AWS IAM: Restrict Console Access to only One Instance Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern) Come Celebrate our 10 Year Anniversary!Amazon AWS IAM Policy for single VPC SubnetAmazon AWS IAM Policy based in time of dayHow can I chain AWS IAM AssumeRole API calls?How to restrict IAM policy to not allow stop/terminate an EC2 instance but can create new instances?AWS IAM role for use within a classroomHow to grant access to an SQS to a specific IAM userHow to grant IAM access to an already running EC2 intanceAmazon web service visibility restriction to instances under same accountAWS Force MFA Policy IssueAllow other AWS services to invoke Lambda using IAM

Moving a wrapfig vertically to encroach partially on a subsection title

Caught masturbating at work

Can two people see the same photon?

Why do early math courses focus on the cross sections of a cone and not on other 3D objects?

Does the Mueller report show a conspiracy between Russia and the Trump Campaign?

What does 丫 mean? 丫是什么意思?

Can you force honesty by using the Speak with Dead and Zone of Truth spells together?

Would color changing eyes affect vision?

Why is std::move not [[nodiscard]] in C++20?

If Windows 7 doesn't support WSL, then what is "Subsystem for UNIX-based Applications"?

What does Turing mean by this statement?

Delete free apps from library

How do living politicians protect their readily obtainable signatures from misuse?

Nose gear failure in single prop aircraft: belly landing or nose-gear up landing?

What is the difference between a "ranged attack" and a "ranged weapon attack"?

How does light 'choose' between wave and particle behaviour?

Should a wizard buy fine inks every time he want to copy spells into his spellbook?

Why weren't discrete x86 CPUs ever used in game hardware?

I can't produce songs

How many time has Arya actually used Needle?

One-one communication

What would you call this weird metallic apparatus that allows you to lift people?

A term for a woman complaining about things/begging in a cute/childish way

Why not send Voyager 3 and 4 following up the paths taken by Voyager 1 and 2 to re-transmit signals of later as they fly away from Earth?



AWS IAM: Restrict Console Access to only One Instance



Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern)
Come Celebrate our 10 Year Anniversary!Amazon AWS IAM Policy for single VPC SubnetAmazon AWS IAM Policy based in time of dayHow can I chain AWS IAM AssumeRole API calls?How to restrict IAM policy to not allow stop/terminate an EC2 instance but can create new instances?AWS IAM role for use within a classroomHow to grant access to an SQS to a specific IAM userHow to grant IAM access to an already running EC2 intanceAmazon web service visibility restriction to instances under same accountAWS Force MFA Policy IssueAllow other AWS services to invoke Lambda using IAM



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








2















I am trying to create an IAM user for the AWS Console with permission to list and perform action on only 1 instance.



So I have a total of 6 Instances and I tried hiding 5 of them via IAM Policies by adding the below policy:

Breakdown

1. First took all the permissions away

2. Added permission to only one instance



 
"Statement": [

"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition":
"condition":

,

"Effect": "Allow",
"Action": "*",
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef",
"Condition":
"condition":


]



This works for the 1st part only ie Denying to all Instances.
The 2nd part doesn't seem to work.

AWS Console with no permission to any instance data



Don't the permissions work like that? Any help would be appreciated.










share|improve this question




























    2















    I am trying to create an IAM user for the AWS Console with permission to list and perform action on only 1 instance.



    So I have a total of 6 Instances and I tried hiding 5 of them via IAM Policies by adding the below policy:

    Breakdown

    1. First took all the permissions away

    2. Added permission to only one instance



     
    "Statement": [

    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition":
    "condition":

    ,

    "Effect": "Allow",
    "Action": "*",
    "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef",
    "Condition":
    "condition":


    ]



    This works for the 1st part only ie Denying to all Instances.
    The 2nd part doesn't seem to work.

    AWS Console with no permission to any instance data



    Don't the permissions work like that? Any help would be appreciated.










    share|improve this question
























      2












      2








      2








      I am trying to create an IAM user for the AWS Console with permission to list and perform action on only 1 instance.



      So I have a total of 6 Instances and I tried hiding 5 of them via IAM Policies by adding the below policy:

      Breakdown

      1. First took all the permissions away

      2. Added permission to only one instance



       
      "Statement": [

      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition":
      "condition":

      ,

      "Effect": "Allow",
      "Action": "*",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef",
      "Condition":
      "condition":


      ]



      This works for the 1st part only ie Denying to all Instances.
      The 2nd part doesn't seem to work.

      AWS Console with no permission to any instance data



      Don't the permissions work like that? Any help would be appreciated.










      share|improve this question














      I am trying to create an IAM user for the AWS Console with permission to list and perform action on only 1 instance.



      So I have a total of 6 Instances and I tried hiding 5 of them via IAM Policies by adding the below policy:

      Breakdown

      1. First took all the permissions away

      2. Added permission to only one instance



       
      "Statement": [

      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition":
      "condition":

      ,

      "Effect": "Allow",
      "Action": "*",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef",
      "Condition":
      "condition":


      ]



      This works for the 1st part only ie Denying to all Instances.
      The 2nd part doesn't seem to work.

      AWS Console with no permission to any instance data



      Don't the permissions work like that? Any help would be appreciated.







      amazon-web-services amazon-ec2 amazon-iam






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Apr 15 at 4:44









      ServerInsightsServerInsights

      2115




      2115




















          4 Answers
          4






          active

          oldest

          votes


















          3














          Your current policy would work in the AWS-CLI, e.g. aws ec2 stop-instance should work.



          However to actually use the web console you need a few more read-only permissions because the console tries to list and describe all the instances to build the list.



          You may need at least ec2:DescribeInstances to get a basic half-broken list.



          If you only care about preventing that IAM user from modifying other instances you can give him a read-only access with ec2:Describe* - that should make the console usable while preventing him from modifying any non-permitted instances.



          I'm not aware of a way to restrict the listing of instances only to the one he can work with, he will probably see them all but can only manage that single one.



          Hope that helps :)






          share|improve this answer






























            0














            You have to deny all, but in your condition, use ArnNotEquals "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"



            This will basically deny all other instance that does not have the same ARN as the instance that you want to be allowed.



            See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN for more information






            share|improve this answer






























              0














              Thank you MLu and Sharuzzaman Ahmat Raslan!



              Your inputs really helped me to get this done.
              I am adding the summary of what I did below for others in case:



              1. First, need to make sure the right policy is attached to the user
                group or in my case, the right policy is detached. The user had no
                EC2 access.


              2. Next, I used the Inline Policy to add access. I added the below policy which, as mentioned by MLu would allow not stop listing the instances but will not allow updating of the other instances




                "Version": "2012-10-17",
                "Statement": [

                "Effect": "Allow",
                "Action": "ec2:Describe*",
                "Resource": "*"
                ,

                "Effect": "Allow",
                "Action": "*)",
                "Resource": "arn:aws:ec2:us-east-1:1234567890123:instance/i-xxxxxxxxxxxxxxxxx"

                ]



              Hope this helps someone stuck to save some time.






              share|improve this answer

























              • Where normally 4 leading spaces pre-format text/code in an itemized list you instead need to use 8 spaces

                – HBruijn
                Apr 15 at 9:06











              • @HBruijn Thanks a lot!

                – ServerInsights
                Apr 15 at 12:52


















              0














              Regarding hiding all instances but one from the user



              This cannot be done using IAM policies. The ec2:Describe* commands (including ec2:DescribeInstances) do not support resource-level permissions. So you can only allow or deny ec2:Describe* for everything (*). So your user can see all instances, or none.



              Regarding trying to deny all, then override an allow



              The order of the policy statements does not change the result of the policy. So don't try to write or interpret it "top down".



              Policies work like this:



              1. The policy starts implicitly denying everything (this is implied deny)

              2. Any "Allow" statements override any implied denies (this is an explicit allow)

              3. Any "Deny" statements override all allows (this is an explicit deny)

              So once you have a "Deny" statement, nothing can override that.



              To be able to "pigeon hole" an allow, like you're trying to do, you must do one of these:



              • Don't deny anything, allow only what you want to allow, or

              • Deny everything except what you want to allow (in a single statement)

              To accomplish what you want



              The closest you'll get is to allow your user to "see" everything, but operate only on the one EC2 instance. You'll need 2 statements:




              "Version": "2012-10-17",
              "Statement": [

              "Effect": "Allow",
              "Action": "ec2:Describe*",
              "Resource": "*"
              ,

              "Effect": "Allow",
              "Action": "*",
              "Resource": "arn:aws:ec2:us-east-1:1234567890123:instance/i-12345678"

              ]






              share|improve this answer























                Your Answer








                StackExchange.ready(function()
                var channelOptions =
                tags: "".split(" "),
                id: "2"
                ;
                initTagRenderer("".split(" "), "".split(" "), channelOptions);

                StackExchange.using("externalEditor", function()
                // Have to fire editor after snippets, if snippets enabled
                if (StackExchange.settings.snippets.snippetsEnabled)
                StackExchange.using("snippets", function()
                createEditor();
                );

                else
                createEditor();

                );

                function createEditor()
                StackExchange.prepareEditor(
                heartbeatType: 'answer',
                autoActivateHeartbeat: false,
                convertImagesToLinks: true,
                noModals: true,
                showLowRepImageUploadWarning: true,
                reputationToPostImages: 10,
                bindNavPrevention: true,
                postfix: "",
                imageUploader:
                brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
                contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
                allowUrls: true
                ,
                onDemand: true,
                discardSelector: ".discard-answer"
                ,immediatelyShowMarkdownHelp:true
                );



                );













                draft saved

                draft discarded


















                StackExchange.ready(
                function ()
                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f963055%2faws-iam-restrict-console-access-to-only-one-instance%23new-answer', 'question_page');

                );

                Post as a guest















                Required, but never shown

























                4 Answers
                4






                active

                oldest

                votes








                4 Answers
                4






                active

                oldest

                votes









                active

                oldest

                votes






                active

                oldest

                votes









                3














                Your current policy would work in the AWS-CLI, e.g. aws ec2 stop-instance should work.



                However to actually use the web console you need a few more read-only permissions because the console tries to list and describe all the instances to build the list.



                You may need at least ec2:DescribeInstances to get a basic half-broken list.



                If you only care about preventing that IAM user from modifying other instances you can give him a read-only access with ec2:Describe* - that should make the console usable while preventing him from modifying any non-permitted instances.



                I'm not aware of a way to restrict the listing of instances only to the one he can work with, he will probably see them all but can only manage that single one.



                Hope that helps :)






                share|improve this answer



























                  3














                  Your current policy would work in the AWS-CLI, e.g. aws ec2 stop-instance should work.



                  However to actually use the web console you need a few more read-only permissions because the console tries to list and describe all the instances to build the list.



                  You may need at least ec2:DescribeInstances to get a basic half-broken list.



                  If you only care about preventing that IAM user from modifying other instances you can give him a read-only access with ec2:Describe* - that should make the console usable while preventing him from modifying any non-permitted instances.



                  I'm not aware of a way to restrict the listing of instances only to the one he can work with, he will probably see them all but can only manage that single one.



                  Hope that helps :)






                  share|improve this answer

























                    3












                    3








                    3







                    Your current policy would work in the AWS-CLI, e.g. aws ec2 stop-instance should work.



                    However to actually use the web console you need a few more read-only permissions because the console tries to list and describe all the instances to build the list.



                    You may need at least ec2:DescribeInstances to get a basic half-broken list.



                    If you only care about preventing that IAM user from modifying other instances you can give him a read-only access with ec2:Describe* - that should make the console usable while preventing him from modifying any non-permitted instances.



                    I'm not aware of a way to restrict the listing of instances only to the one he can work with, he will probably see them all but can only manage that single one.



                    Hope that helps :)






                    share|improve this answer













                    Your current policy would work in the AWS-CLI, e.g. aws ec2 stop-instance should work.



                    However to actually use the web console you need a few more read-only permissions because the console tries to list and describe all the instances to build the list.



                    You may need at least ec2:DescribeInstances to get a basic half-broken list.



                    If you only care about preventing that IAM user from modifying other instances you can give him a read-only access with ec2:Describe* - that should make the console usable while preventing him from modifying any non-permitted instances.



                    I'm not aware of a way to restrict the listing of instances only to the one he can work with, he will probably see them all but can only manage that single one.



                    Hope that helps :)







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered Apr 15 at 5:04









                    MLuMLu

                    9,94722445




                    9,94722445























                        0














                        You have to deny all, but in your condition, use ArnNotEquals "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"



                        This will basically deny all other instance that does not have the same ARN as the instance that you want to be allowed.



                        See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN for more information






                        share|improve this answer



























                          0














                          You have to deny all, but in your condition, use ArnNotEquals "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"



                          This will basically deny all other instance that does not have the same ARN as the instance that you want to be allowed.



                          See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN for more information






                          share|improve this answer

























                            0












                            0








                            0







                            You have to deny all, but in your condition, use ArnNotEquals "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"



                            This will basically deny all other instance that does not have the same ARN as the instance that you want to be allowed.



                            See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN for more information






                            share|improve this answer













                            You have to deny all, but in your condition, use ArnNotEquals "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"



                            This will basically deny all other instance that does not have the same ARN as the instance that you want to be allowed.



                            See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN for more information







                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered Apr 15 at 4:57









                            Sharuzzaman Ahmat RaslanSharuzzaman Ahmat Raslan

                            2631213




                            2631213





















                                0














                                Thank you MLu and Sharuzzaman Ahmat Raslan!



                                Your inputs really helped me to get this done.
                                I am adding the summary of what I did below for others in case:



                                1. First, need to make sure the right policy is attached to the user
                                  group or in my case, the right policy is detached. The user had no
                                  EC2 access.


                                2. Next, I used the Inline Policy to add access. I added the below policy which, as mentioned by MLu would allow not stop listing the instances but will not allow updating of the other instances




                                  "Version": "2012-10-17",
                                  "Statement": [

                                  "Effect": "Allow",
                                  "Action": "ec2:Describe*",
                                  "Resource": "*"
                                  ,

                                  "Effect": "Allow",
                                  "Action": "*)",
                                  "Resource": "arn:aws:ec2:us-east-1:1234567890123:instance/i-xxxxxxxxxxxxxxxxx"

                                  ]



                                Hope this helps someone stuck to save some time.






                                share|improve this answer

























                                • Where normally 4 leading spaces pre-format text/code in an itemized list you instead need to use 8 spaces

                                  – HBruijn
                                  Apr 15 at 9:06











                                • @HBruijn Thanks a lot!

                                  – ServerInsights
                                  Apr 15 at 12:52















                                0














                                Thank you MLu and Sharuzzaman Ahmat Raslan!



                                Your inputs really helped me to get this done.
                                I am adding the summary of what I did below for others in case:



                                1. First, need to make sure the right policy is attached to the user
                                  group or in my case, the right policy is detached. The user had no
                                  EC2 access.


                                2. Next, I used the Inline Policy to add access. I added the below policy which, as mentioned by MLu would allow not stop listing the instances but will not allow updating of the other instances




                                  "Version": "2012-10-17",
                                  "Statement": [

                                  "Effect": "Allow",
                                  "Action": "ec2:Describe*",
                                  "Resource": "*"
                                  ,

                                  "Effect": "Allow",
                                  "Action": "*)",
                                  "Resource": "arn:aws:ec2:us-east-1:1234567890123:instance/i-xxxxxxxxxxxxxxxxx"

                                  ]



                                Hope this helps someone stuck to save some time.






                                share|improve this answer

























                                • Where normally 4 leading spaces pre-format text/code in an itemized list you instead need to use 8 spaces

                                  – HBruijn
                                  Apr 15 at 9:06











                                • @HBruijn Thanks a lot!

                                  – ServerInsights
                                  Apr 15 at 12:52













                                0












                                0








                                0







                                Thank you MLu and Sharuzzaman Ahmat Raslan!



                                Your inputs really helped me to get this done.
                                I am adding the summary of what I did below for others in case:



                                1. First, need to make sure the right policy is attached to the user
                                  group or in my case, the right policy is detached. The user had no
                                  EC2 access.


                                2. Next, I used the Inline Policy to add access. I added the below policy which, as mentioned by MLu would allow not stop listing the instances but will not allow updating of the other instances




                                  "Version": "2012-10-17",
                                  "Statement": [

                                  "Effect": "Allow",
                                  "Action": "ec2:Describe*",
                                  "Resource": "*"
                                  ,

                                  "Effect": "Allow",
                                  "Action": "*)",
                                  "Resource": "arn:aws:ec2:us-east-1:1234567890123:instance/i-xxxxxxxxxxxxxxxxx"

                                  ]



                                Hope this helps someone stuck to save some time.






                                share|improve this answer















                                Thank you MLu and Sharuzzaman Ahmat Raslan!



                                Your inputs really helped me to get this done.
                                I am adding the summary of what I did below for others in case:



                                1. First, need to make sure the right policy is attached to the user
                                  group or in my case, the right policy is detached. The user had no
                                  EC2 access.


                                2. Next, I used the Inline Policy to add access. I added the below policy which, as mentioned by MLu would allow not stop listing the instances but will not allow updating of the other instances




                                  "Version": "2012-10-17",
                                  "Statement": [

                                  "Effect": "Allow",
                                  "Action": "ec2:Describe*",
                                  "Resource": "*"
                                  ,

                                  "Effect": "Allow",
                                  "Action": "*)",
                                  "Resource": "arn:aws:ec2:us-east-1:1234567890123:instance/i-xxxxxxxxxxxxxxxxx"

                                  ]



                                Hope this helps someone stuck to save some time.







                                share|improve this answer














                                share|improve this answer



                                share|improve this answer








                                edited Apr 15 at 9:04









                                HBruijn

                                56.8k1190150




                                56.8k1190150










                                answered Apr 15 at 6:47









                                ServerInsightsServerInsights

                                2115




                                2115












                                • Where normally 4 leading spaces pre-format text/code in an itemized list you instead need to use 8 spaces

                                  – HBruijn
                                  Apr 15 at 9:06











                                • @HBruijn Thanks a lot!

                                  – ServerInsights
                                  Apr 15 at 12:52

















                                • Where normally 4 leading spaces pre-format text/code in an itemized list you instead need to use 8 spaces

                                  – HBruijn
                                  Apr 15 at 9:06











                                • @HBruijn Thanks a lot!

                                  – ServerInsights
                                  Apr 15 at 12:52
















                                Where normally 4 leading spaces pre-format text/code in an itemized list you instead need to use 8 spaces

                                – HBruijn
                                Apr 15 at 9:06





                                Where normally 4 leading spaces pre-format text/code in an itemized list you instead need to use 8 spaces

                                – HBruijn
                                Apr 15 at 9:06













                                @HBruijn Thanks a lot!

                                – ServerInsights
                                Apr 15 at 12:52





                                @HBruijn Thanks a lot!

                                – ServerInsights
                                Apr 15 at 12:52











                                0














                                Regarding hiding all instances but one from the user



                                This cannot be done using IAM policies. The ec2:Describe* commands (including ec2:DescribeInstances) do not support resource-level permissions. So you can only allow or deny ec2:Describe* for everything (*). So your user can see all instances, or none.



                                Regarding trying to deny all, then override an allow



                                The order of the policy statements does not change the result of the policy. So don't try to write or interpret it "top down".



                                Policies work like this:



                                1. The policy starts implicitly denying everything (this is implied deny)

                                2. Any "Allow" statements override any implied denies (this is an explicit allow)

                                3. Any "Deny" statements override all allows (this is an explicit deny)

                                So once you have a "Deny" statement, nothing can override that.



                                To be able to "pigeon hole" an allow, like you're trying to do, you must do one of these:



                                • Don't deny anything, allow only what you want to allow, or

                                • Deny everything except what you want to allow (in a single statement)

                                To accomplish what you want



                                The closest you'll get is to allow your user to "see" everything, but operate only on the one EC2 instance. You'll need 2 statements:




                                "Version": "2012-10-17",
                                "Statement": [

                                "Effect": "Allow",
                                "Action": "ec2:Describe*",
                                "Resource": "*"
                                ,

                                "Effect": "Allow",
                                "Action": "*",
                                "Resource": "arn:aws:ec2:us-east-1:1234567890123:instance/i-12345678"

                                ]






                                share|improve this answer



























                                  0














                                  Regarding hiding all instances but one from the user



                                  This cannot be done using IAM policies. The ec2:Describe* commands (including ec2:DescribeInstances) do not support resource-level permissions. So you can only allow or deny ec2:Describe* for everything (*). So your user can see all instances, or none.



                                  Regarding trying to deny all, then override an allow



                                  The order of the policy statements does not change the result of the policy. So don't try to write or interpret it "top down".



                                  Policies work like this:



                                  1. The policy starts implicitly denying everything (this is implied deny)

                                  2. Any "Allow" statements override any implied denies (this is an explicit allow)

                                  3. Any "Deny" statements override all allows (this is an explicit deny)

                                  So once you have a "Deny" statement, nothing can override that.



                                  To be able to "pigeon hole" an allow, like you're trying to do, you must do one of these:



                                  • Don't deny anything, allow only what you want to allow, or

                                  • Deny everything except what you want to allow (in a single statement)

                                  To accomplish what you want



                                  The closest you'll get is to allow your user to "see" everything, but operate only on the one EC2 instance. You'll need 2 statements:




                                  "Version": "2012-10-17",
                                  "Statement": [

                                  "Effect": "Allow",
                                  "Action": "ec2:Describe*",
                                  "Resource": "*"
                                  ,

                                  "Effect": "Allow",
                                  "Action": "*",
                                  "Resource": "arn:aws:ec2:us-east-1:1234567890123:instance/i-12345678"

                                  ]






                                  share|improve this answer

























                                    0












                                    0








                                    0







                                    Regarding hiding all instances but one from the user



                                    This cannot be done using IAM policies. The ec2:Describe* commands (including ec2:DescribeInstances) do not support resource-level permissions. So you can only allow or deny ec2:Describe* for everything (*). So your user can see all instances, or none.



                                    Regarding trying to deny all, then override an allow



                                    The order of the policy statements does not change the result of the policy. So don't try to write or interpret it "top down".



                                    Policies work like this:



                                    1. The policy starts implicitly denying everything (this is implied deny)

                                    2. Any "Allow" statements override any implied denies (this is an explicit allow)

                                    3. Any "Deny" statements override all allows (this is an explicit deny)

                                    So once you have a "Deny" statement, nothing can override that.



                                    To be able to "pigeon hole" an allow, like you're trying to do, you must do one of these:



                                    • Don't deny anything, allow only what you want to allow, or

                                    • Deny everything except what you want to allow (in a single statement)

                                    To accomplish what you want



                                    The closest you'll get is to allow your user to "see" everything, but operate only on the one EC2 instance. You'll need 2 statements:




                                    "Version": "2012-10-17",
                                    "Statement": [

                                    "Effect": "Allow",
                                    "Action": "ec2:Describe*",
                                    "Resource": "*"
                                    ,

                                    "Effect": "Allow",
                                    "Action": "*",
                                    "Resource": "arn:aws:ec2:us-east-1:1234567890123:instance/i-12345678"

                                    ]






                                    share|improve this answer













                                    Regarding hiding all instances but one from the user



                                    This cannot be done using IAM policies. The ec2:Describe* commands (including ec2:DescribeInstances) do not support resource-level permissions. So you can only allow or deny ec2:Describe* for everything (*). So your user can see all instances, or none.



                                    Regarding trying to deny all, then override an allow



                                    The order of the policy statements does not change the result of the policy. So don't try to write or interpret it "top down".



                                    Policies work like this:



                                    1. The policy starts implicitly denying everything (this is implied deny)

                                    2. Any "Allow" statements override any implied denies (this is an explicit allow)

                                    3. Any "Deny" statements override all allows (this is an explicit deny)

                                    So once you have a "Deny" statement, nothing can override that.



                                    To be able to "pigeon hole" an allow, like you're trying to do, you must do one of these:



                                    • Don't deny anything, allow only what you want to allow, or

                                    • Deny everything except what you want to allow (in a single statement)

                                    To accomplish what you want



                                    The closest you'll get is to allow your user to "see" everything, but operate only on the one EC2 instance. You'll need 2 statements:




                                    "Version": "2012-10-17",
                                    "Statement": [

                                    "Effect": "Allow",
                                    "Action": "ec2:Describe*",
                                    "Resource": "*"
                                    ,

                                    "Effect": "Allow",
                                    "Action": "*",
                                    "Resource": "arn:aws:ec2:us-east-1:1234567890123:instance/i-12345678"

                                    ]







                                    share|improve this answer












                                    share|improve this answer



                                    share|improve this answer










                                    answered Apr 16 at 13:19









                                    Matt HouserMatt Houser

                                    7,8241518




                                    7,8241518



























                                        draft saved

                                        draft discarded
















































                                        Thanks for contributing an answer to Server Fault!


                                        • Please be sure to answer the question. Provide details and share your research!

                                        But avoid


                                        • Asking for help, clarification, or responding to other answers.

                                        • Making statements based on opinion; back them up with references or personal experience.

                                        To learn more, see our tips on writing great answers.




                                        draft saved


                                        draft discarded














                                        StackExchange.ready(
                                        function ()
                                        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f963055%2faws-iam-restrict-console-access-to-only-one-instance%23new-answer', 'question_page');

                                        );

                                        Post as a guest















                                        Required, but never shown





















































                                        Required, but never shown














                                        Required, but never shown












                                        Required, but never shown







                                        Required, but never shown

































                                        Required, but never shown














                                        Required, but never shown












                                        Required, but never shown







                                        Required, but never shown







                                        Popular posts from this blog

                                        Wikipedia:Vital articles Мазмуну Biography - Өмүр баян Philosophy and psychology - Философия жана психология Religion - Дин Social sciences - Коомдук илимдер Language and literature - Тил жана адабият Science - Илим Technology - Технология Arts and recreation - Искусство жана эс алуу History and geography - Тарых жана география Навигация менюсу

                                        Club Baloncesto Breogán Índice Historia | Pavillón | Nome | O Breogán na cultura popular | Xogadores | Adestradores | Presidentes | Palmarés | Historial | Líderes | Notas | Véxase tamén | Menú de navegacióncbbreogan.galCadroGuía oficial da ACB 2009-10, páxina 201Guía oficial ACB 1992, páxina 183. Editorial DB.É de 6.500 espectadores sentados axeitándose á última normativa"Estudiantes Junior, entre as mellores canteiras"o orixinalHemeroteca El Mundo Deportivo, 16 setembro de 1970, páxina 12Historia do BreogánAlfredo Pérez, o último canoneiroHistoria C.B. BreogánHemeroteca de El Mundo DeportivoJimmy Wright, norteamericano do Breogán deixará Lugo por ameazas de morteResultados de Breogán en 1986-87Resultados de Breogán en 1990-91Ficha de Velimir Perasović en acb.comResultados de Breogán en 1994-95Breogán arrasa al Barça. "El Mundo Deportivo", 27 de setembro de 1999, páxina 58CB Breogán - FC BarcelonaA FEB invita a participar nunha nova Liga EuropeaCharlie Bell na prensa estatalMáximos anotadores 2005Tempada 2005-06 : Tódolos Xogadores da Xornada""Non quero pensar nunha man negra, mais pregúntome que está a pasar""o orixinalRaúl López, orgulloso dos xogadores, presume da boa saúde económica do BreogánJulio González confirma que cesa como presidente del BreogánHomenaxe a Lisardo GómezA tempada do rexurdimento celesteEntrevista a Lisardo GómezEl COB dinamita el Pazo para forzar el quinto (69-73)Cafés Candelas, patrocinador del CB Breogán"Suso Lázare, novo presidente do Breogán"o orixinalCafés Candelas Breogán firma el mayor triunfo de la historiaEl Breogán realizará 17 homenajes por su cincuenta aniversario"O Breogán honra ao seu fundador e primeiro presidente"o orixinalMiguel Giao recibiu a homenaxe do PazoHomenaxe aos primeiros gladiadores celestesO home que nos amosa como ver o Breo co corazónTita Franco será homenaxeada polos #50anosdeBreoJulio Vila recibirá unha homenaxe in memoriam polos #50anosdeBreo"O Breogán homenaxeará aos seus aboados máis veteráns"Pechada ovación a «Capi» Sanmartín e Ricardo «Corazón de González»Homenaxe por décadas de informaciónPaco García volve ao Pazo con motivo do 50 aniversario"Resultados y clasificaciones""O Cafés Candelas Breogán, campión da Copa Princesa""O Cafés Candelas Breogán, equipo ACB"C.B. Breogán"Proxecto social"o orixinal"Centros asociados"o orixinalFicha en imdb.comMario Camus trata la recuperación del amor en 'La vieja música', su última película"Páxina web oficial""Club Baloncesto Breogán""C. B. Breogán S.A.D."eehttp://www.fegaba.com

                                        What should I write in an apology letter, since I have decided not to join a company after accepting an offer letterShould I keep looking after accepting a job offer?What should I do when I've been verbally told I would get an offer letter, but still haven't gotten one after 4 weeks?Do I accept an offer from a company that I am not likely to join?New job hasn't confirmed starting date and I want to give current employer as much notice as possibleHow should I address my manager in my resignation letter?HR delayed background verification, now jobless as resignedNo email communication after accepting a formal written offer. How should I phrase the call?What should I do if after receiving a verbal offer letter I am informed that my written job offer is put on hold due to some internal issues?Should I inform the current employer that I am about to resign within 1-2 weeks since I have signed the offer letter and waiting for visa?What company will do, if I send their offer letter to another company