Amazon Web Services - How do I use IAM to restrict a single user to managing a single EC2 instance?

I would like to:

  1. Create an IAM user
  2. Restrict that user to be able to have full management over a single EC2 Instance only.

Example: While the AWS EC2 account has 10 instances, the new user, UserA, can start or stop InstanceA but can do nothing else on the account (No launching of instances, no messing with volumes, etc).

Is there a simple method for giving a single user full access to a single resource like this, but no access to anything else?


Actually, EC2 Instances do have a ARN. Every resource within EC2 has a ARN. An example of an instance ARN is as follows:

arn:aws:ec2:region:account:instance/instance-id

You can give a specific user access to a specific instance ID. You can include Actions the user is allowed to run.

See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#ec2-supported-iam-actions-resources for resources and actions, as well as conditions.


EC2 instances do not have a "Amazon Resource Name" (ARN) so you are not able to write a IAM policy to allow a user access to a single instance.

If I can suggest another approach. The easiest way to handle this type of request is probably by giving the user SSH access to the instance and allowing them to sudo the commands you want them to be able to do such as reboot.

EDITED: Forgot to mention there is a nice AWS Policy Generator tool online which is very helpful. http://awspolicygen.s3.amazonaws.com/policygen.html

EDIT: This is now possible. http://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/Resource-level-Permissions-for-EC2-Controlling-Management-Access-on-Specific-Ins