
I'm looking for a possible idea to restrict the visibility of EC2 instances to certain IAM users under the same root account.

Custom policies don't seem to work because DescribeInstances doesn't support resource-level permissions.

Is there any way to hide instances created by different IAM users from one another? Is this currently possible?

Maggy
2 Answers


The DescribeInstances API action does not support resource-level permissions, per https://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions

  • Hi David, so as per this we will not be able to restrict access to specific instances? – Maggy Jan 23 '18 at 05:36
  • The only way to restrict access to DescribeInstances info to a subset of instances is to put the instances in a separate AWS account. If visibility is not the real issue, but the actual ability to connect to ports is what you want to control, then you could use security groups if users will be coming from different IPs. Or you can use SSH keys. Please explain the scenario which leads you to want to restrict access to the DescribeInstances call, as I've never seen a good reason to do that. – David Filiatrault Jan 23 '18 at 19:31
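To make the distinction drawn in this answer concrete, here is an added example policy (not from the question or either answer). The first statement must use Resource "*": narrowing DescribeInstances to an instance ARN does not filter the output, it simply makes the statement ineffective, because the action has no resource-level permissions. The second statement shows what does work for actions that support resource-level permissions: StartInstances and StopInstances are scoped to instances whose Owner tag matches the calling IAM user name. The Owner tag key and the wildcarded region and account are assumptions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeInstancesIsAllOrNothingResourceMustBeWildcard",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Sid": "StateChangesOnlyOnInstancesTaggedWithCallersUserName",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Owner": "${aws:username}"
        }
      }
    }
  ]
}
```

Every user with this policy still sees every instance in the account in DescribeInstances output; only the start and stop actions are confined to the instances tagged for that user, which is why the answers point to separate accounts when visibility itself must be separated.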

No, it is not possible. Quote from Amazon EC2 Permission Attributes:

you can't restrict permissions for specific users within the specified AWS account

I recommend asking the official AWS support, too. Maybe you are lucky and the documentation is outdated.

A solution could be to create different accounts.

Fabian