使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

How to create a policy that shows only an especific security group

0

Hello, i want to create a IAM policy that the user cans only modify outbound/inbound rules of an specific security group, I followed the steps of the documentation, but this policy permit modify all the security groups.

I used the documentation: https://docs.aws.amazon.com/es_es/IAM/latest/UserGuide/reference_policies_examples_ec2_securitygroups-vpc.html

policy:

{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroupRules", "ec2:DescribeTags" ], "Resource": "" }, { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress", "ec2:ModifySecurityGroupRules", "ec2:UpdateSecurityGroupRuleDescriptionsIngress", "ec2:UpdateSecurityGroupRuleDescriptionsEgress" ], "Resource": [ "arn:aws:ec2:region:111122223333:security-group/" ], "Condition": { "StringEquals": { "aws:ResourceTag/Department": "Test" } } },
{ "Effect": "Allow", "Action": [ "ec2:ModifySecurityGroupRules" ], "Resource": [ "arn:aws:ec2:region:111122223333:security-group-rule/*" ] } ] }

主題
安全性、身分識別與合規網路與內容交付
標籤
IAM 政策安全性群組
語言
English
rePost-User-6114547
已提問 1 年前檢視次數 246 次
1 個回答
-1

The second Allow is not required IMO

{ "Effect": "Allow", "Action": [ "ec2:ModifySecurityGroupRules" ], "Resource": [ "arn:aws:ec2:region:111122223333:security-group-rule/*" ] } ] }

Just use .. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroupRules", "ec2:DescribeTags" ], "Resource": "" }, { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress", "ec2:ModifySecurityGroupRules", "ec2:UpdateSecurityGroupRuleDescriptionsIngress", "ec2:UpdateSecurityGroupRuleDescriptionsEgress" ], "Resource": [ "arn:aws:ec2:region:111122223333:security-group/" ], "Condition": { "StringEquals": { "aws:ResourceTag/Department": "Test" } } },

AWS
Nirmal Rajan
已回答 1 年前
  • rePost-User-6114547
    1 年前

    I aplied your sugestion but the problem is still persist { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroupRules", "ec2:DescribeTags" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress", "ec2:ModifySecurityGroupRules", "ec2:UpdateSecurityGroupRuleDescriptionsIngress", "ec2:UpdateSecurityGroupRuleDescriptionsEgress" ], "Resource": [ "arn:aws:ec2:us-east-1:112345678433:security-group/" ], "Condition": { "StringEquals": { "aws:ResourceTag/Department": "Test" } } } ] }

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容