IAM Policy for EC2 Read-Only (Describe) Access

Create an IAM policy allowing read-only access to EC2 resources. Includes Describe actions for instances, security groups, VPCs, and volumes.


Detailed Explanation

EC2 Describe-Only Policy

For monitoring tools, dashboards, cost analysis scripts, and audit applications, you often need read-only visibility into EC2 resources without the ability to launch, modify, or terminate instances.

Policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEC2DescribeAll",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeVolumes",
        "ec2:DescribeImages",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeAddresses"
      ],
      "Resource": "*"
    }
  ]
}

Why Resource Is "*"

EC2 Describe actions are list-type operations that cannot be restricted to specific resources in the Resource element. AWS evaluates Describe calls against all resources in the account. To filter what a user can see, use tag-based conditions:

"Condition": {
  "StringEquals": {
    "ec2:ResourceTag/Environment": "production"
  }
}

Common Additions

  • ec2:DescribeRegions and ec2:DescribeAvailabilityZones for multi-region tools.
  • elasticloadbalancing:DescribeLoadBalancers if you also need ELB visibility.
  • autoscaling:DescribeAutoScalingGroups for auto-scaling group information.

Note that each additional service requires its own Action prefix — EC2 Describe permissions do not extend to ELB or Auto Scaling.
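As an added check (example code written for this page, not an AWS tool or the generator's own), the following Python linter confirms that a policy like the one above stays Describe-only: it flags write actions, wildcard actions that grow beyond the explicit list, and ec2 Describe statements whose Resource is not "*". The two sample policies are constructed for the example.

```python
import json
import re

# Verbs that only read state; anything else in an Allow statement is a finding.
READ_ONLY_VERBS = ("Describe", "Get", "List")
ACTION_RE = re.compile(r"^([a-z0-9-]+):([A-Za-z0-9*]+)$")


def _as_list(value):
    # IAM accepts a single string or a list for Statement/Action/Resource.
    return value if isinstance(value, list) else [value]


def lint_read_only_policy(policy_json: str) -> list:
    """Return findings; an empty list means Describe-only access as the page intends."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        sid = stmt.get("Sid", f"statement[{i}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows everything not listed; use Action")
            continue
        has_ec2_describe = False
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append(f"{sid}: '*' allows every action in every service")
                continue
            match = ACTION_RE.match(action)
            if not match:
                findings.append(f"{sid}: {action!r} is not a service:Action name")
                continue
            service, verb = match.groups()
            if "*" in verb:  # ec2:* or ec2:Describe* grows as AWS adds actions
                findings.append(f"{sid}: wildcard {action!r} goes beyond an explicit Describe list")
            elif not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"{sid}: {action!r} is not a read-only action")
            has_ec2_describe |= service == "ec2" and verb.startswith("Describe")
        if has_ec2_describe and _as_list(stmt.get("Resource", [])) != ["*"]:
            findings.append(f'{sid}: ec2 Describe actions are not resource-scoped; Resource must be "*"')
    return findings


# Constructed samples: the page's policy (trimmed) and a drifted copy with write access.
PAGE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowEC2DescribeAll", "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs"]}]})
DRIFTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Drifted", "Effect": "Allow", "Resource": "arn:aws:ec2:*:*:instance/*",
    "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances", "ec2:Describe*"]}]})
```

Run `lint_read_only_policy(PAGE_POLICY)` to get an empty list, and the drifted policy to see all three findings; the same check fits in a CI step that guards generated policies before they are attached.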

Use Case

Infrastructure monitoring dashboards, cloud inventory tools, security audit scripts, and cost management applications that need to enumerate EC2 resources across an AWS account.
