We need to delegate management of several instances through the AWS console to one of our clients. For this purpose we created a new IAM group.
We need this group to only list and modify specific EC2 instances, e.g. using a tag. We tried using the read-only EC2 template and modifying it by adding:
"Statement": [
    {
        "Effect": "Allow",
        "Action": "ec2:Describe*",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "ec2:ResourceTag/Tenant": "clientname"
            }
        }
    },...
This unfortunately results in "You are not authorized to describe Running Instances" in the AWS console, and no instances are shown, although the correct tag exists. Please advise on how we can filter instance listing based on tags or other methods (e.g. VPC id).
It can't be done. Amazon support answered this:
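As an added example, written for this thread and not taken from the question or from the Amazon support reply, here is the policy shape that does work within that limitation. The ec2:Describe* actions are granted on "*" with no condition, because EC2 Describe calls do not support resource-level permissions or the ec2:ResourceTag condition key: a tag condition attached to them never matches, which produces exactly the implicit deny the question reports. The mutating actions, which do support both, are restricted to instances carrying Tenant=clientname. The particular set of mutating actions and the REGION / ACCOUNT-ID placeholders in the ARN are assumptions; the tag key and value come from the question.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListingCannotBeTagFiltered",
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Sid": "ModifyOnlyTenantInstances",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances"
            ],
            "Resource": "arn:aws:ec2:REGION:ACCOUNT-ID:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Tenant": "clientname"
                }
            }
        }
    ]
}
```

The trade-off to be clear about with the client: the group still sees every instance (and its tags) in the console list, because the Describe grant cannot be narrowed; the tag only limits which instances they can start, stop or reboot. Before handing the policy over, run it through the IAM Policy Simulator for one tagged and one untagged instance ARN to confirm the second statement allows the former and denies the latter.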