I'm looking for a way to restrict the visibility of EC2 instances to certain IAM accounts. I'd really like a way for a particular account to only be able to see the instances that it has created, i.e. when it does a describeInstances, only those it has created are present.
I've been looking into using custom IAM policies based on resource tags to do this and while the management looks to be ok, each account can still see instances created by other users using describeInstances.
Really I'm looking for a way to hide resources created by different IAM accounts from one another. Is this currently possible?
Unfortunately AWS Identity and Access Management (IAM) doesn't fully cover this particular aspect as of today, because the recently introduced Resource-Level Permissions for EC2 and RDS Resources are not yet available for all API actions, see this note from Amazon Resource Names for Amazon EC2:
You will find that all `ec2:Describe*` actions are indeed still absent from Supported Resources and Conditions for Amazon EC2 API Actions at the time of this writing. See also Granting IAM Users Required Permissions for Amazon EC2 Resources for a concise summary of the above and details on the ARNs and Amazon EC2 condition keys that you can use in an IAM policy statement to grant users permission to create or modify particular Amazon EC2 resources. This page also mentions that AWS will add support for additional actions, ARNs, and condition keys in 2014.
If your users' resources don't need to interoperate, then a different option is to use multiple separate AWS accounts, then set up consolidated billing so that the bills for all accounts are put together on one bill.
Each of your users would have their own AWS account. They would see only the resources in their own account.