By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How to create a policy that shows only an especific security group

0

Hello, i want to create a IAM policy that the user cans only modify outbound/inbound rules of an specific security group, I followed the steps of the documentation, but this policy permit modify all the security groups.

I used the documentation: https://docs.aws.amazon.com/es_es/IAM/latest/UserGuide/reference_policies_examples_ec2_securitygroups-vpc.html

policy:

{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroupRules", "ec2:DescribeTags" ], "Resource": "" }, { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress", "ec2:ModifySecurityGroupRules", "ec2:UpdateSecurityGroupRuleDescriptionsIngress", "ec2:UpdateSecurityGroupRuleDescriptionsEgress" ], "Resource": [ "arn:aws:ec2:region:111122223333:security-group/" ], "Condition": { "StringEquals": { "aws:ResourceTag/Department": "Test" } } },
{ "Effect": "Allow", "Action": [ "ec2:ModifySecurityGroupRules" ], "Resource": [ "arn:aws:ec2:region:111122223333:security-group-rule/*" ] } ] }

Topics
Security, Identity, & ComplianceNetworking & Content Delivery
Tags
IAM PoliciesSecurity Group
Language
English
rePost-User-6114547
asked a year ago238 views
1 Answer
-1

The second Allow is not required IMO

{ "Effect": "Allow", "Action": [ "ec2:ModifySecurityGroupRules" ], "Resource": [ "arn:aws:ec2:region:111122223333:security-group-rule/*" ] } ] }

Just use .. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroupRules", "ec2:DescribeTags" ], "Resource": "" }, { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress", "ec2:ModifySecurityGroupRules", "ec2:UpdateSecurityGroupRuleDescriptionsIngress", "ec2:UpdateSecurityGroupRuleDescriptionsEgress" ], "Resource": [ "arn:aws:ec2:region:111122223333:security-group/" ], "Condition": { "StringEquals": { "aws:ResourceTag/Department": "Test" } } },

AWS
Nirmal Rajan
answered a year ago
  • rePost-User-6114547
    a year ago

    I aplied your sugestion but the problem is still persist { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroupRules", "ec2:DescribeTags" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress", "ec2:ModifySecurityGroupRules", "ec2:UpdateSecurityGroupRuleDescriptionsIngress", "ec2:UpdateSecurityGroupRuleDescriptionsEgress" ], "Resource": [ "arn:aws:ec2:us-east-1:112345678433:security-group/" ], "Condition": { "StringEquals": { "aws:ResourceTag/Department": "Test" } } } ] }

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content