When trying to configure which instances can be listed using policies, I remark the following issue:
The example policy with condition is included:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1461235889000",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ec2:InstanceType": "r3.xlarge"
}
}
}
]
}
What is wrong here?
The ec2:DescribeInstances
action does not support resource-level permissions or applying conditions.
From the linked documentation above:
...to use these actions in an IAM policy, you must grant users permission to use all resources for the action by using a * wildcard for the Resource element in your statement. You cannot use Amazon EC2 condition keys for these actions.
So your usage of the * wildcard without a condition is valid, but applying any condition (as of this writing) will unfortunately not work as expected.
Further Reading:
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With