Question

I have set a policy for an AWS user as such:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect":"Allow",
         "Action": "ec2:Describe*",
         "Resource":"*"
      }
   ]
}

The intent was to allow a user with this policy to view EC2 instances on the console, but not to actually do anything with them. The problem is, once this policy is applied, the user can start, stop, terminate and launch new instances even though none of those permissions are addressed in the above policy, AFAIK.

Why is this happening with the above policy, and what can I do to prevent it (i.e. achieve the "view but not touch" result I'm after)?


Solution

Amazon IAM policies are Deny by default, which is not identical to Explicit Deny, see The Difference Between Denying by Default and Explicit Deny for details.

Accordingly, the observed behavior wouldn't be possible by default, so there must be another policy in place for this user explicitly granting the undesired actions like ec2:RunInstances. You have the following options to remedy this:

Identify/Remove Explicit Allow

You can analyze which policy grants the undesired actions by means of the excellent new AWS Identity and Access Management Policy Simulator, which is utterly helpful for issues like this.

Add Explicit Deny

You can add an explicit deny for those actions the user shouldn't be able to perform, e.g.:

{
  "Statement": [
    {
      "Action": [
        "ec2:RebootInstances",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Effect": "Deny",
      "Resource": "*"
    }
  ]
}

Please note that the latter would still allow quite some other EC2 actions that you might not want, so a more complete approach to explicitly deny all but the desired ones would be to facilitate the NotAction:

The NotAction element lets you specify an exception to a list of actions. For example, you can use NotAction to let users use only the Amazon SQS SendMessage action, without having to list all the actions that the user is not allowed to perform. Using NotAction can sometimes result in shorter policies than using an Action element and listing many actions.

  • Warning: Please be aware that it is easy to restrict more than you intend and even lock yourself out when using NotAction for an explicit Deny - always make sure the Resource statement is only targeting the desired resources. For example, simply using the common wildcard * instead of a more specific resource selector like arn:aws:ec2:*:*:* boils down to 'deny all but these actions for every service' - for the example at hand this would include the ability to delete the erroneous policy again! This is best avoided by carefully simulating the policy upfront.

A corresponding policy might look like this:

{
  "Statement": [
    {
      "NotAction": [
        "ec2:Describe*"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:ec2:*:*:*"
    }
  ]
}
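To make the three evaluation rules this answer relies on concrete (implicit deny by default, an explicit Deny beating any Allow, and the Resource of a NotAction Deny deciding how far it reaches), here is an added Python model of IAM evaluation; it is not AWS's evaluator and not code from the answer. The stray RunInstances Allow, the IAM Allow and both ARNs are constructed for the demonstration.

```python
import fnmatch

# Added example, not AWS's own evaluator: a reduced model of IAM policy
# evaluation that shows why 'ec2:Describe*' alone cannot grant RunInstances,
# how an explicit Deny overrides a stray Allow, and how the Resource on a
# NotAction Deny decides whether it also blocks non-EC2 actions (the lockout
# warning). Conditions, policy variables and per-action quirks are ignored.

def _matches(patterns, value, fold=False):
    pats = [patterns] if isinstance(patterns, str) else patterns
    if fold:  # IAM action names are case-insensitive; ARNs are not
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _applies(stmt, action, resource):
    if "NotAction" in stmt:  # hits every action NOT in the list
        hit = not _matches(stmt["NotAction"], action, fold=True)
    else:
        hit = _matches(stmt["Action"], action, fold=True)
    return hit and _matches(stmt["Resource"], resource)

def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _applies(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "explicit_deny"  # Deny wins over any Allow
                decision = "allow"
    return decision

def _policy(effect, resource, **action_element):
    return {"Version": "2012-10-17",
            "Statement": [dict(Effect=effect, Resource=resource, **action_element)]}

# Policies from the page plus two constructed ones: the stray Allow the
# answer says must exist, and an IAM Allow that the wildcard Deny clobbers.
READ_ONLY = _policy("Allow", "*", Action="ec2:Describe*")
STRAY_ALLOW = _policy("Allow", "*", Action=["ec2:RunInstances"])
SCOPED_DENY = _policy("Deny", "arn:aws:ec2:*:*:*", NotAction=["ec2:Describe*"])
WILDCARD_DENY = _policy("Deny", "*", NotAction=["ec2:Describe*"])
IAM_ADMIN = _policy("Allow", "*", Action="iam:*")
INSTANCE = "arn:aws:ec2:us-west-1:123456789012:instance/i-0abc1234def56789a"
POLICY_ARN = "arn:aws:iam::123456789012:policy/ec2-read-only"  # constructed

if __name__ == "__main__":
    print(evaluate([READ_ONLY, STRAY_ALLOW], "ec2:RunInstances", INSTANCE))
    print(evaluate([IAM_ADMIN, WILDCARD_DENY], "iam:DeletePolicy", POLICY_ARN))
```

Running the same request against SCOPED_DENY and WILDCARD_DENY shows the difference the warning describes: the scoped Deny leaves iam:DeletePolicy alone, the wildcard one blocks it despite the Allow.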

OTHER TIPS

For user3086014, create a policy similar to the one below:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect":"Allow",
         "Action": [
             "ec2:DescribeInstances",
             "ec2:StartInstances",
             "ec2:StopInstances",
             "ec2:RebootInstances"
         ],
         "Resource":[
            "arn:aws:ec2:us-west-1:0123456789012:instance/i-ffffffff"
         ]
      }
   ]
}

Change the actions to the ones you want to allow your user to perform. Change the resource to identify your instance, i.e. change the account ID (I've written 0123456789012 above) and the instance ID (I've written i-ffffffff above). Then apply that policy to your user. If you want to allow use of two instances, add a second ARN with a comma delimiter between the ARNs (as required by JSON syntax).

Please next time make a separate question. It's awkward having question-and-answer exchanges in the comments themselves. Thanks!

Licensed under: CC-BY-SA with attribution