Can't see instance when applying a custom policy in IAM in AWS

 ̄綄美尐妖づ submitted on 2020-01-06 01:36:13

Question


I have created a policy for restricting access of a user to a single instance as:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1392113879000",
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:account:instance/instance_id"
      ]
    }
  ]
}

But I am getting this error:

You are not authorized to describe Running Instances
You are not authorized to describe Elastic IPs 
You are not authorized to describe Volumes 
You are not authorized to describe Snapshots 
You are not authorized to describe Key Pairs 
You are not authorized to describe Load Balancers 
You are not authorized to describe Placement Groups 
You are not authorized to describe Security Groups

I can't see the instance in the console. If I can't implement this thing then what is the use of policies!!

I'm stuck, please help.


Answer 1:


From iam-policies-for-amazon-ec2:

Currently, not all API actions support individual ARNs; we'll add support for additional API actions and ARNs for additional Amazon EC2 resources later. For information about which ARNs you can use with which Amazon EC2 API actions, as well as supported condition keys for each ARN, see Supported Resources and Conditions for Amazon EC2 API Actions.

So, writing ec2:* is not going to help you. Instead, you should provide the exact API actions that you wish to grant to this user.

Also, quoting from the same link referred above:

To specify all resources, or if a specific API action does not support ARNs, use the * wildcard in the Resource element as follows:

Assigning restrictive EC2 IAM policies is a bit complicated. You may want to read the link referred to above in detail, as well as this link.
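
An added example, not part of the original answer: one way to split the policy so that the console's describe calls, which do not accept instance ARNs, use the `*` resource while state-changing actions stay scoped to the single instance. The ARN reuses the question's `account` and `instance_id` placeholders; the `Sid` values and the choice of start/stop/reboot actions are assumptions for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeForConsole",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Sid": "ManageSingleInstance",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:account:instance/instance_id"
    }
  ]
}
```

With this split the user can list every EC2 resource in the account but can only change the state of the one instance, so treat the describe statement as read access to the whole inventory. The "Load Balancers" message in the question comes from the separate `elasticloadbalancing` service and is not covered by `ec2:Describe*`.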




Answer 2:


Check your region. Your policy uses US-East-1, but where are your instances? US-West-2?



Source: https://stackoverflow.com/questions/21720853/cant-see-instance-when-apply-a-custom-policy-in-iam-in-aws
