Question:
When trying to configure which instances can be listed using policies, I notice the following issue:
- When the condition is not implemented, all instances are visible.
- When any condition is implemented, nothing is visible.
The example policy with condition is included:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1461235889000",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": "r3.xlarge"
        }
      }
    }
  ]
}
What is wrong here?
Answer:
The ec2:DescribeInstances action does not support resource-level permissions or applying conditions.
From the linked documentation above:
…to use these actions in an IAM policy, you must grant users permission to use all resources for the action by using a * wildcard for the Resource element in your statement. You cannot use Amazon EC2 condition keys for these actions.
So your usage of the * wildcard without a condition is valid, but applying any condition (as of this writing) will unfortunately not work as expected.
Further Reading:
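As an added example (not code from the question or answer above), a small offline Python check that catches the mistake discussed: it parses a policy document and reports any statement that attaches a condition key to ec2:DescribeInstances, the action the answer says ignores conditions. The set of affected actions and the wildcard matching of Action patterns are assumptions, not taken from AWS documentation.

```python
import json
from fnmatch import fnmatchcase

# Actions that ignore Condition keys. Only ec2:DescribeInstances is confirmed
# by the answer above; extending this set is an assumption you must verify.
ACTIONS_IGNORING_CONDITIONS = {"ec2:DescribeInstances"}


def _as_list(value):
    """IAM allows a string or a list for Action and Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_ineffective_conditions(policy_json):
    """Return (Sid, action, condition_key) for every statement whose Condition
    applies to an action that does not evaluate conditions. Action patterns
    such as "ec2:*" are expanded with fnmatch (assumption: IAM-style wildcards)."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        condition = stmt.get("Condition") or {}
        # Flatten {"StringEquals": {"ec2:InstanceType": ...}} to its keys.
        keys = [key for operator in condition.values() for key in operator]
        if not keys:
            continue  # no condition, so nothing can be silently ignored
        for pattern in _as_list(stmt.get("Action")):
            for action in sorted(ACTIONS_IGNORING_CONDITIONS):
                if fnmatchcase(action, pattern):
                    for key in keys:
                        findings.append((stmt.get("Sid", ""), action, key))
    return findings


# Constructed copy of the policy from the question, embedded so this runs offline.
QUESTION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1461235889000",
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances"],
        "Resource": ["*"],
        "Condition": {"StringEquals": {"ec2:InstanceType": "r3.xlarge"}},
    }],
})

if __name__ == "__main__":
    for sid, action, key in find_ineffective_conditions(QUESTION_POLICY):
        print(f"{sid}: condition key {key} has no effect on {action}")
```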