使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

How to create a policy that shows only an especific security group

0

Hello, i want to create a IAM policy that the user cans only modify outbound/inbound rules of an specific security group, I followed the steps of the documentation, but this policy permit modify all the security groups.

I used the documentation: https://docs.aws.amazon.com/es_es/IAM/latest/UserGuide/reference_policies_examples_ec2_securitygroups-vpc.html

policy:

{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroupRules", "ec2:DescribeTags" ], "Resource": "" }, { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress", "ec2:ModifySecurityGroupRules", "ec2:UpdateSecurityGroupRuleDescriptionsIngress", "ec2:UpdateSecurityGroupRuleDescriptionsEgress" ], "Resource": [ "arn:aws:ec2:region:111122223333:security-group/" ], "Condition": { "StringEquals": { "aws:ResourceTag/Department": "Test" } } },
{ "Effect": "Allow", "Action": [ "ec2:ModifySecurityGroupRules" ], "Resource": [ "arn:aws:ec2:region:111122223333:security-group-rule/*" ] } ] }

主题
安全、身份和合规性网络和内容交付
标签
IAM 策略安全组
语言
English
rePost-User-6114547
已提问 1 年前246 查看次数
1 回答
-1

The second Allow is not required IMO

{ "Effect": "Allow", "Action": [ "ec2:ModifySecurityGroupRules" ], "Resource": [ "arn:aws:ec2:region:111122223333:security-group-rule/*" ] } ] }

Just use .. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroupRules", "ec2:DescribeTags" ], "Resource": "" }, { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress", "ec2:ModifySecurityGroupRules", "ec2:UpdateSecurityGroupRuleDescriptionsIngress", "ec2:UpdateSecurityGroupRuleDescriptionsEgress" ], "Resource": [ "arn:aws:ec2:region:111122223333:security-group/" ], "Condition": { "StringEquals": { "aws:ResourceTag/Department": "Test" } } },

AWS
Nirmal Rajan
已回答 1 年前
  • rePost-User-6114547
    1 年前

    I aplied your sugestion but the problem is still persist { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroupRules", "ec2:DescribeTags" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress", "ec2:ModifySecurityGroupRules", "ec2:UpdateSecurityGroupRuleDescriptionsIngress", "ec2:UpdateSecurityGroupRuleDescriptionsEgress" ], "Resource": [ "arn:aws:ec2:us-east-1:112345678433:security-group/" ], "Condition": { "StringEquals": { "aws:ResourceTag/Department": "Test" } } } ] }

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容