Why does applying a condition to ec2:DescribeInstances in an IAM policy fail?

Question:

When trying to configure which instances can be listed using IAM policies, I notice the following issue:

  • When the condition is not implemented, all instances are visible.
  • When any condition is implemented, nothing is visible.

The example policy with a condition is included:

What is wrong here?

Answer:

The ec2:DescribeInstances action does not support resource-level permissions or applying conditions.

From the linked documentation above:

…to use these actions in an IAM policy, you must grant users permission to use all resources for the action by using a * wildcard for the Resource element in your statement. You cannot use Amazon EC2 condition keys for these actions.

So your usage of the * wildcard without a condition is valid, but applying any condition (as of this writing) will unfortunately not work as expected.

Further Reading:
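As an added illustration (not the asker's policy, which is not shown on the page, nor text from the answer), this policy keeps the Describe statement exactly as the quoted documentation requires, `Resource` set to `*` and no `Condition`, and applies a tag-based condition only to EC2 actions that do support resource-level permissions; the `Team` tag key and the `blue` value are made up for the example:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeIsAllOrNothing",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Sid": "TagScopedStartStop",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Team": "blue"
        }
      }
    }
  ]
}
```

Moving the same `Condition` block into the first statement reproduces the symptom described in the question: the Describe call is denied outright and no instances are listed.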
