
I'm looking for a way to restrict the visibility of EC2 instances to certain IAM accounts. I'd really like a way for a particular account to only be able to see the instances that it has created, i.e. when it does a `DescribeInstances` only those it has created are present.

I've been looking into using custom IAM policies based on resource tags to do this, and while the management looks to be ok, each account can still see instances created by other users using `DescribeInstances`.

Really I'm looking for a way to hide resources created by different IAM accounts from one another. Is this currently possible?

sgargan

2 Answers


Unfortunately AWS Identity and Access Management (IAM) doesn't fully cover this particular aspect as of today, because the recently introduced Resource-Level Permissions for EC2 and RDS Resources are not yet available for all API actions, see this note from Amazon Resource Names for Amazon EC2:

Important Currently, not all API actions support individual ARNs; we'll add support for additional API actions and ARNs for additional Amazon EC2 resources later. For information about which ARNs you can use with which Amazon EC2 API actions, as well as supported condition keys for each ARN, see Supported Resources and Conditions for Amazon EC2 API Actions.

You will find that all `ec2:Describe*` actions are indeed still absent from Supported Resources and Conditions for Amazon EC2 API Actions at the time of this writing.

See also Granting IAM Users Required Permissions for Amazon EC2 Resources for a concise summary of the above and details on the ARNs and Amazon EC2 condition keys that you can use in an IAM policy statement to grant users permission to create or modify particular Amazon EC2 resources - this page also mentions that AWS will add support for additional actions, ARNs, and condition keys in 2014.

Steffen Opel
  • This is a pity! I'll keep an eye out for its availability. Thanks for your answer. – sgargan Mar 18 '14 at 20:21
  • Has there been any change in this status? Is it possible to achieve the same as of Oct 2014? – Anshu Prateek Oct 09 '14 at 06:38
  • @AnshuPrateek - while the list of [Supported Resources and Conditions for Amazon EC2 API Actions](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html) for resource-level permissions has been expanded over time, it still doesn't include the `ec2:Describe*` API actions as of today, unfortunately (and somewhat surprisingly too). – Steffen Opel Oct 09 '14 at 10:55
  • It's really quite surprising that *as of 2023* this is still not possible, `DescribeInstances` resource limiting seems to only work *if you know in advance* the instances you want to allow using full ARN identifiers, but not based on resource tags. – dlouzan Mar 31 '23 at 15:50
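The partial control that is available, as an added example that is not part of the original answer or of any AWS documentation: an IAM policy that scopes the mutating instance actions and instance launches to an `Owner` tag, while `ec2:Describe*` still has to be granted on `Resource: "*"` because those actions accept no resource ARN or tag condition, so every user in the account keeps seeing every instance in `DescribeInstances`. The tag key `Owner`, the convention of setting it to `${aws:username}` at launch, and the particular list of mutating actions are assumptions chosen for illustration (the `Sid` values mark them); `ec2:ResourceTag/...`, `aws:RequestTag/...` and `ec2:CreateAction` are real EC2 condition keys.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeCannotBeScopedByTagOrArn",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Sid": "AssumedOwnerTagGatesMutatingActions",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/Owner": "${aws:username}" }
      }
    },
    {
      "Sid": "AssumedOwnerTagRequiredAtLaunch",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "aws:RequestTag/Owner": "${aws:username}" }
      }
    },
    {
      "Sid": "OtherResourcesRunInstancesTouches",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*::image/*"
      ]
    },
    {
      "Sid": "TaggingOnlyAsPartOfLaunch",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ec2:CreateAction": "RunInstances" }
      }
    }
  ]
}
```

The last statement matters: if users could call `ec2:CreateTags` freely, anyone could retag another user's instance with their own name and then stop or terminate it, so tagging is allowed only as part of the launch that sets the tag in the first place. Note also that a client-side filter such as `aws ec2 describe-instances --filters Name=tag:Owner,Values=alice` is a convenience, not a boundary: the caller can simply omit the filter, which is exactly the gap the answer describes.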

If your user's resources don't need to inter-operate, then a different option is to use multiple separate AWS accounts, then set up consolidated billing so that bills for all accounts are put together on one bill.

Each of your users would have their own AWS account. They would see only the resources in their own account.

Matt Houser
  • I was holding this in reserve as a last resort but I did not know about the consolidated billing. I think I'll have to go this route. – sgargan Mar 18 '14 at 20:20