AWS IAM: Restrict Console Access to only One Instance





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







1















I am trying to create an IAM user for the AWS Console with permission to list and perform action on only 1 instance.



So I have a total of 6 Instances and I tried hiding 5 of them via IAM Policies by adding the below policy:

Breakdown

1. First took all the permissions away

2. Added permission to only one instance



    {
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"condition": {}
}
},
{
"Effect": "Allow",
"Action": "*",
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef",
"Condition": {
"condition": {}
}
}
]
}


This works for the 1st part only ie Denying to all Instances.
The 2nd part doesn't seem to work.

AWS Console with no permission to any instance data



Don't the permissions work like that? Any help would be appreciated.










share|improve this question





























    1















    I am trying to create an IAM user for the AWS Console with permission to list and perform action on only 1 instance.



    So I have a total of 6 Instances and I tried hiding 5 of them via IAM Policies by adding the below policy:

    Breakdown

    1. First took all the permissions away

    2. Added permission to only one instance



        {
    "Statement": [
    {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
    "condition": {}
    }
    },
    {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef",
    "Condition": {
    "condition": {}
    }
    }
    ]
    }


    This works for the 1st part only ie Denying to all Instances.
    The 2nd part doesn't seem to work.

    AWS Console with no permission to any instance data



    Don't the permissions work like that? Any help would be appreciated.










    share|improve this question

























      1












      1








      1








      I am trying to create an IAM user for the AWS Console with permission to list and perform action on only 1 instance.



      So I have a total of 6 Instances and I tried hiding 5 of them via IAM Policies by adding the below policy:

      Breakdown

      1. First took all the permissions away

      2. Added permission to only one instance



          {
      "Statement": [
      {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
      "condition": {}
      }
      },
      {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef",
      "Condition": {
      "condition": {}
      }
      }
      ]
      }


      This works for the 1st part only ie Denying to all Instances.
      The 2nd part doesn't seem to work.

      AWS Console with no permission to any instance data



      Don't the permissions work like that? Any help would be appreciated.










      share|improve this question














      I am trying to create an IAM user for the AWS Console with permission to list and perform action on only 1 instance.



      So I have a total of 6 Instances and I tried hiding 5 of them via IAM Policies by adding the below policy:

      Breakdown

      1. First took all the permissions away

      2. Added permission to only one instance



          {
      "Statement": [
      {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
      "condition": {}
      }
      },
      {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef",
      "Condition": {
      "condition": {}
      }
      }
      ]
      }


      This works for the 1st part only ie Denying to all Instances.
      The 2nd part doesn't seem to work.

      AWS Console with no permission to any instance data



      Don't the permissions work like that? Any help would be appreciated.







      amazon-web-services amazon-ec2 amazon-iam






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 1 hour ago









      ServerInsightsServerInsights

      1615




      1615






















          2 Answers
          2






          active

          oldest

          votes


















          2














          Your current policy would work in the AWS-CLI, e.g. aws ec2 stop-instance should work.



          However to actually use the web console you need a few more read-only permissions because the console tries to list and describe all the instances to build the list.



          You may need at least ec2:DescribeInstances to get a basic half-broken list.



          If you only care about preventing that IAM user from modifying other instances you can give him a read-only access with ec2:Describe* - that should make the console usable while preventing him from modifying any non-permitted instances.



          I'm not aware of a way to restrict the listing of instances only to the one he can work with, he will probably see them all but can only manage that single one.



          Hope that helps :)






          share|improve this answer































            0














            You have to deny all, but in your condition, use ArnNotEquals "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"



            This will basically deny all other instance that does not have the same ARN as the instance that you want to be allowed.



            See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN for more information






            share|improve this answer
























              Your Answer








              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "2"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: true,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: 10,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














              draft saved

              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f963055%2faws-iam-restrict-console-access-to-only-one-instance%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              2














              Your current policy would work in the AWS-CLI, e.g. aws ec2 stop-instance should work.



              However to actually use the web console you need a few more read-only permissions because the console tries to list and describe all the instances to build the list.



              You may need at least ec2:DescribeInstances to get a basic half-broken list.



              If you only care about preventing that IAM user from modifying other instances you can give him a read-only access with ec2:Describe* - that should make the console usable while preventing him from modifying any non-permitted instances.



              I'm not aware of a way to restrict the listing of instances only to the one he can work with, he will probably see them all but can only manage that single one.



              Hope that helps :)






              share|improve this answer




























                2














                Your current policy would work in the AWS-CLI, e.g. aws ec2 stop-instance should work.



                However to actually use the web console you need a few more read-only permissions because the console tries to list and describe all the instances to build the list.



                You may need at least ec2:DescribeInstances to get a basic half-broken list.



                If you only care about preventing that IAM user from modifying other instances you can give him a read-only access with ec2:Describe* - that should make the console usable while preventing him from modifying any non-permitted instances.



                I'm not aware of a way to restrict the listing of instances only to the one he can work with, he will probably see them all but can only manage that single one.



                Hope that helps :)






                share|improve this answer


























                  2












                  2








                  2







                  Your current policy would work in the AWS-CLI, e.g. aws ec2 stop-instance should work.



                  However to actually use the web console you need a few more read-only permissions because the console tries to list and describe all the instances to build the list.



                  You may need at least ec2:DescribeInstances to get a basic half-broken list.



                  If you only care about preventing that IAM user from modifying other instances you can give him a read-only access with ec2:Describe* - that should make the console usable while preventing him from modifying any non-permitted instances.



                  I'm not aware of a way to restrict the listing of instances only to the one he can work with, he will probably see them all but can only manage that single one.



                  Hope that helps :)






                  share|improve this answer













                  Your current policy would work in the AWS-CLI, e.g. aws ec2 stop-instance should work.



                  However to actually use the web console you need a few more read-only permissions because the console tries to list and describe all the instances to build the list.



                  You may need at least ec2:DescribeInstances to get a basic half-broken list.



                  If you only care about preventing that IAM user from modifying other instances you can give him a read-only access with ec2:Describe* - that should make the console usable while preventing him from modifying any non-permitted instances.



                  I'm not aware of a way to restrict the listing of instances only to the one he can work with, he will probably see them all but can only manage that single one.



                  Hope that helps :)







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered 1 hour ago









                  MLuMLu

                  9,78722445




                  9,78722445

























                      0














                      You have to deny all, but in your condition, use ArnNotEquals "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"



                      This will basically deny all other instance that does not have the same ARN as the instance that you want to be allowed.



                      See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN for more information






                      share|improve this answer




























                        0














                        You have to deny all, but in your condition, use ArnNotEquals "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"



                        This will basically deny all other instance that does not have the same ARN as the instance that you want to be allowed.



                        See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN for more information






                        share|improve this answer


























                          0












                          0








                          0







                          You have to deny all, but in your condition, use ArnNotEquals "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"



                          This will basically deny all other instance that does not have the same ARN as the instance that you want to be allowed.



                          See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN for more information






                          share|improve this answer













                          You have to deny all, but in your condition, use ArnNotEquals "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"



                          This will basically deny all other instance that does not have the same ARN as the instance that you want to be allowed.



                          See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN for more information







                          share|improve this answer












                          share|improve this answer



                          share|improve this answer










                          answered 1 hour ago









                          Sharuzzaman Ahmat RaslanSharuzzaman Ahmat Raslan

                          2631213




                          2631213






























                              draft saved

                              draft discarded




















































                              Thanks for contributing an answer to Server Fault!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid



                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.


                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function () {
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f963055%2faws-iam-restrict-console-access-to-only-one-instance%23new-answer', 'question_page');
                              }
                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              Popular posts from this blog

                              Masuk log Menu navigasi

                              Identifying “long and narrow” polygons in with PostGISlength and width of polygonWhy postgis st_overlaps reports Qgis' “avoid intersections” generated polygon as overlapping with others?Adjusting polygons to boundary and filling holesDrawing polygons with fixed area?How to remove spikes in Polygons with PostGISDeleting sliver polygons after difference operation in QGIS?Snapping boundaries in PostGISSplit polygon into parts adding attributes based on underlying polygon in QGISSplitting overlap between polygons and assign to nearest polygon using PostGIS?Expanding polygons and clipping at midpoint?Removing Intersection of Buffers in Same Layers

                              Старые Смолеговицы Содержание История | География | Демография | Достопримечательности | Примечания | НавигацияHGЯOLHGЯOL41 206 832 01641 606 406 141Административно-территориальное деление Ленинградской области«Переписная оброчная книга Водской пятины 1500 года», С. 793«Карта Ингерманландии: Ивангорода, Яма, Копорья, Нотеборга», по материалам 1676 г.«Генеральная карта провинции Ингерманландии» Э. Белинга и А. Андерсина, 1704 г., составлена по материалам 1678 г.«Географический чертёж над Ижорскою землей со своими городами» Адриана Шонбека 1705 г.Новая и достоверная всей Ингерманландии ланткарта. Грав. А. Ростовцев. СПб., 1727 г.Топографическая карта Санкт-Петербургской губернии. 5-и верстка. Шуберт. 1834 г.Описание Санкт-Петербургской губернии по уездам и станамСпецкарта западной части России Ф. Ф. Шуберта. 1844 г.Алфавитный список селений по уездам и станам С.-Петербургской губернииСписки населённых мест Российской Империи, составленные и издаваемые центральным статистическим комитетом министерства внутренних дел. XXXVII. Санкт-Петербургская губерния. По состоянию на 1862 год. СПб. 1864. С. 203Материалы по статистике народного хозяйства в С.-Петербургской губернии. Вып. IX. Частновладельческое хозяйство в Ямбургском уезде. СПб, 1888, С. 146, С. 2, 7, 54Положение о гербе муниципального образования Курское сельское поселениеСправочник истории административно-территориального деления Ленинградской области.Топографическая карта Ленинградской области, квадрат О-35-23-В (Хотыницы), 1930 г.АрхивированоАдминистративно-территориальное деление Ленинградской области. — Л., 1933, С. 27, 198АрхивированоАдминистративно-экономический справочник по Ленинградской области. — Л., 1936, с. 219АрхивированоАдминистративно-территориальное деление Ленинградской области. — Л., 1966, с. 175АрхивированоАдминистративно-территориальное деление Ленинградской области. — Лениздат, 1973, С. 180АрхивированоАдминистративно-территориальное деление Ленинградской области. — Лениздат, 1990, ISBN 5-289-00612-5, С. 38АрхивированоАдминистративно-территориальное деление Ленинградской области. — СПб., 2007, с. 60АрхивированоКоряков Юрий База данных «Этно-языковой состав населённых пунктов России». Ленинградская область.Административно-территориальное деление Ленинградской области. — СПб, 1997, ISBN 5-86153-055-6, С. 41АрхивированоКультовый комплекс Старые Смолеговицы // Электронная энциклопедия ЭрмитажаПроблемы выявления, изучения и сохранения культовых комплексов с каменными крестами: по материалам работ 2016-2017 гг. в Ленинградской области