IAM role needed to assign a security group to a running EC2 instance

0

What is the proper IAM role required to assign an existing security group to a running EC2 instance? My current permissions are:

AuthorizeSecurityGroupEgress
AuthorizeSecurityGroupIngress
RevokeSecurityGroupEgress
RevokeSecurityGroupIngress
UpdateSecurityGroupRuleDescriptionsEgress
UpdateSecurityGroupRuleDescriptionsIngress
2 answers
3

Looks like you're missing ec2:ModifyNetworkInterfaceAttribute

Here's the API documentation where you can see that it says "You can use this action to attach and detach security groups from an existing EC2 instance."

Hope this helps!

AWS
AWSJoe
answered 2 years ago
AWS Expert
reviewed 2 years ago
1

Thank you for reaching out on this. Yes, as echoed by Joe, you can use ec2:ModifyNetworkInterfaceAttribute to add existing Security groups to a Network Interface associated with an EC2 Instance. However, this does not directly add Security groups to an EC2 Instance.

To add to an EC2 Instance directly, you would need to use ec2:ModifyInstanceAttribute. See API documentation

To allow users to change the security group that's associated with an instance, add the ec2:ModifyInstanceAttribute action to your policy.

To allow users to change security groups for a network interface, add the ec2:ModifyNetworkInterfaceAttribute action to your policy. Refer to the documentation for more details: [Amazon VPC policy examples: Manage security groups](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-policy-examples.html#vpc-security-groups-iam)

Other important IAM permissions include ec2:DescribeNetworkInterfaces, ec2:DescribeSecurityGroups, ec2:DescribeInstances

Sample IAM permissions (Please edit as per best practices considering least privilege)

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeNetworkInterfaceAttribute",
      "ec2:DescribeNetworkInterfaces",
      "ec2:ModifyInstanceAttribute",
      "ec2:DescribeSecurityGroups",
      "ec2:ModifyNetworkInterfaceAttribute",
      "ec2:DescribeInstances",
      "ec2:AuthorizeSecurityGroupEgress",
      "ec2:AuthorizeSecurityGroupIngress",
      "ec2:RevokeSecurityGroupEgress",
      "ec2:RevokeSecurityGroupIngress",
      "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
      "ec2:UpdateSecurityGroupRuleDescriptionsIngress"
    ],
    "Resource": "*"
  }]
}
```
answered 2 years ago
AWS Expert
reviewed 2 years ago
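As an added example (not part of either answer and not AWS code), a small Python checker that applies simplified IAM allow/deny matching to a policy document and reports which of the actions the answers name are missing for each attachment path (instance vs. network interface). The policy it checks is constructed from the asker's permission list; Resource and Condition elements are deliberately ignored, so this is a quick pre-check, not a substitute for the IAM policy simulator.

```python
"""Report which EC2 actions a policy document lacks for attaching a
security group to an instance or to its network interface."""
import fnmatch
import json

# Actions each path needs, taken from the answers above. The Describe*
# calls are what the console/CLI use to resolve instance, ENI and SG IDs.
REQUIRED = {
    "instance": ["ec2:ModifyInstanceAttribute", "ec2:DescribeInstances",
                 "ec2:DescribeSecurityGroups"],
    "network-interface": ["ec2:ModifyNetworkInterfaceAttribute",
                          "ec2:DescribeNetworkInterfaces",
                          "ec2:DescribeSecurityGroups"],
}

def _as_list(value):
    """IAM allows a single string or a list for Statement/Action."""
    return value if isinstance(value, list) else [value]

def action_allowed(policy, action):
    """Simplified IAM evaluation: an explicit Deny always wins; otherwise
    any matching Allow grants the action. Action patterns use IAM-style
    '*' wildcards and are matched case-insensitively, as IAM does."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        for pattern in _as_list(stmt.get("Action", [])):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

def missing_actions(policy, path):
    """Return the required actions for `path` that `policy` does not grant."""
    return [a for a in REQUIRED[path] if not action_allowed(policy, a)]

# Constructed sample: the asker's original permission set from the question.
ASKER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress",
    "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
    "ec2:UpdateSecurityGroupRuleDescriptionsIngress"]}]
}""")

if __name__ == "__main__":
    for path in REQUIRED:
        print(path, "missing:", missing_actions(ASKER_POLICY, path))
```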
