Blocking EC2: Describe* Actions via an SCP

To block ec2:Describe* actions for a specific IAM role, you can create a Service Control Policy (SCP) and attach it to an AWS account, an Organizational Unit (OU), or the root of your AWS Organization. SCPs only restrict permissions, so this is a way to cap what the role can do with ec2:Describe* actions regardless of what its IAM policies allow. It is especially helpful when you do not want a role to be able to list or inspect EC2 instances.

Example SCP for Blocking ec2:Describe*

The following SCP uses the Deny effect to override any permissions that might otherwise allow ec2:Describe* actions (ec2:DescribeRegions, ec2:DescribeInstances, and so on). It uses a Condition to ensure the restriction only applies to a specified IAM role.

JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2DescribeActionsForSpecificRole",
      "Effect": "Deny",
      "Action": "ec2:Describe*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/Your-Role-Name"
        }
      }
    }
  ]
}

  • Effect: "Deny": This is the most crucial part. An explicit Deny always takes precedence over any Allow, whether that Allow comes from an IAM policy or from another SCP.
  • Action: "ec2:Describe*": This targets every EC2 API call whose name starts with Describe (ec2:DescribeRegions, ec2:DescribeInstances, and so on). Narrow the pattern to a single action name if you only want to restrict one call.
  • Condition: This section is used to scope the policy.
    • aws:PrincipalARN: This condition key matches the Amazon Resource Name (ARN) of the principal (in this case, an IAM role) performing the action.
    • "arn:aws:iam::*:role/Your-Role-Name": This value, with the StringLike operator, ensures the policy applies to the exact role you specify across all accounts in your organization. Be sure to replace Your-Role-Name with the actual name of your IAM role. The wildcard * for the account ID allows the policy to be reusable across multiple accounts within your organization.
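
To see how the wildcard Action and the StringLike condition on aws:PrincipalARN evaluate together, here is an added example (not part of the original post) that builds the SCP for a given role name and checks whether a sample request would be denied. It implements only the deny logic of this one policy, not the full IAM evaluation; `ROLE_NAME`, `build_scp`, `string_like` and `scp_denies` are names chosen for this example.

```python
import json
import re

# Placeholder from the post; substitute your real role name.
ROLE_NAME = "Your-Role-Name"

def build_scp(role_name: str) -> dict:
    """Return the post's deny-only SCP with the role name filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyEC2DescribeActionsForSpecificRole",
            "Effect": "Deny",
            "Action": "ec2:Describe*",
            "Resource": "*",
            "Condition": {"StringLike": {
                "aws:PrincipalARN": f"arn:aws:iam::*:role/{role_name}"}},
        }],
    }

def string_like(pattern: str, value: str) -> bool:
    """StringLike semantics: '*' matches any run, '?' exactly one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def scp_denies(scp: dict, action: str, principal_arn: str) -> bool:
    """True if a Deny statement matches this action and principal ARN.

    principal_arn is what aws:PrincipalARN resolves to; for an assumed role
    that is the role ARN (arn:aws:iam::ACCOUNT:role/NAME), not the STS
    assumed-role session ARN.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        # Action names are matched case-insensitively; ARN values are not.
        if not any(string_like(a.lower(), action.lower()) for a in actions):
            continue
        patterns = (stmt.get("Condition", {}).get("StringLike", {})
                    .get("aws:PrincipalARN", "*"))
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if any(string_like(p, principal_arn) for p in patterns):
            return True
    return False

if __name__ == "__main__":
    # Print the JSON ready to paste into the Organizations console.
    print(json.dumps(build_scp(ROLE_NAME), indent=2))
```

Note that SCPs never apply to the management account of the organization, so a role in that account is not restricted by this policy no matter where it is attached.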

How to Apply the SCP

  1. Navigate to AWS Organizations: Log in to your AWS management account and go to the AWS Organizations console.
  2. Create the SCP: In the Policies section, select Service control policies and click Create policy. Copy and paste the JSON policy above, remembering to replace Your-Role-Name.
  3. Attach the SCP: Choose the appropriate target for your policy. You can attach it to:
    • The root: This applies the policy to all accounts in your organization.
    • An Organizational Unit (OU): This applies the policy to all accounts within that specific OU.
    • A specific account: This applies the policy to only one account.

Once attached, the specified IAM role will be unable to run any ec2:Describe* API call (including ec2:DescribeRegions) in the accounts the policy covers, helping to enforce tighter security controls. 🔐
