Reputation: 1445
I created a small script to interact with AWS, updating Security Groups and EC2 instances. This script is working fine on my machine, but I am having trouble when testing it on the AWS lambda console.
I am using serverless to deploy a lambda function to Amazon Web Services. I also created an IAM role for this new lambda function.
The error I am experiencing is an (InvalidPermission.NotFound) error. The complete error stack is presented below.
Error:
An error occurred (InvalidPermission.NotFound) when calling the RevokeSecurityGroupIngress operation: The specified rule does not exist in this security group.: ClientError
Traceback (most recent call last):
  File "/var/task/ipm.py", line 205, in handler
    main()
  File "/var/task/ipm.py", line 197, in main
    sg_ips_remove(to_remove, state_sg, state_ping)
  File "/var/task/ipm.py", line 140, in sg_ips_remove
    update_security_group("revoke", sg_id, sg_ips, state_ping) # run script to authorize/revoke ip access
  File "/var/task/ipm.py", line 53, in update_security_group
    sg.update_sg_traffic(sg_rules=obj, sg_id=group_id, update_type=update_type)
  File "/var/task/sg.py", line 77, in update_sg_traffic
    ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=sg_rules)
  File "/var/task/botocore/client.py", line 320, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/task/botocore/client.py", line 623, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidPermission.NotFound) when calling the RevokeSecurityGroupIngress operation: The specified rule does not exist in this security group.
This error occurs on the following piece of code. Once again, this code works fine on my machine, but raises the error during the lambda function testing.
import boto3

def update_sg_traffic(sg_id, sg_rules, update_type="authorize"):
    """ Update the inbound traffic associated to a SG. It is possible to add or remove IPs from the SG.
    """
    assert update_type in ["authorize", "revoke"]
    # inside Lambda this client uses the function's execution-role credentials and region
    ec2 = boto3.client('ec2')
    if update_type == "authorize":
        ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=sg_rules)
    else:
        # fails with InvalidPermission.NotFound if any rule in sg_rules is not on the group
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=sg_rules)
I find this error strange, because it is complaining about the rule RevokeSecurityGroupIngress, which I have added to the IAM role specified in the serverless.yaml file, which is presented below.
service: ${self:custom.resourcePrefix}-pingdom-updater

custom:
  resourcePrefix: ${self:provider.stage}use1

provider:
  stage: ${opt:stage, 's'}
  name: aws
  runtime: python3.6
  memorySize: 128
  iamRoleStatements:
    - Effect: Allow
      Action:
        - ec2:AuthorizeSecurityGroupEgress
        - ec2:AuthorizeSecurityGroupIngress
        - ec2:CreateSecurityGroup
        - ec2:DeleteSecurityGroup
        - ec2:DescribeInstanceAttribute
        - ec2:DescribeInstanceStatus
        - ec2:DescribeInstances
        - ec2:DescribeNetworkAcls
        - ec2:DescribeSecurityGroups
        - ec2:RevokeSecurityGroupEgress
        - ec2:RevokeSecurityGroupIngress
      Resource: "*"

functions:
  pingdomUpdater:
    handler: ipm.handler
    events:
      - schedule:
          name: ${self:service}-schedule
          description: ""
          rate: rate(1 day)

plugins:
  - serverless-python-requirements
serverless.yaml
Does anyone know why I am experiencing this error? I appreciate any help I can get. Thank you.
Upvotes: 2
Views: 3791
Reputation: 81356
You are confusing IAM Roles with VPC Security Groups.
The error that you are receiving means that the security group rule does not exist for the specified security group. This has nothing to do with IAM Roles.
If your goal is to add / remove permissions from IAM Roles, then you will need to rewrite your code to deal with IAM Policies.
Upvotes: 3
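As an added example (not code from the question or the answer), the helper below shows how to check, before calling RevokeSecurityGroupIngress, which of the requested inbound rules actually exist on the group, and how to tell an InvalidPermission.NotFound (a rule-level problem, as the answer says) apart from UnauthorizedOperation (the code EC2 returns when the IAM role lacks the action). The group's DescribeSecurityGroups response, the CIDRs and the revoke request are constructed sample data; only `safe_revoke` talks to AWS, and it takes a boto3 EC2 client from the caller.

```python
"""Added example (not from the original question or answer): check that the
inbound rules about to be revoked exist on the security group, and classify the
EC2 error code so an IAM problem is not mistaken for a missing rule.
The IDs, CIDRs and API responses below are constructed sample data."""


def normalize_rule(perm):
    """Flatten one IpPermissions entry into hashable tuples
    (protocol, from_port, to_port, family, cidr), one per CIDR range.
    EC2 omits FromPort/ToPort for the all-traffic protocol "-1", so -1 stands in.
    UserIdGroupPairs and PrefixListIds are not handled in this example."""
    proto = str(perm.get("IpProtocol", "-1"))
    from_port = perm.get("FromPort", -1)
    to_port = perm.get("ToPort", -1)
    rules = set()
    for r in perm.get("IpRanges", []):
        rules.add((proto, from_port, to_port, "ipv4", r["CidrIp"]))
    for r in perm.get("Ipv6Ranges", []):
        rules.add((proto, from_port, to_port, "ipv6", r["CidrIpv6"]))
    return rules


def flatten(perms):
    """Flatten a whole IpPermissions list into one set of rule tuples."""
    rules = set()
    for perm in perms:
        rules |= normalize_rule(perm)
    return rules


def to_ip_permissions(rules):
    """Inverse of normalize_rule: rebuild API-shaped IpPermissions, grouping
    CIDRs that share protocol and port range into one entry."""
    grouped = {}
    for proto, from_port, to_port, family, cidr in sorted(rules):
        entry = grouped.setdefault(
            (proto, from_port, to_port),
            {"IpProtocol": proto, "IpRanges": [], "Ipv6Ranges": []},
        )
        if family == "ipv4":
            entry["IpRanges"].append({"CidrIp": cidr})
        else:
            entry["Ipv6Ranges"].append({"CidrIpv6": cidr})
    perms = []
    for (proto, from_port, to_port), entry in grouped.items():
        if proto != "-1":  # all-traffic rules carry no port range
            entry["FromPort"] = from_port
            entry["ToPort"] = to_port
        perms.append(entry)
    return perms


def plan_revoke(existing_perms, requested_perms):
    """Split a revoke request into (revocable IpPermissions, missing rule tuples).
    A single missing tuple makes EC2 reject the whole RevokeSecurityGroupIngress
    call with InvalidPermission.NotFound."""
    have = flatten(existing_perms)
    want = flatten(requested_perms)
    return to_ip_permissions(want & have), want - have


def classify_error_code(code):
    """Which layer an EC2 ClientError code comes from: UnauthorizedOperation is
    the IAM denial; InvalidPermission.* is about rules on the group, not IAM."""
    if code == "UnauthorizedOperation":
        return "iam"
    if code.startswith("InvalidPermission."):
        return "security-group-rule"
    if code.startswith("InvalidGroup."):
        return "security-group-id"
    return "other"


def safe_revoke(ec2, sg_id, requested_perms):
    """Describe the group first, revoke only rules that are present, and return
    the skipped rule tuples. `ec2` is a boto3 EC2 client supplied by the caller
    (e.g. boto3.client("ec2")); this function is not exercised offline."""
    resp = ec2.describe_security_groups(GroupIds=[sg_id])
    existing = resp["SecurityGroups"][0]["IpPermissions"]
    revocable, skipped = plan_revoke(existing, requested_perms)
    if revocable:
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=revocable)
    return skipped


# Constructed sample: IpPermissions as DescribeSecurityGroups would return them.
EXISTING_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "203.0.113.11/32"}],
     "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
]

# Constructed sample: a revoke request where one CIDR was never on the group.
REQUESTED_REVOKE = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.11/32"}, {"CidrIp": "198.51.100.5/32"}]},
]

if __name__ == "__main__":
    revocable, missing = plan_revoke(EXISTING_PERMISSIONS, REQUESTED_REVOKE)
    print("will revoke:", revocable)
    print("not on the group (would raise InvalidPermission.NotFound):", missing)
    print("error layer:", classify_error_code("InvalidPermission.NotFound"))
```

Running the same DescribeSecurityGroups call from inside the function, with the client the function actually uses, shows what the group contains from the Lambda's point of view; comparing that with the rules the script is trying to revoke is the quickest way to see which requested rule the error refers to.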