amazon-web-services - AWS IAM Policy grant permissions for some EC2 instances

问题描述

I want to restrict access for a specific user to see just few EC2 instances. I created a new user in IAM Roles and I attached a new Policy to it. The content of that Policy is attached below. I tried to look over documentation and to do it myself like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": [
                "arn:aws:ec2:eu-west-1:ACCOUNT_ID:instance/i-INSTANCE_ID1",
                "arn:aws:ec2:eu-west-1:ACCOUNT_ID:instance/i-INSTANCE_ID2"
            ]
        }
    ]
}

I placed my region,ACCOUNT_ID(the owner id, not of the new user created) and instance-id, but when I connect with that user and I go to list all Instances I got this An error occurred fetching instance data: You are not authorized to perform this operation..

After I placed the code in JSON editor, in Policy Review step I got this message:

This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition. For details, choose Show remaining Learn more

The AWS documentation mention exactly the same configuration or these examples.

标签： amazon-web-servicesamazon-ec2amazon-iam

我假设您在控制台中以该用户的身份连接（但与 CLI 相同）这是我认为正在发生的事情：

要列出所有实例，控制台很可能会调用DescribeInstances API。根据可在 IAM 策略中使用的操作/资源/标签列表，此 API 不支持 IAM 中的资源过滤器。

这意味着您的用户无权列出实例，并且它们不会显示在控制台中。您可以通过使用 CLI 请求特定实例 id 的详细信息来验证这个理论，如果我的假设是正确的，它将被授权。

由于 DescribeInstances 不受资源或标签的限制，我认为无法为用户过滤实例列表。

要使控制台正常工作，您需要在 IAM 策略中添加以下语句

 "Statement": [
     { your existing statement }, 

     {
         "Effect": "Allow",
         "Action": "ec2:DescribeInstances",
         "Resource": "*"
     }
 ]

如果我是对的，请报告:-)您在问题中提到的示例完全表明：在其他操作Resources = *上DescribeInstances和资源特定的 InstanceId 上。

amazon-web-services - AWS IAM Policy grant permissions for some EC2 instances

问题描述

解决方案

推荐阅读