
I have been trying to create an IAM policy that restricts a user's permissions to only one EC2 instance. I created a user and added that user to a group called "Restricted". Then I created a policy and attached it to the "Restricted" group.

This is the policy document I created for this EC2 instance:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1474999077000",
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Resource": [
                "arn:aws:ec2:us-west-2:434174043592:instance/i-0b5a42e4827ffc147"
            ]
        }
    ]
}

I then opened the policy simulator to test the user's permissions for EC2 actions.

All permissions came back denied. What am I doing wrong? How should I fix it? Is it possible to give the user access to Billing and show only the billing information for that EC2 instance?

Thanks in advance!

1 Answer


AWS still has a lot of work to do on IAM.

This is not supported: you need to put "*" in the Resource element of your policy and work with the Action element instead.

See what AWS says about this:

All Amazon EC2 actions can be used in an IAM policy to either grant or deny users permission to use that action. However, not all Amazon EC2 actions support resource-level permissions, which enable you to specify the resources on which an action can be performed.

Here is a list of what is not supported at the resource level:

  • Thanks. Do you know about limiting user access to billing information to a certain region or certain instances? Or is it all-or-nothing access?
    – Wen
    Commented Oct 3, 2016 at 17:42
  • Yes, it is all or nothing.
    Commented Oct 5, 2016 at 16:08
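The mechanism behind the answer above, as an added example that is not part of the original question or answer: EC2 actions without resource-level support (the Describe* family in the quoted AWS text) are evaluated against the resource "*", so an Allow statement that scopes "ec2:*" to a single instance ARN never matches a DescribeInstances call, and the simulator reports deny. The script below holds the questioner's policy next to a split policy (Describe* on "*", the instance-changing actions on the instance ARN) and runs both through a deliberately simplified model of IAM evaluation (action and ARN wildcard matching, explicit deny over allow, default deny) plus a lint that flags Describe grants scoped to a specific ARN. The model and the NO_RESOURCE_LEVEL list are assumptions for illustration, not the AWS engine or the full list of unsupported actions; the instance ARN is the one from the question.

```python
import json
import re

INSTANCE_ARN = "arn:aws:ec2:us-west-2:434174043592:instance/i-0b5a42e4827ffc147"

# The policy from the question: every EC2 action, scoped to one instance ARN.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1474999077000",
            "Effect": "Allow",
            "Action": ["ec2:*"],
            "Resource": [INSTANCE_ARN],
        }
    ],
}

# Split policy: read-only Describe* on "*" (the only resource those actions can
# be evaluated against), and the instance-changing actions on the single ARN.
SPLIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeAll",
            "Effect": "Allow",
            "Action": ["ec2:Describe*"],
            "Resource": "*",
        },
        {
            "Sid": "OneInstance",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
            "Resource": INSTANCE_ARN,
        },
    ],
}

# Assumption (illustrative, modelled on the AWS text quoted in the answer): actions
# matching these patterns carry no resource-level permissions, so IAM evaluates
# them against "*". The real list is longer and changes over time.
NO_RESOURCE_LEVEL = ("ec2:Describe*",)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def effective_resource(action, requested_resource):
    """Actions without resource-level support are always evaluated against '*'."""
    if any(_match(p, action, ignore_case=True) for p in NO_RESOURCE_LEVEL):
        return "*"
    return requested_resource


def evaluate(policy, action, resource):
    """Simplified IAM decision: explicit Deny wins, then Allow, default 'denied'."""
    resource = effective_resource(action, resource)
    decision = "denied"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive; ARNs are case-sensitive.
        if not any(_match(a, action, ignore_case=True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "denied"
        decision = "allowed"
    return decision


def lint_describe_scope(policy):
    """Return Sids of Allow statements that grant a Describe action but scope it to
    specific ARNs; such grants can never match and are the questioner's mistake."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        covers_describe = any(
            _match(a, "ec2:DescribeInstances", ignore_case=True)
            or any(_match(p, a, ignore_case=True) for p in NO_RESOURCE_LEVEL)
            for a in actions
        )
        if covers_describe and "*" not in _as_list(stmt.get("Resource", [])):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    other = "arn:aws:ec2:us-west-2:434174043592:instance/i-0000000000000000a"
    for name, policy in (("original", ORIGINAL_POLICY), ("split", SPLIT_POLICY)):
        print(name, "DescribeInstances:", evaluate(policy, "ec2:DescribeInstances", INSTANCE_ARN))
        print(name, "StopInstances (own):", evaluate(policy, "ec2:StopInstances", INSTANCE_ARN))
        print(name, "StopInstances (other):", evaluate(policy, "ec2:StopInstances", other))
        print(name, "lint:", lint_describe_scope(policy))
    print(json.dumps(SPLIT_POLICY, indent=2))
```

Before attaching the split policy, confirm the decisions against the real engine rather than this model, for example with the CLI form of the simulator the question used: `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names ec2:DescribeInstances ec2:StopInstances --resource-arns arn:aws:ec2:us-west-2:434174043592:instance/i-0b5a42e4827ffc147`. Note that the split policy still lets the user see every instance in the account through DescribeInstances; only the state-changing actions are confined to the one ARN.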
