Restrict the visibility of EC2 instances using IAM accounts
Solution 1:
If your users' resources don't need to inter-operate, then a different option is to use multiple separate AWS accounts, then set up consolidated billing so that bills for all accounts are put together on one bill.
Each of your users would have their own AWS account. They would see only the resources in their own account.
Solution 2:
Unfortunately, AWS Identity and Access Management (IAM) doesn't fully cover this particular aspect as of today, because the recently introduced Resource-Level Permissions for EC2 and RDS Resources are not yet available for all API actions; see this note from Amazon Resource Names for Amazon EC2:
Important: Currently, not all API actions support individual ARNs; we'll add support for additional API actions and ARNs for additional Amazon EC2 resources later. For information about which ARNs you can use with which Amazon EC2 API actions, as well as supported condition keys for each ARN, see Supported Resources and Conditions for Amazon EC2 API Actions.
You will find that all ec2:Describe* actions are indeed absent still from Supported Resources and Conditions for Amazon EC2 API Actions at the time of this writing.
See also Granting IAM Users Required Permissions for Amazon EC2 Resources for a concise summary of the above and details on the ARNs and Amazon EC2 condition keys that you can use in an IAM policy statement to grant users permission to create or modify particular Amazon EC2 resources - this page also mentions that AWS will add support for additional actions, ARNs, and condition keys in 2014.
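An added example (not part of the original answers or of AWS documentation): a small Python check that flags Allow statements covering ec2:Describe*, reporting whether ARN or tag scoping keeps the statement from granting the Describe call at all, or whether it grants visibility of every instance in the account. The policy, account ID, tag value and finding names are constructed for illustration, and the check assumes, as described above, that Describe actions do not support resource-level permissions.

```python
import fnmatch
import json

# Constructed sample policy; account id, region and tag value are placeholders.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "ScopedDescribe", "Effect": "Allow", "Action": "ec2:Describe*",
   "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
   "Condition": {"StringEquals": {"ec2:ResourceTag/Owner": "alice"}}},
  {"Sid": "ScopedStartStop", "Effect": "Allow",
   "Action": ["ec2:StartInstances", "ec2:StopInstances"],
   "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
   "Condition": {"StringEquals": {"ec2:ResourceTag/Owner": "alice"}}},
  {"Sid": "DescribeAll", "Effect": "Allow",
   "Action": "ec2:Describe*", "Resource": "*"}
]}
""")

# Representative Describe actions used as probes against Action patterns.
DESCRIBE_PROBES = ("ec2:DescribeInstances", "ec2:DescribeVolumes")

def as_list(value):
    return value if isinstance(value, list) else [value]

def covers_describe(statement):
    """True if any Action pattern in the statement matches a Describe probe."""
    return any(fnmatch.fnmatchcase(probe.lower(), pattern.lower())
               for pattern in as_list(statement.get("Action", []))
               for probe in DESCRIBE_PROBES)

def uses_resource_tag(statement):
    """True if the Condition block tests an ec2:ResourceTag/<key> key."""
    return any(key.lower().startswith("ec2:resourcetag/")
               for operator in statement.get("Condition", {}).values()
               for key in operator)

def lint(policy):
    """Return (Sid, finding) pairs for Allow statements covering ec2:Describe*."""
    findings = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow" or not covers_describe(st):
            continue
        # Describe calls are authorized against Resource "*" with no tag context,
        # so a scoped statement never matches them.
        scoped = as_list(st.get("Resource", [])) != ["*"] or uses_resource_tag(st)
        findings.append((st.get("Sid", "?"),
                         "describe-not-granted" if scoped else "describe-sees-all"))
    return findings
```

The tag-scoped Start/Stop statement is not reported: only statements that reach Describe actions are, which is where instance visibility is decided.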