I want AWS IAM users not to see each other's services


I have the following JSON policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*",
            "Condition": {
                "StringEqualsIfExists": {
                    "ec2:ResourceTag/CreatedBy": "${aws:username}"
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": "ec2:DescribeInstances",
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringNotEqualsIfExists": {
                    "ec2:ResourceTag/CreatedBy": "${aws:username}"
                }
            }
        }
    ]
}

With the above policy, I am still viewing all the instances launched by other IAM users.

I want to allow an IAM user to only view EC2 instances that they've launched while denying the ability to view instances launched by other IAM users.

Is this possible? Can anyone help in altering this policy?

1

There is 1 answer

0
John Rotenstein On

According to Actions, resources, and condition keys for Amazon EC2 - Service Authorization Reference, the DescribeInstances API call only accepts ec2:Region as a condition key.

Therefore, if a user has permission to call DescribeInstances then they will see all EC2 instances. It is not possible to limit the response based on a tag or a property of the instance.

You would need to build your own method for returning a 'limited' set of responses. For example, they could call an AWS Lambda function that returns the list based on your own coded logic.
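One way to build the filtered-response layer the answer describes, as an added example that is not the answer author's code. It assumes a Lambda behind an API Gateway endpoint with IAM authorization (so the caller's principal ARN arrives in `event["requestContext"]["identity"]["userArn"]`), a `CreatedBy` tag applied by a trusted process, and that only the function's execution role holds `ec2:DescribeInstances`; the sample reservations are constructed for the offline test.

```python
"""Return only the EC2 instances tagged as created by the calling IAM user."""

# Constructed sample in the shape DescribeInstances returns (not real instance ids).
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa", "Tags": [{"Key": "CreatedBy", "Value": "alice"}]},
        {"InstanceId": "i-0bbb", "Tags": [{"Key": "CreatedBy", "Value": "bob"}]},
        {"InstanceId": "i-0ccc"},  # untagged: shown to nobody (fail closed)
    ]},
]


def tag_value(instance, key):
    """Return the value of tag `key` on an instance, or None if absent."""
    for tag in instance.get("Tags", []):
        if tag["Key"] == key:
            return tag["Value"]
    return None


def own_instances(reservations, username, tag_key="CreatedBy"):
    """Keep only instances whose tag_key equals username; untagged ones are dropped."""
    return [inst
            for res in reservations
            for inst in res.get("Instances", [])
            if tag_value(inst, tag_key) == username]


def username_from_arn(user_arn):
    """'arn:aws:iam::123456789012:user/alice' -> 'alice' (assumed IAM-user caller)."""
    return user_arn.rsplit("/", 1)[-1]


def lambda_handler(event, context):
    # Take the identity from the request context that API Gateway fills in after
    # SigV4 verification, never from a username the caller supplies in the body.
    username = username_from_arn(event["requestContext"]["identity"]["userArn"])
    import boto3  # hypothetical runtime dependency; only needed inside Lambda
    ec2 = boto3.client("ec2")
    # Ask EC2 to pre-filter on the tag, then re-check locally so an untagged or
    # mismatched instance can never slip into the response.
    resp = ec2.describe_instances(
        Filters=[{"Name": "tag:CreatedBy", "Values": [username]}])
    mine = own_instances(resp["Reservations"], username)
    return {"instances": [inst["InstanceId"] for inst in mine]}
```

The calling user keeps no direct `ec2:DescribeInstances` permission; the only route to instance data is this function, which applies the per-user filter the policy condition could not.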