Hi,
The error message indicates that the IAM role you're using (e.g., MyStack-CustomVpcRestrictDefaultSGCustomRe-asdfasdf) does not have the necessary permissions to perform the ec2:AuthorizeSecurityGroupIngress action. To resolve this, you need to ensure that the IAM role associated with your AWS CloudFormation stack has the correct permissions.
You need to check and ensure you have attached an IAM policy to the role MyStack-CustomVpcRestrictDefaultSGCustomRe-asdfasdf that grants permission for ec2:AuthorizeSecurityGroupIngress.
For example, if you do not have a policy yet, create one (the policy language version must be the literal string "2012-10-17"; the original command used a date that IAM rejects):

aws iam create-policy \
  --policy-name AllowAuthorizeSecurityGroupIngress \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "ec2:AuthorizeSecurityGroupIngress",
        "Resource": "arn:aws:ec2:us-east-1:<account number>:security-group/sg-123412341234"
      }
    ]
  }'
Attach the policy to the role MyStack-CustomVpcRestrictDefaultSGCustomRe-asdfasdf:

aws iam attach-role-policy \
  --role-name MyStack-CustomVpcRestrictDefaultSGCustomRe-asdfasdf \
  --policy-arn arn:aws:iam::<account number>:policy/AllowAuthorizeSecurityGroupIngress
Make sure your CDK application is configured to use a role with the necessary permissions to create and modify security groups. For example, assuming you have a role in your stack, it will look like:

import * as iam from 'aws-cdk-lib/aws-iam';

// Import the existing role by ARN. Imported roles are mutable by default,
// so addToPolicy attaches a new inline policy to the role.
const myRole = iam.Role.fromRoleArn(this, 'MyRole',
  'arn:aws:iam::<account number>:role/MyStack-CustomVpcRestrictDefaultSGCustomRe-asdfasdf');

// Grant only the denied action, scoped to the one security group.
myRole.addToPolicy(new iam.PolicyStatement({
  actions: ['ec2:AuthorizeSecurityGroupIngress'],
  resources: ['arn:aws:ec2:us-east-1:<account number>:security-group/sg-123412341234'],
}));
See if this works. The structure of role, trust, and permissions is designed to provide a secure way to manage authorized access to your AWS resources. This nested role or structure defines what actions the role can perform once assumed.
answered 2 years ago
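Added example, not part of the answer above or of any AWS tool: a small Python helper that turns AccessDenied messages of the standard "User: ... is not authorized to perform: ... on resource: ..." form into a least-privilege policy document (with the correct "Version": "2012-10-17"), extracts the role name from the assumed-role principal so you know which role to attach it to, and checks that the generated document actually allows the denied action on the denied resource before you run create-policy. The sample error messages, the 123456789012 account ID and the session name are constructed placeholders.

```python
"""Build and sanity-check a least-privilege IAM policy from AccessDenied messages."""
import fnmatch
import json
import re

# Constructed sample messages (not from the original post); account ID,
# session name and security group ID are placeholders.
SAMPLE_ERRORS = [
    "User: arn:aws:sts::123456789012:assumed-role/"
    "MyStack-CustomVpcRestrictDefaultSGCustomRe-asdfasdf/cfn-session "
    "is not authorized to perform: ec2:AuthorizeSecurityGroupIngress on resource: "
    "arn:aws:ec2:us-east-1:123456789012:security-group/sg-123412341234 "
    "because no identity-based policy allows the ec2:AuthorizeSecurityGroupIngress action",
    "User: arn:aws:sts::123456789012:assumed-role/"
    "MyStack-CustomVpcRestrictDefaultSGCustomRe-asdfasdf/cfn-session "
    "is not authorized to perform: ec2:RevokeSecurityGroupEgress on resource: "
    "arn:aws:ec2:us-east-1:123456789012:security-group/sg-123412341234",
]

ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:(?:iam|sts)::\d{12}:\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+) on resource: (?P<resource>\S+)"
)


def parse_access_denied(message):
    """Extract principal, action and resource from one AccessDenied message."""
    match = ACCESS_DENIED_RE.search(message)
    if not match:
        raise ValueError("not an AccessDenied message: " + message)
    return match.groupdict()


def role_name(principal_arn):
    """Role name from arn:aws:sts::ACCT:assumed-role/<Role>/<Session> or arn:aws:iam::ACCT:role/<Role>."""
    resource = principal_arn.split(":", 5)[5]
    kind, _, rest = resource.partition("/")
    if kind not in ("assumed-role", "role"):
        raise ValueError("principal is not a role: " + principal_arn)
    return rest.split("/")[0]


def build_policy(messages):
    """One Allow statement per denied resource, listing only the denied actions."""
    actions_by_resource = {}
    for message in messages:
        denial = parse_access_denied(message)
        actions_by_resource.setdefault(denial["resource"], set()).add(denial["action"])
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(actions_by_resource.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def policy_problems(policy):
    """Static checks IAM would reject or a reviewer would flag; empty list means clean."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be the literal 2012-10-17, got %r" % (policy.get("Version"),))
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append("statement %d: Effect must be Allow or Deny" % i)
        if not stmt.get("Action"):
            problems.append("statement %d: missing Action" % i)
        if stmt.get("Resource") in (None, "*"):
            problems.append("statement %d: Resource is missing or unscoped (*)" % i)
    return problems


def allows(policy, action, resource):
    """Evaluate identity-based Allow/Deny statements with IAM-style * and ? wildcards.
    Conditions are ignored; an explicit Deny wins over any Allow."""
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        # Action names are case-insensitive in IAM; resource ARNs are not.
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in resources)
        if action_hit and resource_hit:
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_policy(SAMPLE_ERRORS)
    print("attach to role:", role_name(parse_access_denied(SAMPLE_ERRORS[0])["principal"]))
    print(json.dumps(policy, indent=2))
    print("problems:", policy_problems(policy))
```

Feed it the exact messages from the failed CloudFormation or CDK deploy; the generated document is scoped to the one security group ARN in the error rather than to "*", and the `allows` check catches the case where a typo in the ARN or a mismatched region would leave the role still denied after the policy is attached.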