in AWS by (19.1k points)

I have read the AWS documentation and it wasn't helpful... at least not for me. I have read about IAM and the user policy for EC2.

I want to make users have full access (or just some actions allowed) on only ONE EC2 instance.

The region I'm using is eu-west-1 (Ireland). I made this policy:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2:*",
    "Resource": "arn:aws:ec2:eu-west-1:ACCOUNT_ID:instance/INSTANCE_ID"
  }]
}

and when I log in as the user, I see that I'm not authorized:

  • You are not authorized to describe Running Instances
  • You are not authorized to describe Elastic IPs
  • You are not authorized to describe Volumes
  • You are not authorized to describe Snapshots
  • You are not authorized to describe Key Pairs
  • You are not authorized to describe Load Balancers
  • You are not authorized to describe Placement Groups
  • You are not authorized to describe Security Groups

If I apply the following policy for the resource attribute:

"Resource": "arn:aws:ec2:*"

it's OK, but it's not what I need, because users then have access to all EC2 instances.

I want to know whether this is a bug in AWS, whether there are problems with the eu-west-1 region, or whether this policy simply isn't supported yet. Or maybe I'm wrong; if so, please help me with how to do it.

1 Answer

by (44.4k points)

Solution:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Region": "eu-west-1"
        }
      }
    }
  ]
}

Check out this link for a list of supported conditions - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html
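The answer's key point is that the `ec2:Describe*` actions do not support resource-level permissions, so a statement that scopes them to a single instance ARN never matches and the console shows the "not authorized to describe" errors from the question; read access has to be granted on `Resource: "*"` (optionally fenced with the `ec2:Region` condition), while the mutating actions can be pinned to one instance ARN in a second statement. The following is an added example, not code from the question or the answer: it builds such a two-statement policy and runs it through a deliberately simplified model of IAM evaluation (default deny, explicit Deny wins, `StringEquals` only) so the difference between the original policy and the combined one can be seen offline. The account ID, instance IDs and region are constructed placeholders.

```python
import fnmatch

# Constructed placeholder values; substitute the real account and instance IDs.
ACCOUNT_ID = "111122223333"
INSTANCE_ID = "i-0123456789abcdef0"
REGION = "eu-west-1"


def build_policy(account_id, instance_id, region):
    """Two statements: Describe* (no resource-level support, so Resource must
    be "*") restricted to one region, and a few mutating actions restricted to
    a single instance ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DescribeInRegionOnly",
                "Effect": "Allow",
                "Action": "ec2:Describe*",
                "Resource": "*",
                "Condition": {"StringEquals": {"ec2:Region": region}},
            },
            {
                "Sid": "ManageOneInstance",
                "Effect": "Allow",
                "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
                "Resource": f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}",
            },
        ],
    }


def original_policy(account_id, instance_id, region):
    """The single-statement policy from the question, for comparison."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}",
        }],
    }


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _matches(pattern, value):
    # IAM action and ARN matching is case-insensitive; '*' matches any run of characters.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_ok(condition, context):
    # Toy evaluator: only StringEquals is modelled. A key missing from the
    # request context makes the condition false, as in IAM (no ...IfExists).
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, expected in pairs.items():
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Simplified IAM decision: explicit Deny wins, else any matching Allow,
    else implicit deny. Actions without resource-level permissions are
    requested against resource "*", which only a Resource of "*" matches."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def demo():
    policy = build_policy(ACCOUNT_ID, INSTANCE_ID, REGION)
    original = original_policy(ACCOUNT_ID, INSTANCE_ID, REGION)
    mine = f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}:instance/{INSTANCE_ID}"
    other = f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}:instance/i-0fedcba9876543210"
    ctx_ie = {"ec2:Region": REGION}
    ctx_us = {"ec2:Region": "us-east-1"}
    return {
        # the question's policy: Describe is denied because "*" != the instance ARN
        "original_describe": evaluate(original, "ec2:DescribeInstances", "*", ctx_ie),
        "describe_ie": evaluate(policy, "ec2:DescribeInstances", "*", ctx_ie),
        "describe_us": evaluate(policy, "ec2:DescribeInstances", "*", ctx_us),
        "start_mine": evaluate(policy, "ec2:StartInstances", mine, ctx_ie),
        "start_other": evaluate(policy, "ec2:StartInstances", other, ctx_ie),
        "terminate_mine": evaluate(policy, "ec2:TerminateInstances", mine, ctx_ie),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} {result}")
```

The evaluator only models the pieces this question needs; for the real thing, save the policy from `build_policy` to a file and run the IAM policy simulator (`aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names ec2:DescribeInstances ec2:StartInstances --resource-arns <instance ARN> --context-entries ContextKeyName=ec2:Region,ContextKeyValues=eu-west-1,ContextKeyType=string`) before attaching it to a user. Note that the Describe* statement still reveals metadata about every instance in the region; that is inherent to those actions lacking resource-level permissions and is the trade-off the accepted answer makes.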
