By using AWS re:Post, you agree to the Terms of Use
/IAM role needed to assign a security group to a running EC2 instance/

IAM role needed to assign a security group to a running EC2 instance

0

What is the proper IAM role required to assign an existing security group to a running EC2 instance? My current permissions are:

AuthorizeSecurityGroupEgress
AuthorizeSecurityGroupIngress
RevokeSecurityGroupEgress
RevokeSecurityGroupIngress
UpdateSecurityGroupRuleDescriptionsEgress
UpdateSecurityGroupRuleDescriptionsIngress
2 Answers
3

Looks like you're missing ec2:ModifyNetworkInterfaceAttribute

Here's the API documentation where you can see that it says "You can use this action to attach and detach security groups from an existing EC2 instance."

Hope this helps!

answered a month ago
EXPERT
reviewed a month ago
1

Thank you for reaching out on this. Yes, as echoed by Joe, you can use ec2:ModifyNetworkInterfaceAttribute to add existing Security groups to a Network Interface associated with an EC2 Instance However, this does not directly add Security groups to an EC2 Instance.

To add to an EC2 Instance directly, you would need to use ec2:ModifyInstanceAttribute. See API documentation

To allow users to change the security group that's associated with an instance, add the ec2:ModifyInstanceAttribute action to your policy.

To allow users to change security groups for a network interface, add the ec2:ModifyNetworkInterfaceAttribute action to your policy.

Refer to documentation for more details [Amazon VPC policy examples](Manage security groups - https://docs.aws.amazon.com/vpc/latest/userguide/vpc-policy-examples.html#vpc-security-groups-iam)

Other important IAM permissions includes ec2:DescribeNetworkInterfaces, ec2:DescribeSecurityGroups, DescribeInstances

Sample IAM permissions (Please edit as per best practices considering least privilege)

{
	"Version": "2012-10-17",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"ec2:DescribeNetworkInterfaceAttribute",
			"ec2:DescribeNetworkInterfaces",
			"ec2:ModifyInstanceAttribute",
			"ec2:DescribeSecurityGroups",
			"ec2:ModifyNetworkInterfaceAttribute",
			"ec2:DescribeInstances",
			"ec2:AuthorizeSecurityGroupEgress",
			"ec2:AuthorizeSecurityGroupIngress",
			"ec2:RevokeSecurityGroupEgress",
			"ec2:RevokeSecurityGroupIngress",
			"ec2:UpdateSecurityGroupRuleDescriptionsEgress",
			"ec2:UpdateSecurityGroupRuleDescriptionsIngress"

		],
		"Resource": "*"
	}]
}
answered a month ago
EXPERT
reviewed a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions