18

I am trying to grant an IAM group the ability to edit our EC2 Security Groups, but I have been unable to get this working without granting access to everything in EC2.

I have tried several versions of this:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1392336685000", "Effect": "Allow", "Action": [ "ec2:*" ], "Resource": [ "arn:aws:ec2:us-east-1:<MYACCOUNTHERE>:security-group/*" ] } ] }

But when I login with the IAM user, I get a message in the Security Group page saying "You are not authorized to perform this operation."

I do know that the user/group is working because if I select the IAM Policy Template for "Amazon EC2 Full Access", the user can access everything in EC2.

I obviously do not have a lot of experience with IAM, any help would be greatly appreciated.

Improve this question

6 Answers 6

Reset to default
16

For this to work, you need to explicitly ALLOW the following:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1392679134000", "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstances", "ec2:DescribeNetworkAcls", "ec2:DescribeSecurityGroups", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress" ], "Resource": [ "*" ] } ] }

The above JSON policy basically stipulates that the user ONLY has access to the above. They will NOT have access to anything else. That includes ec2 instances, S3, IAM, cloudfront, etc.

Improve this answer
3
  • 1
    This Worked. Thank You. The user can see all the Instance data but can't start/stop/create, so that is close enough. Do you think there is a way to state exactly which Security Groups they can access, or do I need to leave it open to all Security Groups? Commented Feb 18, 2014 at 15:53
  • @DevMan14 so is there a way to state specific security groups? when i try an sec the resource like below it does not work and with this code, someone is able to use aws ec2 describe-security-groups and get a fair bit of information about every security group Commented May 6, 2015 at 1:32
  • 1
    If you are seeing EC2ResponseError: 403 Forbidden errors, shortly after setting up/ modifying your policy, note that it took a few minutes before my policy went into effect Commented Dec 21, 2016 at 19:30
14

If you want to limit editing to a single security group, I think that you need 2 statements, the following worked for me:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1413232782000", "Effect": "Allow", "Action": [ "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstances", "ec2:DescribeNetworkAcls", "ec2:DescribeSecurityGroups" ], "Resource": [ "*" ] }, { "Sid": "Stmt1413232782001", "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress" ], "Resource": [ "arn:aws:ec2:us-east-1:<accountid>:security-group/sg-<id>" ] } ] }

DescribeInstance may not be needed but in my case I wanted it, so haven't tested without it

Improve this answer
1
  • 1
    I was able to edit SG rules without the DescirbeInstance rules. E.g. the global * options only being set as: "ec2:DescribeNetworkAcls", "ec2:DescribeSecurityGroups" Commented Dec 21, 2016 at 19:23
3

The answer given by Scott Moore and selected as the correct answer at the time of writing does not solve the issue anymore. Not Scott's fault, AWS is frequently changing many things.

We had followed an AWS document and created a custom policy which had been working just fine since the last 1.5 years or so and suddenly today morning our clients started facing issues in editing the Security Groups and so I stumbled upon this thread in order to try possible solutions.

I eventually ended up creating a custom policy from scratch as it seems something critical has been just deprecated from AWS IAM policy side today morning; so the policy that works at the time of writing for me is :-

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroupRules", "ec2:ModifySecurityGroupRules" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:UpdateSecurityGroupRuleDescriptionsEgress", "ec2:UpdateSecurityGroupRuleDescriptionsIngress" ], "Resource": "arn:aws:ec2:*:*:security-group/*" } ] }

This :-

  • Allows to edit/delete existing rules inside the existing Security Groups.
  • Allows to create new rules inside the existing Security Groups.
  • Does not allow to create a new security-group or delete an existing security-group.

The question never focused on allowing to create new security groups or delete existing security groups and so that has not been added in the policy but can be added by the reader if their requirement demands for it.

Improve this answer
0
1

Looks like your security group is perhaps being used by an instance or some other EC2 resource. Can you try:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1392336685000", "Effect": "Allow", "Action": [ "ec2:*" ], "Resource": [ "arn:aws:ec2:us-east-1:<MYACCOUNTHERE>:instance/*", "arn:aws:ec2:us-east-1:<MYACCOUNTHERE>:security-group/*" ] } ] }
Improve this answer
1
  • Thank you for the answer but that did not work. Yes, the security groups are being used by multiple instances - does it matter that they are "EC2 Security Groups" and not "VPC Security Groups" ? - OR maybe I am doing something else wrong because this doesn't allow the user to see the Instances either, which I half expected it to do. Commented Feb 14, 2014 at 14:06
1

I was looking for an answer for a question that @nsij22 asked in the accepted answer's comments. Unfortunately, looks like that is not possible. According to IAM Policy Simulator, only the following actions from @DevMan14's answer can be used with specific resources:

  • DeleteSecurityGroup
  • AuthorizeSecurityGroupEgress
  • AuthorizeSecurityGroupIngress
  • RevokeSecurityGroupEgress
  • RevokeSecurityGroupIngress

For everything else, IAM Policy Simulator says:

This action does not support resource-level permissions. Policies granting access must specify "*" in the resource element.

It looks like this:

screenshot.

All "allowed" and "denied" are same, so I collapsed them.

Improve this answer
0

You should define the below permissions under the policy assigned to the IAM. this will restrict the user access to ONLY change the INBOUND/OTBOUND rules for a SPECIFIC security group. (Make sure to change the text in bold with your own data.)

{ "Version": "2012-10-17", "Statement": [ { "Sid": "A_R00101", "Effect": "Allow", "Action": [ "ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroupRules" ], "Resource": [ "*" ] }, { "Sid": "A_R00102", "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress" ], "Resource": [ "arn:aws:ec2:**<Region_ID>**:**<Security_Group_Owner>**:security-group/**<Security group ID>**" ] } ] }
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.