AWS IAM Policy grant permissions for some EC2 instances

Question

I want to restrict access for a specific user to see just few EC2 instances. I created a new user in IAM Roles and I attached a new Policy to it. The content of that Policy is attached below. I tried to look over documentation and to do it myself like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": [
                "arn:aws:ec2:eu-west-1:ACCOUNT_ID:instance/i-INSTANCE_ID1",
                "arn:aws:ec2:eu-west-1:ACCOUNT_ID:instance/i-INSTANCE_ID2"
            ]
        }
    ]
}

I placed my region,ACCOUNT_ID(the owner id, not of the new user created) and instance-id, but when I connect with that user and I go to list all Instances I got this An error occurred fetching instance data: You are not authorized to perform this operation..

After I placed the code in JSON editor, in Policy Review step I got this message:

This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition. For details, choose Show remaining Learn more

The AWS documentation mention exactly the same configuration or these examples.

Answer 1

I assume you connect as that user in the console (but it would be the same with CLI) Here is what I think is happening:

To list all the instances, the console most probably calls the DescribeInstances API. As per the list of action/resources/tags that can be used in IAM policy, this API does not support the resource filter in IAM.

This means your user has no authorization to list instances and they will not be shown in the console. You can validate this theory by using the CLI to request the details of a specific instance id, if my hypothesis is correct, it will be authorized.

As DescribeInstances can not be restricted by resource or tags, I don't think it is possible to filter the instance list for a user.

To have the console working, you'll need to add the following statement in your IAM policy

 "Statement": [
     { your existing statement }, 

     {
         "Effect": "Allow",
         "Action": "ec2:DescribeInstances",
         "Resource": "*"
     }
 ]

Please report if I was right :-) The example you mentioned in your question shows exactly that : Resources = * on DescribeInstances and Resources specific InstanceId on other operations.