assign IAM user to access only one EC2 instance

I am trying to apply a policy that allows an IAM user to access only one particular EC2 instance. Here is the policy I am applying:

{
    "Statement": [
        {
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:my_account_id:instance/my_instance_id"
            ],
            "Effect": "Allow"
        }
    ]
}

However, the user is unable to see any EC2 instances on the dashboard. What am I doing wrong?

asked Mar 14 '23 19:03 by hvs

1 Answer

This blog post addresses your exact problem: https://blogs.aws.amazon.com/security/post/Tx2KPWZJJ4S26H6/Demystifying-EC2-Resource-Level-Permissions

It uses this policy as an example (the same as yours, except for the * instead of a specific instance ID):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TheseActionsSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
        }
    ]
}

And updates it as follows to address the "not authorized" problem:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TheseActionsDontSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": ["ec2:Describe*"],
            "Resource": "*"
        },
        {
            "Sid": "TheseActionsSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
        }
    ]
}   
answered Mar 24 '23 13:03 by Volkan Paksoy
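Why the first policy hides the console and the second does not, as an added worked example that is not part of the question, the answer or the linked AWS post: a minimal model of IAM policy evaluation run over the question's policy and over a generalised version of the answer's fix. The account id and instance ids are placeholders, and the evaluator only models Action/Resource wildcard matching and the "explicit Deny beats Allow beats implicit deny" rule (no Condition, NotAction, SCPs or permission boundaries).

```python
"""Minimal model of IAM policy evaluation (added example, not AWS code).

Shows why the policy in the question cannot list instances: the console's
first call is ec2:DescribeInstances, which the question's policy never
grants, and the ec2:Describe* APIs do not support resource-level
permissions, so they must be granted on Resource "*".  The account id and
instance ids are placeholders.  Only Action/Resource wildcard matching and
the Deny > Allow > implicit-deny rule are modelled; Condition, NotAction,
NotResource, principals, SCPs and permission boundaries are omitted.
"""
import fnmatch

ACCOUNT = "111122223333"             # placeholder account id
REGION = "us-east-1"
INSTANCE_ID = "i-0123456789abcdef0"  # placeholder: the one instance to manage
OTHER_ID = "i-0fedcba9876543210"     # placeholder: another instance in the account


def instance_arn(instance_id, account=ACCOUNT, region=REGION):
    return f"arn:aws:ec2:{region}:{account}:instance/{instance_id}"


# The policy as posted in the question: power actions scoped to one instance
# ARN, but nothing grants any ec2:Describe* call.
QUESTION_POLICY = {
    "Statement": [{
        "Action": ["ec2:StartInstances", "ec2:StopInstances",
                   "ec2:RebootInstances", "ec2:TerminateInstances"],
        "Resource": [instance_arn(INSTANCE_ID)],
        "Effect": "Allow",
    }]
}


def scoped_instance_policy(instance_id, account=ACCOUNT, region=REGION):
    """The answer's fix, generalised to a single instance id: Describe* on
    "*" (no resource-level support), power actions on one instance ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DescribeDoesNotSupportResourceLevelPermissions",
                "Effect": "Allow",
                "Action": ["ec2:Describe*"],
                "Resource": "*",
            },
            {
                "Sid": "PowerActionsOnOneInstance",
                "Effect": "Allow",
                "Action": ["ec2:StartInstances", "ec2:StopInstances",
                           "ec2:RebootInstances", "ec2:TerminateInstances"],
                "Resource": [instance_arn(instance_id, account, region)],
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """IAM-style wildcard match ('*' and '?') of value against any pattern."""
    if fold_case:
        value = value.lower()
    for pattern in _as_list(patterns):
        if fold_case:
            pattern = pattern.lower()
        if fnmatch.fnmatchcase(value, pattern):
            return True
    return False


def evaluate(policy, action, resource):
    """Decision for one (action, resource) request, in the policy simulator's
    vocabulary: 'allowed', 'explicitDeny' or 'implicitDeny'.  Pass resource
    "*" for an action that has no resource-level permission support."""
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; ARNs are case-sensitive.
        if not _matches(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, fold_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"       # an explicit Deny always wins
        decision = "allowed"
    return decision


def compare(instance_id=INSTANCE_ID, other_id=OTHER_ID):
    """Evaluate the same three requests against the broken and fixed policy."""
    requests = [
        ("ec2:DescribeInstances", "*"),            # what the console calls first
        ("ec2:StopInstances", instance_arn(instance_id)),
        ("ec2:StopInstances", instance_arn(other_id)),
    ]
    policies = {"question": QUESTION_POLICY,
                "fixed": scoped_instance_policy(instance_id)}
    return {name: {f"{a} {r}": evaluate(p, a, r) for a, r in requests}
            for name, p in policies.items()}


if __name__ == "__main__":
    for name, results in compare().items():
        for request, decision in results.items():
            print(f"{name:8} {decision:13} {request}")
```

The real check is `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names ec2:DescribeInstances ec2:StopInstances --resource-arns <instance ARN>`, which returns the same three decision values from IAM itself. Two caveats: granting ec2:Describe* on "*" is unavoidable and lets the user read metadata of every instance in the account (only the power actions are confined to the one ARN), and this model ignores Condition, so tag-based scoping with the ec2:ResourceTag/<key> condition key is not represented.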