I am trying to restrict users to a single VPC. I went through Controlling Access to Amazon VPC Resources and came up with the following policy but it does not work. Can someone point out the errors in it?

I should mention that IAM Policy Simulator seems to think the policy is fine after I set the VPC ARN under condition keys in simulation settings.

(I have replaced the region, account and vpc-id with actual values in my policy.)

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": [
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-id"
Steffen Opel
Satie Sharma

3 Answers


You most likely need to recompose your IAM Policy along the lines of Example 5. Launching instances into a specific VPC within Controlling Access to Amazon VPC Resources:

   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:region:account:subnet/*",
        "Condition": {
         "StringEquals": {
            "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d"

That is, the available resources (and their granularity) are specific to each API action, so for the example at hand RunInstances applies to EC2 resources in a specific subnet, and that in turn is part of a VPC; accordingly you need to target the subnets but can further constrain the set of possible subnets by means of their ec2:Vpc attribute via IAM Policy Conditions as outlined above.

Steffen Opel
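Why the question's single-statement policy behaves the way this answer describes, as an added example that is not from the post, the answers or AWS: a deliberately simplified Python model of IAM Allow evaluation (the ARNs, the policy shape and the assumed "ec2:*" action list are constructed), showing that a StringEquals condition on ec2:Vpc is false whenever the called API puts no ec2:Vpc key in the request context, so Resource "*" plus that condition grants nothing for Describe-style calls.

```python
# Added example (not from the question or answers): a deliberately simplified
# model of IAM Allow evaluation, showing why a StringEquals on ec2:Vpc over
# Resource "*" grants nothing for calls whose request context has no ec2:Vpc key.
# Assumed: dict policies as posted; only Allow, StringEquals/ArnEquals, "*"/"?".
from fnmatch import fnmatchcase

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(condition, ctx):
    # Every operator block and every key in it must hold. A key absent from the
    # request context makes StringEquals/ArnEquals false (documented IAM rule;
    # only the ...IfExists and Null operators behave differently).
    for operator, keys in condition.items():
        if operator not in ("StringEquals", "ArnEquals"):
            raise ValueError(f"operator {operator} not modelled")
        for key, expected in keys.items():
            actual = ctx.get(key.lower())  # condition key names are case-insensitive
            if actual is None or actual not in _as_list(expected):
                return False
    return True

def is_allowed(policy, action, resource, context):
    # True if some Allow statement matches action, resource and request context.
    ctx = {k.lower(): v for k, v in context.items()}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False  # no matching Allow: implicit deny

VPC = "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-1a2b3c4d"        # constructed
OTHER_VPC = "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-99999999"  # constructed
SUBNET = "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0abc"   # constructed
# The question's policy shape; its Action list was elided, so "ec2:*" is assumed.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*",
     "Condition": {"StringEquals": {"ec2:Vpc": VPC}}}]}

def demo():
    # Right VPC -> allowed; other VPC -> denied; DescribeInstances has no ec2:Vpc key -> denied.
    run = is_allowed(QUESTION_POLICY, "ec2:RunInstances", SUBNET, {"ec2:Vpc": VPC})
    wrong_vpc = is_allowed(QUESTION_POLICY, "ec2:RunInstances", SUBNET, {"ec2:Vpc": OTHER_VPC})
    describe = is_allowed(QUESTION_POLICY, "ec2:DescribeInstances", "*", {})
    return run, wrong_vpc, describe
```

The third result is the case the simulator hides when you type the VPC ARN into its condition-key settings: that input supplies a key the real Describe call never sends.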

There are certain permissions that can't be applied to a specific resource. These permissions will show an error when you check the policy in IAM.

In order to restrict a user to a specific VPC and allow all EC2 actions, the following policy can help you in achieving that:

"Version": "2012-10-17",
"Statement": [
        "Sid": "NonResourceBasedReadOnlyPermissions",
        "Action": [
        "Effect": "Allow",
        "Resource": "*"
        "Sid": "IAMPassroleToInstance",
        "Action": [
        "Effect": "Allow",
        "Resource": "arn:aws:iam::123456789012:role/VPCLockDown"
        "Sid": "AllowInstanceActions",
        "Effect": "Allow",
        "Action": [
        "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
        "Condition": {
            "StringEquals": {
                "ec2:InstanceProfile": "arn:aws:iam::123456789012:instance-profile/VPCLockDown"
        "Sid": "EC2RunInstances",
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
        "Condition": {
            "StringEquals": {
                "ec2:InstanceProfile": "arn:aws:iam::123456789012:instance-profile/VPCLockDown"
        "Sid": "EC2RunInstancesSubnet",
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:us-east-1:123456789012:subnet/*",
        "Condition": {
            "StringEquals": {
                "ec2:vpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-7bcd371e"
        "Sid": "RemainingRunInstancePermissions",
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": [
        "Sid": "EC2VpcNonresourceSpecificActions",
        "Effect": "Allow",
        "Action": [
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "ec2:vpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-7bcd371e"

In order to understand in detail what each statement is doing, I would recommend reading this blog from AWS. This policy allows the user to:

  • Sign in to the AWS Management Console and go to the Amazon EC2 console.
  • Launch an EC2 instance as long as they:
      • Specify a subnet in the proper VPC.
      • Specify the allowed instance profiles.
  • Start/stop/reboot/terminate/attach volume/detach volume on an instance as long as they:
      • Specify an instance launched with the proper instance profiles.
  • Delete security groups, routes, route tables, network ACLs, and ACL entries as well as authorize and revoke security group ingress and egress rules, as long as they are in the proper VPC.

You cannot actually do that based on a VPC. AWS does not support EC2 Describe* API actions with resource-level permissions. Instead, you can apply something similar based on a single VPC on a security group, as shown below:

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": [
            "Resource": "*"
            "Effect": "Allow",
            "Action": [
            "Resource": "*"
            "Effect": "Allow",
            "Action": [
            "Resource": "arn:aws:ec2:REGION:ACCOUNTNUMBER:security-group/*",
            "Condition": {
                "ArnEquals": {
                    "ec2:Vpc": "arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPCID"

You can change the EC2 actions depending on your needs.
