How to show a specific EC2 instance to a user


I have some AWS EC2 instances and would like to show ONLY one instance to partners.

I created an IAM user for the partner. The following is the policy I created. But when the partner logs in to AWS and opens the EC2 instance view, the following message is displayed and no instance is shown.

An error occurred fetching instance data: You are not authorized to perform this operation.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:*"
      ],
      "Sid": "Stmt1373378552000",
      "Resource": [
        "arn:aws:ec2:ap-northeast-1:123456789012:instance/i-12345678"
      ],
      "Effect": "Allow"
    }
  ]
}

(123456789012 is my (dummy) Account Id and i-12345678 is the instance I would like to show)

I also tried to specify it by tag name like the following, but it does not work.

"Condition": {
  "StringEquals": {
    "ec2:ResourceTag/Name": "node-B"
  }
},

Does anyone know how to show a specific EC2 instance to partners?

Best answer:

This is not currently supported.

Only selected Amazon EC2 API actions currently support resource-level permissions:

  • Describe calls do not support resource-level permissions
  • Start/Stop/Terminate (and others) are supported

The AWS Management Console uses a DescribeInstances call, which cannot be restricted to a specific resource; hence the error you received.

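Added example, not code from the question or the answer above: a small Python model of how IAM evaluates the policies discussed, which makes the error visible without an AWS account. The evaluator itself, the NO_RESOURCE_LEVEL set, and the corrected and tag-based policies are assumptions written for this illustration (a real IAM evaluation has many more operators and actions); the account and instance IDs are the dummy ones from the question.

```python
import fnmatch

# Constructed sample data (dummy account and instance IDs from the question).
ACCOUNT = "123456789012"
INSTANCE_ARN = f"arn:aws:ec2:ap-northeast-1:{ACCOUNT}:instance/i-12345678"
OTHER_ARN = f"arn:aws:ec2:ap-northeast-1:{ACCOUNT}:instance/i-87654321"

# The policy from the question: ec2:* scoped to a single instance ARN.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1373378552000", "Effect": "Allow",
         "Action": ["ec2:*"], "Resource": [INSTANCE_ARN]},
    ],
}

# Corrected policy (assumption, written for this example): describe calls get
# Resource "*", state-changing calls are pinned to the one instance.
CORRECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DescribeNeedsStar", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus"],
         "Resource": "*"},
        {"Sid": "ActOnOneInstance", "Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
         "Resource": INSTANCE_ARN},
    ],
}

# Tag-based variant of the question's second attempt (assumption), with
# Resource "*" so that the condition, not the ARN, does the scoping.
TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ActOnTaggedInstances", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/Name": "node-B"}}},
    ],
}

# Actions modelled as NOT supporting resource-level permissions (assumption: a
# constructed subset; AWS maintains the authoritative list). For these the
# request is evaluated against resource "*" and carries no resource tags.
NO_RESOURCE_LEVEL = {"ec2:describeinstances", "ec2:describeinstancestatus"}


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def _condition_met(condition, context):
    """StringEquals only (assumption: other operators are not modelled).
    A missing context key makes StringEquals false, as in IAM."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource_arn, resource_tags=None):
    """Simplified IAM decision: explicit Deny wins, any matching Allow allows,
    otherwise implicit deny. Returns "allow", "explicitDeny" or "implicitDeny"."""
    if action.lower() in NO_RESOURCE_LEVEL:
        request_resource, context = "*", {}
    else:
        request_resource = resource_arn
        context = {f"ec2:ResourceTag/{k}": v for k, v in (resource_tags or {}).items()}

    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive; ARNs are compared as written.
        action_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                        for p in _as_list(stmt["Action"]))
        # Only a policy Resource of "*" matches the "*" request resource of a
        # describe call; an instance ARN never does, hence the console error.
        resource_ok = any(fnmatch.fnmatchcase(request_resource, p)
                          for p in _as_list(stmt["Resource"]))
        cond_ok = _condition_met(stmt.get("Condition", {}), context)
        if not (action_ok and resource_ok and cond_ok):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name, "DescribeInstances:", evaluate(policy, "ec2:DescribeInstances", INSTANCE_ARN))
        print(name, "StopInstances (target):", evaluate(policy, "ec2:StopInstances", INSTANCE_ARN))
        print(name, "StopInstances (other):", evaluate(policy, "ec2:StopInstances", OTHER_ARN))
```

In this model the original policy yields implicitDeny for DescribeInstances, because the console's describe call is evaluated against resource "*", which the instance ARN never matches, while StopInstances on the listed instance is allowed. The corrected policy clears the console error, but since describe calls are all-or-nothing the partner will see every instance in the account and can only start, stop or reboot the one listed. The tag-based policy scopes state changes to instances tagged Name=node-B, and DescribeInstances still fails under it because the describe request carries no resource tags for the condition to match.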