It can't be done. Amazon support replied with this:
Unfortunately there isn't a way to only see certain instances (based on ec2-tag, vpc id etc). The "ec2:Describe*" API actions do not support any conditions or resource-level ARNs. However you can have a policy wherein all the IAM Group will be able to see all the instances, but will only be able to perform actions like start, stop, reboot and terminate instances on instances with a specific tag.
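Below is an added example of the kind of policy the support answer describes; it is not from the original answer or from AWS documentation quoted on this page. It assumes a hypothetical tag key `Team` with value `blue` and the AWS-managed condition key `ec2:ResourceTag/<key>` (a real condition key for EC2 instance resources). The first statement grants the read-only `ec2:Describe*` calls on all resources, because those calls accept no resource ARN or condition; the second statement restricts the state-changing actions to instances carrying the tag.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeEverythingReadOnly",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Sid": "ManageOnlyTaggedInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Team": "blue"
        }
      }
    }
  ]
}
```

Two caveats for anyone deploying this. First, it is an authorization control, not a visibility control: every principal with the group policy still sees every instance (names, IPs, tags) in the account through the Describe calls, so anything sensitive in instance metadata is exposed to the whole group. Second, the tag is the security boundary, so the same principals must not hold `ec2:CreateTags` or `ec2:DeleteTags` on instances, or they could re-tag an instance into scope; if tagging rights are needed, constrain them with `aws:TagKeys` and `aws:RequestTag/<key>` conditions, and consider an SCP or a tag policy to keep the tag key stable across the account.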