We have a few users which basically have access to everything using the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Is there a way to restrict access to selected VPCs?

I have tried creating the following policy and attach it to the user (via a group):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1504660000000",
            "Effect": "Deny",
            "Action": [
                "ec2:*"
            ],
            "Resource": [
                "arn:aws:ec2:<REGION>:<ACCOUNT-ID>:vpc/<VPC-ID>"
            ]
        }
    ]
}

I have replaced <REGION> <ACCOUNT-ID> and <VPC-ID>".

The policy simulator denies access (StartInstances, StopInstances, etc.) correctly. Nevertheless a user with this policy attached can still create EC2 instances within the vpc.

1. Why does my policy not deny access to the VPC? As far as I know "Deny" overwrites "Allow".

2. What is the correct way of achieving this? I have read through this and this but don't understand how it would restrict access.

It's a tricky one. You have to refer and include all actions including recources which supports the ec2:Vpc condition and deny the API actions. For other actions, you have to find conditions which are common in API actions and include those actions in separate statement blocks and deny those by other means e.g. using tags or something else.

Also, as the users have AdministratorAccess, you have to make sure that the user's cannot detach this Deny policy and escalate the privilege.

For other service which uses VPC e.g. RDS, it is not possible.

[1] http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html

Here, you don`t want to give the permission to ec2 inside one VPC. So, you should consider vpc as a condition and resource as ec2.

Look at the code below -

{
  "Effect": "Deny",
  "Action": "ec2:*",
  "Resource": "arn:aws:ec2:region:account:subnet/*",
    "Condition": {
     "StringEquals": {
        "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d"
        }
   }
}

Explanation - Here we are denying the permissions to ec2 which are under a specific vpc. Here I have added subnet in ec2, it is optional. You may add if required.