- 新しい順
- 投票が多い順
- コメントが多い順
Looks like you're missing
ec2:ModifyNetworkInterfaceAttribute
Here's the API documentation where you can see that it says "You can use this action to attach and detach security groups from an existing EC2 instance."
Hope this helps!
Thank you for reaching out on this. Yes, as echoed by Joe, you can use ec2:ModifyNetworkInterfaceAttribute to add existing Security groups to a Network Interface associated with an EC2 Instance However, this does not directly add Security groups to an EC2 Instance.
To add to an EC2 Instance directly, you would need to use ec2:ModifyInstanceAttribute. See API documentation
To allow users to change the security group that's associated with an instance, add the ec2:ModifyInstanceAttribute action to your policy.
To allow users to change security groups for a network interface, add the ec2:ModifyNetworkInterfaceAttribute action to your policy. Refer to documentation for more details [Amazon VPC policy examples](Manage security groups - https://docs.aws.amazon.com/vpc/latest/userguide/vpc-policy-examples.html#vpc-security-groups-iam)
Other important IAM permissions includes ec2:DescribeNetworkInterfaces, ec2:DescribeSecurityGroups, DescribeInstances
Sample IAM permissions (Please edit as per best practices considering least privilege)
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeNetworkInterfaces",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeSecurityGroups",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DescribeInstances",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress"
],
"Resource": "*"
}]
}
