Reputation: 11
Amazon EC2 IAM Policy: Restrict to modifying single security group
I am trying to create an IAM Policy in Amazon AWS which will allow access to view or edit/modify a single security group. I have followed the AWS documentation, but am unsuccessfully able to make this policy work. The policy created is below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt123456789123",
"Effect": "Allow",
"Action": [
"ec2:DescribeSecurityGroups",
"ec2:*"
],
"Resource": [
"arn:aws:ec2:us-east-1:000000000000:security-group/sg-a123a1a1"
]
}
]
}
Yes, I do realize that I have a redundant action, but I noticed you are able to specify Describe Security Group, but no option for Modify; therefore "*" was my only option; Thankfully, the resource should allow me to restrict this action to a single security group.
Upvotes: 1
Views: 4501
Answers (3)
Reputation: 890
Here is what I managed to put together and it works great!
Create the following policy and add it to a User Group or make one:
Update the items that are in {BRACKETS}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:DeleteSecurityGroup"
],
"Resource": "arn:aws:{REGION}:{ACCOUNT_NUMBER}:security-group/{NSG-ID}",
"Condition": {
"ArnEquals": {
"ec2:Vpc": "arn:aws:ec2:{REGION}:{ACCOUNT_NUMBER}:vpc/{VPC-ID}"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ec2:DescribeSecurityGroupReferences",
"ec2:DescribeVpcs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeStaleSecurityGroups"
],
"Resource": "*"
}
]
}
Well, it looks like the code formatter is not working right with this, but you can read the references here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2_securitygroups-vpc.html
Thanks!
Upvotes: 0
Reputation: 328
It is partly possible, please see https://serverfault.com/questions/575487/use-iam-to-allow-user-to-edit-aws-ec2-security-groups, it's actually possible to constrain editing to just one group, but I didn't get listing of just one group to work:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1413232782000",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstances",
"ec2:DescribeNetworkAcls",
"ec2:DescribeSecurityGroups"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1413232782001",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": [
"arn:aws:ec2:us-east-1:<accountid>:security-group/sg-<id>"
]
}
]
}
Upvotes: 3
Reputation: 2294
You can add new rule to security group like
aws ec2 authorize-security-group-ingress --group-name MySecurityGroup --protocol tcp --port 3389 --cidr 203.0.113.0/24
And also change the tags as well.
Upvotes: -3
Related Questions
- IAM policy to allow EC2 instance API access only to modify itself
- IAM Policy to only allowing viewing and editing EC2 instances by group
- AWS Permissions to allow a specific user to Modify a specific Security Group
- AWS IAM policy for security group not working
- AWS: IAM Policy to Add User To specific Group
- Restrict assumption of AWS IAM Role to a specific Group
- AWS IAM Roles: Policy with permissions only over the instance itself and not every resource
- How to set policy for IAM user group?
- IAM- Switch role for AWS access and policies limit
- AWS Policy Restrict Permission Based On Service