Why does applying a condition to ec2:DescribeInstances in an IAM policy fail?

When trying to configure which instances can be listed using policies, I notice the following issue:

  • When the condition is not implemented, all instances are visible.
  • When any condition is implemented, nothing is visible.

The example policy with condition is included:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1461235889000",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceType": "r3.xlarge"
                }
            }
        }
    ]
}

What is wrong here?

ShadowFlame asked Apr 21 '16 11:04

1 Answer

The ec2:DescribeInstances action does not support resource-level permissions or applying conditions.

From the linked documentation above:

...to use these actions in an IAM policy, you must grant users permission to use all resources for the action by using a * wildcard for the Resource element in your statement. You cannot use Amazon EC2 condition keys for these actions.

So your usage of the * wildcard without a condition is valid, but applying any condition (as of this writing) will unfortunately not work as expected.

Further Reading:

  • Supported Resource-Level Permissions for Amazon EC2 API Actions
Anthony Neace answered Sep 18 '22 02:09
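The failure mode in the question is silent: the statement is syntactically valid, IAM accepts it, and the only symptom is an empty listing. A small lint step catches that before the policy is attached. The following script is an added example and is not code from the question, the answer or AWS; it embeds the question's policy as sample input, flags any statement that pairs an EC2 Describe action with an ec2: condition key, and rewrites the policy into the shape the answer says works (Resource "*" and no condition on the Describe action). It also goes one step beyond the question: when a flagged statement mixes Describe actions with other actions, it splits them so the condition is kept for the actions that can honour it rather than being dropped for all of them. The generalisation from ec2:DescribeInstances to the pattern ec2:Describe* is an assumption, marked as such in the code.

```python
"""Lint an IAM policy for EC2 Describe actions that carry ec2: condition keys.

Added example: the question's policy is embedded below as sample input.
"""
import json
from copy import deepcopy
from fnmatch import fnmatchcase

# Assumption (heuristic): EC2 Describe* actions accept neither resource ARNs nor
# ec2:* condition keys. The answer confirms this for ec2:DescribeInstances; the
# wildcard generalises it to the other EC2 Describe calls.
UNSUPPORTED_ACTION_PATTERNS = ("ec2:describe*",)

# The policy from the question, embedded so the linter runs offline.
QUESTION_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1461235889000",
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances"],
            "Resource": ["*"],
            "Condition": {"StringEquals": {"ec2:InstanceType": "r3.xlarge"}}
        }
    ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_unsupported(action):
    # IAM action names are case-insensitive, so compare in lower case.
    return any(fnmatchcase(action.lower(), p) for p in UNSUPPORTED_ACTION_PATTERNS)


def _ec2_condition_keys(condition):
    """Condition keys such as ec2:InstanceType, across every operator block."""
    keys = []
    for operator_block in (condition or {}).values():
        keys.extend(k for k in operator_block if k.lower().startswith("ec2:"))
    return keys


def find_ineffective_conditions(policy):
    """Return (statement_index, action, condition_key) triples for statements
    that pair an EC2 Describe action with an ec2: condition key. The key is
    never evaluated for such an action, so an Allow statement matches nothing
    and the caller sees an empty listing, exactly as in the question."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        keys = _ec2_condition_keys(stmt.get("Condition"))
        if not keys:
            continue
        for action in _as_list(stmt.get("Action")):
            if _is_unsupported(action):
                findings.extend((idx, action, k) for k in keys)
    return findings


def split_ineffective_conditions(policy):
    """Return a copy of the policy in the shape the answer says works. Each
    flagged statement becomes an unconditioned Describe statement with
    Resource "*"; any other actions in the same statement are moved to a
    second statement that keeps the original condition, so the fix does not
    widen what those actions are allowed to touch. Describe calls cannot be
    scoped per instance: the listing is either granted in full or not at all."""
    fixed = deepcopy(policy)
    flagged = {idx for idx, _, _ in find_ineffective_conditions(policy)}
    rebuilt = []
    for idx, stmt in enumerate(_as_list(fixed.get("Statement"))):
        if idx not in flagged:
            rebuilt.append(stmt)
            continue
        actions = _as_list(stmt.get("Action"))
        describe_actions = [a for a in actions if _is_unsupported(a)]
        other_actions = [a for a in actions if not _is_unsupported(a)]
        describe_stmt = {k: v for k, v in stmt.items() if k != "Condition"}
        describe_stmt["Action"] = describe_actions
        describe_stmt["Resource"] = "*"
        rebuilt.append(describe_stmt)
        if other_actions:
            rest = dict(stmt)
            rest["Action"] = other_actions
            if "Sid" in rest:
                rest["Sid"] = rest["Sid"] + "Conditioned"
            rebuilt.append(rest)
    fixed["Statement"] = rebuilt
    return fixed


if __name__ == "__main__":
    for idx, action, key in find_ineffective_conditions(QUESTION_POLICY):
        print(f"statement {idx}: {action} cannot be conditioned on {key}")
    print(json.dumps(split_ineffective_conditions(QUESTION_POLICY), indent=2))
```

Run on the question's policy, the linter reports the single statement and emits the same statement with the Condition block removed. The split behaviour matters for real policies: dropping the condition from a statement that also allows, say, a Start or Stop action would silently remove a restriction the author relied on, whereas separating the statements preserves it.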