AWS IAM: Restrict Console Access to only One InstanceAWS IAM policy issue: unable to permit all but RunInstancesHow can I chain AWS IAM AssumeRole API calls?EC2 create-image vs. secure credentialsHow to restrict IAM policy to not allow stop/terminate an EC2 instance but can create new instances?Least privilege AWS IAM policy for Foreman / RH Satellite to fully manage an EC2 compute resourceAWS IAM role for use within a classroomHow to grant access to an SQS to a specific IAM userAWS describe-instances limiting to taggedHow to grant IAM access to an already running EC2 intanceAllow other AWS services to invoke Lambda using IAM
A torrent of foreign terms
Proof for converting powers into roots
Why isn’t SHA-3 in wider use?
Do beef farmed pastures net remove carbon emissions?
Why did Gandalf use a sword against the Balrog?
Train from Nagpur to Raipur
TEMPO: play a (mp3) sound in animated GIF/PDF/SVG
What does the phrase "pull off sick wheelies and flips" mean here?
Email address etiquette - Which address should I use to contact professors?
Is this n-speak?
Can I not use QM-AM inequality to solve this?
What happens when electrons reach the battery?
How to take the beginning and end parts of a list with simpler syntax?
Bitcoin successfully deducted on sender wallet but did not reach receiver wallet
How to reduce Sinas Chinam
Why command hierarchy, if the chain of command is standing next to each other?
How to create events observer that only call when REST api dispatch events?
How to assign many blockers at the same time?
Visa National - No Exit Stamp From France on Return to the UK
0xF1 opcode-prefix on i80286
What gave Harry Potter the idea of writing in Tom Riddle's diary?
On math looking obvious in retrospect
Can a PC use the Levitate spell to avoid movement speed reduction from exhaustion?
Are differences between uniformly distributed numbers uniformly distributed?
AWS IAM: Restrict Console Access to only One Instance
AWS IAM policy issue: unable to permit all but RunInstancesHow can I chain AWS IAM AssumeRole API calls?EC2 create-image vs. secure credentialsHow to restrict IAM policy to not allow stop/terminate an EC2 instance but can create new instances?Least privilege AWS IAM policy for Foreman / RH Satellite to fully manage an EC2 compute resourceAWS IAM role for use within a classroomHow to grant access to an SQS to a specific IAM userAWS describe-instances limiting to taggedHow to grant IAM access to an already running EC2 intanceAllow other AWS services to invoke Lambda using IAM
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
I am trying to create an IAM user for the AWS Console with permission to list and perform action on only 1 instance.
So I have a total of 6 Instances and I tried hiding 5 of them via IAM Policies by adding the below policy:
Breakdown
1. First took all the permissions away
2. Added permission to only one instance
"Statement": [
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition":
"condition":
,
"Effect": "Allow",
"Action": "*",
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef",
"Condition":
"condition":
]
This works for the 1st part only ie Denying to all Instances.
The 2nd part doesn't seem to work.
Don't the permissions work like that? Any help would be appreciated.
amazon-web-services amazon-ec2 amazon-iam
asked Apr 15 at 4:44
ServerInsightsServerInsights
261 silver badge5 bronze badges
add a comment |
I am trying to create an IAM user for the AWS Console with permission to list and perform action on only 1 instance.
So I have a total of 6 Instances and I tried hiding 5 of them via IAM Policies by adding the below policy:
Breakdown
1. First took all the permissions away
2. Added permission to only one instance
"Statement": [
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition":
"condition":
,
"Effect": "Allow",
"Action": "*",
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef",
"Condition":
"condition":
]
This works for the 1st part only ie Denying to all Instances.
The 2nd part doesn't seem to work.
Don't the permissions work like that? Any help would be appreciated.
amazon-web-services amazon-ec2 amazon-iam
asked Apr 15 at 4:44
ServerInsightsServerInsights
261 silver badge5 bronze badges
add a comment |
I am trying to create an IAM user for the AWS Console with permission to list and perform action on only 1 instance.
So I have a total of 6 Instances and I tried hiding 5 of them via IAM Policies by adding the below policy:
Breakdown
1. First took all the permissions away
2. Added permission to only one instance
"Statement": [
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition":
"condition":
,
"Effect": "Allow",
"Action": "*",
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef",
"Condition":
"condition":
]
This works for the 1st part only ie Denying to all Instances.
The 2nd part doesn't seem to work.
Don't the permissions work like that? Any help would be appreciated.
amazon-web-services amazon-ec2 amazon-iam
asked Apr 15 at 4:44
ServerInsightsServerInsights
261 silver badge5 bronze badges
I am trying to create an IAM user for the AWS Console with permission to list and perform action on only 1 instance.
So I have a total of 6 Instances and I tried hiding 5 of them via IAM Policies by adding the below policy:
Breakdown
1. First took all the permissions away
2. Added permission to only one instance
"Statement": [
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition":
"condition":
,
"Effect": "Allow",
"Action": "*",
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef",
"Condition":
"condition":
]
This works for the 1st part only ie Denying to all Instances.
The 2nd part doesn't seem to work.
Don't the permissions work like that? Any help would be appreciated.
amazon-web-services amazon-ec2 amazon-iam
amazon-web-services amazon-ec2 amazon-iam
asked Apr 15 at 4:44
ServerInsightsServerInsights
261 silver badge5 bronze badges
asked Apr 15 at 4:44
ServerInsightsServerInsights
261 silver badge5 bronze badges
asked Apr 15 at 4:44
ServerInsightsServerInsights
261 silver badge5 bronze badges
asked Apr 15 at 4:44
ServerInsightsServerInsights
261 silver badge5 bronze badges
asked Apr 15 at 4:44
ServerInsightsServerInsights
261 silver badge5 bronze badges
261 silver badge5 bronze badges
add a comment |
add a comment |
4 Answers
4
active
oldest
votes
Your current policy would work in the AWS-CLI, e.g. aws ec2 stop-instance should work.
However to actually use the web console you need a few more read-only permissions because the console tries to list and describe all the instances to build the list.
You may need at least ec2:DescribeInstances to get a basic half-broken list.
If you only care about preventing that IAM user from modifying other instances you can give him a read-only access with ec2:Describe* - that should make the console usable while preventing him from modifying any non-permitted instances.
I'm not aware of a way to restrict the listing of instances only to the one he can work with, he will probably see them all but can only manage that single one.
Hope that helps :)
answered Apr 15 at 5:04
MLuMLu
11.3k2 gold badges26 silver badges47 bronze badges
add a comment |
Regarding hiding all instances but one from the user
This cannot be done using IAM policies. The ec2:Describe* commands (including ec2:DescribeInstances) do not support resource-level permissions. So you can only allow or deny ec2:Describe* for everything (*). So your user can see all instances, or none.
Regarding trying to deny all, then override an allow
The order of the policy statements does not change the result of the policy. So don't try to write or interpret it "top down".
Policies work like this:
- The policy starts implicitly denying everything (this is implied deny)
- Any "Allow" statements override any implied denies (this is an explicit allow)
- Any "Deny" statements override all allows (this is an explicit deny)
So once you have a "Deny" statement, nothing can override that.
To be able to "pigeon hole" an allow, like you're trying to do, you must do one of these:
- Don't deny anything, allow only what you want to allow, or
- Deny everything except what you want to allow (in a single statement)
To accomplish what you want
The closest you'll get is to allow your user to "see" everything, but operate only on the one EC2 instance. You'll need 2 statements:
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
,
"Effect": "Allow",
"Action": "*",
"Resource": "arn:aws:ec2:us-east-1:1234567890123:instance/i-12345678"
]
answered Apr 16 at 13:19
Matt HouserMatt Houser
8,1191 gold badge18 silver badges20 bronze badges
add a comment |
You have to deny all, but in your condition, use ArnNotEquals "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"
This will basically deny all other instance that does not have the same ARN as the instance that you want to be allowed.
See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN for more information
answered Apr 15 at 4:57
Sharuzzaman Ahmat RaslanSharuzzaman Ahmat Raslan
2731 gold badge2 silver badges15 bronze badges
add a comment |
Thank you MLu and Sharuzzaman Ahmat Raslan!
Your inputs really helped me to get this done.
I am adding the summary of what I did below for others in case:
- First, need to make sure the right policy is attached to the user
group or in my case, the right policy is detached. The user had no
EC2 access. Next, I used the Inline Policy to add access. I added the below policy which, as mentioned by MLu would allow not stop listing the instances but will not allow updating of the other instances
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
,
"Effect": "Allow",
"Action": "*)",
"Resource": "arn:aws:ec2:us-east-1:1234567890123:instance/i-xxxxxxxxxxxxxxxxx"
]
Hope this helps someone stuck to save some time.
edited Apr 15 at 9:04
HBruijn
61.1k12 gold badges97 silver badges165 bronze badges
answered Apr 15 at 6:47
ServerInsightsServerInsights
261 silver badge5 bronze badges
Where normally 4 leading spaces pre-format text/code in an itemized list you instead need to use 8 spaces
– HBruijn
Apr 15 at 9:06
@HBruijn Thanks a lot!
– ServerInsights
Apr 15 at 12:52
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f963055%2faws-iam-restrict-console-access-to-only-one-instance%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
Your current policy would work in the AWS-CLI, e.g. aws ec2 stop-instance should work.
However to actually use the web console you need a few more read-only permissions because the console tries to list and describe all the instances to build the list.
You may need at least ec2:DescribeInstances to get a basic half-broken list.
If you only care about preventing that IAM user from modifying other instances you can give him a read-only access with ec2:Describe* - that should make the console usable while preventing him from modifying any non-permitted instances.
I'm not aware of a way to restrict the listing of instances only to the one he can work with, he will probably see them all but can only manage that single one.
Hope that helps :)
answered Apr 15 at 5:04
MLuMLu
11.3k2 gold badges26 silver badges47 bronze badges
add a comment |
Your current policy would work in the AWS-CLI, e.g. aws ec2 stop-instance should work.
However to actually use the web console you need a few more read-only permissions because the console tries to list and describe all the instances to build the list.
You may need at least ec2:DescribeInstances to get a basic half-broken list.
If you only care about preventing that IAM user from modifying other instances you can give him a read-only access with ec2:Describe* - that should make the console usable while preventing him from modifying any non-permitted instances.
I'm not aware of a way to restrict the listing of instances only to the one he can work with, he will probably see them all but can only manage that single one.
Hope that helps :)
answered Apr 15 at 5:04
MLuMLu
11.3k2 gold badges26 silver badges47 bronze badges
add a comment |
Your current policy would work in the AWS-CLI, e.g. aws ec2 stop-instance should work.
However to actually use the web console you need a few more read-only permissions because the console tries to list and describe all the instances to build the list.
You may need at least ec2:DescribeInstances to get a basic half-broken list.
If you only care about preventing that IAM user from modifying other instances you can give him a read-only access with ec2:Describe* - that should make the console usable while preventing him from modifying any non-permitted instances.
I'm not aware of a way to restrict the listing of instances only to the one he can work with, he will probably see them all but can only manage that single one.
Hope that helps :)
answered Apr 15 at 5:04
MLuMLu
11.3k2 gold badges26 silver badges47 bronze badges
Your current policy would work in the AWS-CLI, e.g. aws ec2 stop-instance should work.
However to actually use the web console you need a few more read-only permissions because the console tries to list and describe all the instances to build the list.
You may need at least ec2:DescribeInstances to get a basic half-broken list.
If you only care about preventing that IAM user from modifying other instances you can give him a read-only access with ec2:Describe* - that should make the console usable while preventing him from modifying any non-permitted instances.
I'm not aware of a way to restrict the listing of instances only to the one he can work with, he will probably see them all but can only manage that single one.
Hope that helps :)
answered Apr 15 at 5:04
MLuMLu
11.3k2 gold badges26 silver badges47 bronze badges
answered Apr 15 at 5:04
MLuMLu
11.3k2 gold badges26 silver badges47 bronze badges
answered Apr 15 at 5:04
MLuMLu
11.3k2 gold badges26 silver badges47 bronze badges
answered Apr 15 at 5:04
MLuMLu
11.3k2 gold badges26 silver badges47 bronze badges
11.3k2 gold badges26 silver badges47 bronze badges
add a comment |
add a comment |
Regarding hiding all instances but one from the user
This cannot be done using IAM policies. The ec2:Describe* commands (including ec2:DescribeInstances) do not support resource-level permissions. So you can only allow or deny ec2:Describe* for everything (*). So your user can see all instances, or none.
Regarding trying to deny all, then override an allow
The order of the policy statements does not change the result of the policy. So don't try to write or interpret it "top down".
Policies work like this:
- The policy starts implicitly denying everything (this is implied deny)
- Any "Allow" statements override any implied denies (this is an explicit allow)
- Any "Deny" statements override all allows (this is an explicit deny)
So once you have a "Deny" statement, nothing can override that.
To be able to "pigeon hole" an allow, like you're trying to do, you must do one of these:
- Don't deny anything, allow only what you want to allow, or
- Deny everything except what you want to allow (in a single statement)
To accomplish what you want
The closest you'll get is to allow your user to "see" everything, but operate only on the one EC2 instance. You'll need 2 statements:
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
,
"Effect": "Allow",
"Action": "*",
"Resource": "arn:aws:ec2:us-east-1:1234567890123:instance/i-12345678"
]
answered Apr 16 at 13:19
Matt HouserMatt Houser
8,1191 gold badge18 silver badges20 bronze badges
add a comment |
Regarding hiding all instances but one from the user
This cannot be done using IAM policies. The ec2:Describe* commands (including ec2:DescribeInstances) do not support resource-level permissions. So you can only allow or deny ec2:Describe* for everything (*). So your user can see all instances, or none.
Regarding trying to deny all, then override an allow
The order of the policy statements does not change the result of the policy. So don't try to write or interpret it "top down".
Policies work like this:
- The policy starts implicitly denying everything (this is implied deny)
- Any "Allow" statements override any implied denies (this is an explicit allow)
- Any "Deny" statements override all allows (this is an explicit deny)
So once you have a "Deny" statement, nothing can override that.
To be able to "pigeon hole" an allow, like you're trying to do, you must do one of these:
- Don't deny anything, allow only what you want to allow, or
- Deny everything except what you want to allow (in a single statement)
To accomplish what you want
The closest you'll get is to allow your user to "see" everything, but operate only on the one EC2 instance. You'll need 2 statements:
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
,
"Effect": "Allow",
"Action": "*",
"Resource": "arn:aws:ec2:us-east-1:1234567890123:instance/i-12345678"
]
answered Apr 16 at 13:19
Matt HouserMatt Houser
8,1191 gold badge18 silver badges20 bronze badges
add a comment |
Regarding hiding all instances but one from the user
This cannot be done using IAM policies. The ec2:Describe* commands (including ec2:DescribeInstances) do not support resource-level permissions. So you can only allow or deny ec2:Describe* for everything (*). So your user can see all instances, or none.
Regarding trying to deny all, then override an allow
The order of the policy statements does not change the result of the policy. So don't try to write or interpret it "top down".
Policies work like this:
- The policy starts implicitly denying everything (this is implied deny)
- Any "Allow" statements override any implied denies (this is an explicit allow)
- Any "Deny" statements override all allows (this is an explicit deny)
So once you have a "Deny" statement, nothing can override that.
To be able to "pigeon hole" an allow, like you're trying to do, you must do one of these:
- Don't deny anything, allow only what you want to allow, or
- Deny everything except what you want to allow (in a single statement)
To accomplish what you want
The closest you'll get is to allow your user to "see" everything, but operate only on the one EC2 instance. You'll need 2 statements:
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
,
"Effect": "Allow",
"Action": "*",
"Resource": "arn:aws:ec2:us-east-1:1234567890123:instance/i-12345678"
]
answered Apr 16 at 13:19
Matt HouserMatt Houser
8,1191 gold badge18 silver badges20 bronze badges
Regarding hiding all instances but one from the user
This cannot be done using IAM policies. The ec2:Describe* commands (including ec2:DescribeInstances) do not support resource-level permissions. So you can only allow or deny ec2:Describe* for everything (*). So your user can see all instances, or none.
Regarding trying to deny all, then override an allow
The order of the policy statements does not change the result of the policy. So don't try to write or interpret it "top down".
Policies work like this:
- The policy starts implicitly denying everything (this is implied deny)
- Any "Allow" statements override any implied denies (this is an explicit allow)
- Any "Deny" statements override all allows (this is an explicit deny)
So once you have a "Deny" statement, nothing can override that.
To be able to "pigeon hole" an allow, like you're trying to do, you must do one of these:
- Don't deny anything, allow only what you want to allow, or
- Deny everything except what you want to allow (in a single statement)
To accomplish what you want
The closest you'll get is to allow your user to "see" everything, but operate only on the one EC2 instance. You'll need 2 statements:
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
,
"Effect": "Allow",
"Action": "*",
"Resource": "arn:aws:ec2:us-east-1:1234567890123:instance/i-12345678"
]
answered Apr 16 at 13:19
Matt HouserMatt Houser
8,1191 gold badge18 silver badges20 bronze badges
answered Apr 16 at 13:19
Matt HouserMatt Houser
8,1191 gold badge18 silver badges20 bronze badges
answered Apr 16 at 13:19
Matt HouserMatt Houser
8,1191 gold badge18 silver badges20 bronze badges
answered Apr 16 at 13:19
Matt HouserMatt Houser
8,1191 gold badge18 silver badges20 bronze badges
8,1191 gold badge18 silver badges20 bronze badges
add a comment |
add a comment |
You have to deny all, but in your condition, use ArnNotEquals "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"
This will basically deny all other instance that does not have the same ARN as the instance that you want to be allowed.
See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN for more information
answered Apr 15 at 4:57
Sharuzzaman Ahmat RaslanSharuzzaman Ahmat Raslan
2731 gold badge2 silver badges15 bronze badges
add a comment |
You have to deny all, but in your condition, use ArnNotEquals "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"
This will basically deny all other instance that does not have the same ARN as the instance that you want to be allowed.
See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN for more information
answered Apr 15 at 4:57
Sharuzzaman Ahmat RaslanSharuzzaman Ahmat Raslan
2731 gold badge2 silver badges15 bronze badges
add a comment |
You have to deny all, but in your condition, use ArnNotEquals "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"
This will basically deny all other instance that does not have the same ARN as the instance that you want to be allowed.
See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN for more information
answered Apr 15 at 4:57
Sharuzzaman Ahmat RaslanSharuzzaman Ahmat Raslan
2731 gold badge2 silver badges15 bronze badges
You have to deny all, but in your condition, use ArnNotEquals "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"
This will basically deny all other instance that does not have the same ARN as the instance that you want to be allowed.
See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN for more information
answered Apr 15 at 4:57
Sharuzzaman Ahmat RaslanSharuzzaman Ahmat Raslan
2731 gold badge2 silver badges15 bronze badges
answered Apr 15 at 4:57
Sharuzzaman Ahmat RaslanSharuzzaman Ahmat Raslan
2731 gold badge2 silver badges15 bronze badges
answered Apr 15 at 4:57
Sharuzzaman Ahmat RaslanSharuzzaman Ahmat Raslan
2731 gold badge2 silver badges15 bronze badges
answered Apr 15 at 4:57
Sharuzzaman Ahmat RaslanSharuzzaman Ahmat Raslan
2731 gold badge2 silver badges15 bronze badges
2731 gold badge2 silver badges15 bronze badges
add a comment |
add a comment |
Thank you MLu and Sharuzzaman Ahmat Raslan!
Your inputs really helped me to get this done.
I am adding the summary of what I did below for others in case:
- First, need to make sure the right policy is attached to the user
group or in my case, the right policy is detached. The user had no
EC2 access. Next, I used the Inline Policy to add access. I added the below policy which, as mentioned by MLu would allow not stop listing the instances but will not allow updating of the other instances
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
,
"Effect": "Allow",
"Action": "*)",
"Resource": "arn:aws:ec2:us-east-1:1234567890123:instance/i-xxxxxxxxxxxxxxxxx"
]
Hope this helps someone stuck to save some time.
edited Apr 15 at 9:04
HBruijn
61.1k12 gold badges97 silver badges165 bronze badges
answered Apr 15 at 6:47
ServerInsightsServerInsights
261 silver badge5 bronze badges
Where normally 4 leading spaces pre-format text/code in an itemized list you instead need to use 8 spaces
– HBruijn
Apr 15 at 9:06
@HBruijn Thanks a lot!
– ServerInsights
Apr 15 at 12:52
add a comment |
Thank you MLu and Sharuzzaman Ahmat Raslan!
Your inputs really helped me to get this done.
I am adding the summary of what I did below for others in case:
- First, need to make sure the right policy is attached to the user
group or in my case, the right policy is detached. The user had no
EC2 access. Next, I used the Inline Policy to add access. I added the below policy which, as mentioned by MLu would allow not stop listing the instances but will not allow updating of the other instances
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
,
"Effect": "Allow",
"Action": "*)",
"Resource": "arn:aws:ec2:us-east-1:1234567890123:instance/i-xxxxxxxxxxxxxxxxx"
]
Hope this helps someone stuck to save some time.
edited Apr 15 at 9:04
HBruijn
61.1k12 gold badges97 silver badges165 bronze badges
answered Apr 15 at 6:47
ServerInsightsServerInsights
261 silver badge5 bronze badges
Where normally 4 leading spaces pre-format text/code in an itemized list you instead need to use 8 spaces
– HBruijn
Apr 15 at 9:06
@HBruijn Thanks a lot!
– ServerInsights
Apr 15 at 12:52
add a comment |
Thank you MLu and Sharuzzaman Ahmat Raslan!
Your inputs really helped me to get this done.
I am adding the summary of what I did below for others in case:
- First, need to make sure the right policy is attached to the user
group or in my case, the right policy is detached. The user had no
EC2 access. Next, I used the Inline Policy to add access. I added the below policy which, as mentioned by MLu would allow not stop listing the instances but will not allow updating of the other instances
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
,
"Effect": "Allow",
"Action": "*)",
"Resource": "arn:aws:ec2:us-east-1:1234567890123:instance/i-xxxxxxxxxxxxxxxxx"
]
Hope this helps someone stuck to save some time.
edited Apr 15 at 9:04
HBruijn
61.1k12 gold badges97 silver badges165 bronze badges
answered Apr 15 at 6:47
ServerInsightsServerInsights
261 silver badge5 bronze badges
Thank you MLu and Sharuzzaman Ahmat Raslan!
Your inputs really helped me to get this done.
I am adding the summary of what I did below for others in case:
- First, need to make sure the right policy is attached to the user
group or in my case, the right policy is detached. The user had no
EC2 access. Next, I used the Inline Policy to add access. I added the below policy which, as mentioned by MLu would allow not stop listing the instances but will not allow updating of the other instances
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
,
"Effect": "Allow",
"Action": "*)",
"Resource": "arn:aws:ec2:us-east-1:1234567890123:instance/i-xxxxxxxxxxxxxxxxx"
]
Hope this helps someone stuck to save some time.
edited Apr 15 at 9:04
HBruijn
61.1k12 gold badges97 silver badges165 bronze badges
answered Apr 15 at 6:47
ServerInsightsServerInsights
261 silver badge5 bronze badges
edited Apr 15 at 9:04
HBruijn
61.1k12 gold badges97 silver badges165 bronze badges
edited Apr 15 at 9:04
HBruijn
61.1k12 gold badges97 silver badges165 bronze badges
edited Apr 15 at 9:04
HBruijn
61.1k12 gold badges97 silver badges165 bronze badges
61.1k12 gold badges97 silver badges165 bronze badges
answered Apr 15 at 6:47
ServerInsightsServerInsights
261 silver badge5 bronze badges
answered Apr 15 at 6:47
ServerInsightsServerInsights
261 silver badge5 bronze badges
answered Apr 15 at 6:47
ServerInsightsServerInsights
261 silver badge5 bronze badges
261 silver badge5 bronze badges
Where normally 4 leading spaces pre-format text/code in an itemized list you instead need to use 8 spaces
– HBruijn
Apr 15 at 9:06
@HBruijn Thanks a lot!
– ServerInsights
Apr 15 at 12:52
add a comment |
Where normally 4 leading spaces pre-format text/code in an itemized list you instead need to use 8 spaces
– HBruijn
Apr 15 at 9:06
@HBruijn Thanks a lot!
– ServerInsights
Apr 15 at 12:52
Where normally 4 leading spaces pre-format text/code in an itemized list you instead need to use 8 spaces
– HBruijn
Apr 15 at 9:06
Where normally 4 leading spaces pre-format text/code in an itemized list you instead need to use 8 spaces
– HBruijn
Apr 15 at 9:06
@HBruijn Thanks a lot!
– ServerInsights
Apr 15 at 12:52
@HBruijn Thanks a lot!
– ServerInsights
Apr 15 at 12:52
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f963055%2faws-iam-restrict-console-access-to-only-one-instance%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
