Limiting AWS access rights for DescribeInstances to specific instances instead of * #119
We have different EC2 instances for multiple projects in the AWS account, and allowing Basti to have access to * with ec2:DescribeInstances doesn't seem to be right from a security perspective - but maybe I am wrong? Is there any guide to allow it selectively, only for the instances which Basti really uses? As described here, if I limit the resource, instead of the asterisk, to only the exact t3.micro instance running Basti in AWS, then it ends up with "Error checking target state. Access denied by IAM".
Replies: 1 comment
Hi @Wlkus, thank you for your question! When developing Basti, I always try to make IAM statements as restrictive as possible. Unfortunately, in the case of ec2:DescribeInstances, resource-level restrictions are not supported by AWS (docs).
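An added example, not part of the original discussion and not Basti's own code: a small policy rewriter that keeps every other action scoped to its instance ARN and moves only the actions without resource-level support into a separate statement with Resource "*". The sample policy, account ID, region, instance ID and the pairing with ssm:StartSession are constructed for illustration and are not Basti's actual policy.

```python
import copy
import json

# Actions that only match Resource "*". Only ec2:DescribeInstances comes from
# the discussion above; extend the set from the AWS service authorization
# reference. Matching is exact (wildcards such as ec2:Describe* are not expanded).
NO_RESOURCE_LEVEL = {"ec2:describeinstances"}

def _as_list(value):
    # IAM allows a single string/object where a list is expected.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def rewrite_policy(policy):
    """Return (new_policy, moved). Allow statements that scope a
    no-resource-level action to specific ARNs are split in two."""
    out, moved = [], []
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        unscoped = [a for a in actions if a.lower() in NO_RESOURCE_LEVEL]
        if stmt.get("Effect") != "Allow" or not unscoped or "*" in resources:
            out.append(copy.deepcopy(stmt))  # nothing to fix here
            continue
        moved.extend(unscoped)
        rest = [a for a in actions if a.lower() not in NO_RESOURCE_LEVEL]
        if rest:  # remaining actions stay limited to the original ARNs
            kept = copy.deepcopy(stmt)
            kept["Action"] = rest
            out.append(kept)
        # Same Effect/Condition, but no Sid (Sids must stay unique).
        wide = {k: copy.deepcopy(v) for k, v in stmt.items() if k != "Sid"}
        wide["Action"], wide["Resource"] = unscoped, "*"
        out.append(wide)
    return {**policy, "Statement": out}, moved

# Constructed sample: the scoping attempt that ends in "Access denied by IAM".
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ScopedToOneInstance",
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances", "ssm:StartSession"],
        "Resource": "arn:aws:ec2:eu-west-1:111122223333:instance/i-0123456789abcdef0",
    }],
}

if __name__ == "__main__":
    fixed, moved = rewrite_policy(SAMPLE_POLICY)
    print("moved to Resource '*':", moved)
    print(json.dumps(fixed, indent=2))
```

ec2:DescribeInstances is read-only, so the wildcard exposes instance metadata across the account but grants no ability to change or connect to those instances.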