IAM role needed to assign a security group to a running EC2 instance


What is the proper IAM role required to assign an existing security group to a running EC2 instance? My current permissions are:

2 Answers

Looks like you're missing ec2:ModifyNetworkInterfaceAttribute

Here's the API documentation where you can see that it says "You can use this action to attach and detach security groups from an existing EC2 instance."

Hope this helps!

answered 2 years ago
profile pictureAWS
reviewed 2 years ago

Thank you for reaching out on this. Yes, as echoed by Joe, you can use ec2:ModifyNetworkInterfaceAttribute to add existing Security groups to a Network Interface associated with an EC2 Instance However, this does not directly add Security groups to an EC2 Instance.

To add to an EC2 Instance directly, you would need to use ec2:ModifyInstanceAttribute. See API documentation

To allow users to change the security group that's associated with an instance, add the ec2:ModifyInstanceAttribute action to your policy.

To allow users to change security groups for a network interface, add the ec2:ModifyNetworkInterfaceAttribute action to your policy. Refer to documentation for more details [Amazon VPC policy examples](Manage security groups - https://docs.aws.amazon.com/vpc/latest/userguide/vpc-policy-examples.html#vpc-security-groups-iam)

Other important IAM permissions includes ec2:DescribeNetworkInterfaces, ec2:DescribeSecurityGroups, DescribeInstances

Sample IAM permissions (Please edit as per best practices considering least privilege)

	"Version": "2012-10-17",
	"Statement": [{
		"Effect": "Allow",
		"Action": [

		"Resource": "*"
answered 2 years ago
profile pictureAWS
reviewed 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions