Issue
My developer has created an EC2 instance on AWS and I want to be able to access it via my own dashboard.
What I did is:
- As a root user, I created an IAM account for me and him and assigned us both to a group named PowerUsers
- I created an Organizational Unit and added his account to it
When he goes to his EC2 dashboard, he sees his created instances. But when I go to my EC2 dashboard, I see nothing. We both selected the correct region.
I hope someone can help us out here, I can't seem to get any wiser from the AWS documentation.
Solution
tl;dr there is a difference between visual access and technical access. Technical is possible, via IAM roles and permissions, etc. Visual access is not possible, not in the AWS console from a different account.
Generally you do not see resources from other accounts that you have access to. That is simply not how AWS / IAM or basically any complex permission system works.
Same thing for S3 buckets, you cannot see S3 buckets you have access to in your S3 console, not those that are public to everyone and not those that you have explicitly been granted permission to. You only ever see the buckets that you / your account actually own(s).
The reason for that from a technical perspective is really simple: AWS simply does not know which buckets / EC2 instance you can access. It knows your permissions and if you want to access a specific resource AWS can check if the permissions let you access it but not the other way around.
IAM has permission that can grant permissions based on IP, time of day, VPC, etc. That makes it impossible and not really meaningful to display what you can access now because in 10 second or from a different network it might be that you cannot see it at all.
Let me tell you from personal experience and currently building one myself: If you build a permission system it is built to answer "can I do X" but listing all X is a VERY different story, IAM cannot answer it and I have not come across a permission system that can answer it while at the same time having a complex permission structure AND being efficient. Seems like you cannot have efficiency, complexity and reverse lookup / list at the same time.
Note that you still have access to the resource. E.g. when manipulating the browser URL to directly access the resource you can view it even though you are not logged into the owning account but at that point you are asking "can I do X" (X = "view resource") and that can be easily answered. You only cannot list the resources.
Second note: some of the listed resources you see and that your account owns you still cannot access because there might be an explicit IAM Deny
policy for your current role in place that only takes effect when interacting with the resource.
Answered By - luk2302