Use IAM to Allow User to Edit AWS / EC2 Security Groups?

Solution 1

For this to work, you need to explicitly ALLOW the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1392679134000",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeSecurityGroups",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The above JSON policy basically stipulates that the user ONLY has access to the above. They will NOT have access to anything else. That includes EC2 instances, S3, IAM, CloudFront, etc.

Solution 2

If you want to limit editing to a single security group, I think that you need two statements; the following worked for me:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1413232782000",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstances",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1413232782001",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:<accountid>:security-group/sg-<id>"
            ]
        }
    ]
}

DescribeInstance may not be needed, but in my case I wanted it, so I haven't tested without it.

Solution 3

I was looking for an answer to a question that @nsij22 asked in the accepted answer's comments. Unfortunately, it looks like that is not possible. According to the IAM Policy Simulator, only the following actions from @DevMan14's answer can be used with specific resources:

  • DeleteSecurityGroup
  • AuthorizeSecurityGroupEgress
  • AuthorizeSecurityGroupIngress
  • RevokeSecurityGroupEgress
  • RevokeSecurityGroupIngress

For everything else, IAM Policy Simulator says:

This action does not support resource-level permissions. Policies granting access must specify "*" in the resource element.

It looks like this:

[Screenshot of the IAM Policy Simulator results not included.]

All "allowed" and "denied" are the same, so I collapsed them.
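A small check for the restriction this answer describes, added here as an example (it is not from the answer or from AWS): given a policy document, it flags every Allow statement that binds an action without resource-level support to a specific ARN, so the asker's single-statement policy is reported while the two-statement split from Solution 2 passes. The account ID and security-group ID in the samples are constructed placeholders.

```python
import json

# From the IAM Policy Simulator result quoted in the answer above: only these
# security-group actions accept a specific ARN; the Describe* actions need "*".
RESOURCE_LEVEL_ACTIONS = {
    "ec2:DeleteSecurityGroup",
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupIngress",
}

def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def find_misscoped(policy):
    """Return (Sid, Action, Resource) for each Allow statement that binds an
    action lacking resource-level support to a resource other than "*".
    Such a pairing never matches a request, so the action is effectively
    denied; a wildcard like "ec2:*" is flagged because it expands to the
    Describe* actions as well."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        scoped = [r for r in _as_list(stmt.get("Resource", [])) if r != "*"]
        for action in _as_list(stmt.get("Action", [])):
            if action.endswith("*") or action not in RESOURCE_LEVEL_ACTIONS:
                problems.extend((stmt.get("Sid"), action, r) for r in scoped)
    return problems

# Constructed samples; 123456789012 and sg-0123456789abcdef0 are placeholders.
ASKER_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "Stmt1392336685000", "Effect": "Allow", "Action": ["ec2:*"],
   "Resource": ["arn:aws:ec2:us-east-1:123456789012:security-group/*"]}]}""")

SPLIT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Describe", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeSecurityGroups", "ec2:DescribeNetworkAcls"]},
    {"Sid": "EditOneGroup", "Effect": "Allow",
     "Action": ["ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress"],
     "Resource": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0123456789abcdef0"},
]}

if __name__ == "__main__":
    for name, policy in (("asker", ASKER_POLICY), ("split", SPLIT_POLICY)):
        print(name, find_misscoped(policy) or "OK: no mis-scoped statements")
```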

Solution 4

Looks like your security group is perhaps being used by an instance or some other EC2 resource. Can you try:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1392336685000",
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:<MYACCOUNTHERE>:instance/*",
        "arn:aws:ec2:us-east-1:<MYACCOUNTHERE>:security-group/*"
      ]
    }
  ]
}
Author: Chris

Updated on September 18, 2022

Comments

  • Chris
    Chris over 1 year

    I am trying to grant an IAM group the ability to edit our EC2 Security Groups, but I have been unable to get this working without granting access to everything in EC2.

    I have tried several versions of this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1392336685000",
          "Effect": "Allow",
          "Action": [
            "ec2:*"
          ],
          "Resource": [
            "arn:aws:ec2:us-east-1:<MYACCOUNTHERE>:security-group/*"
          ]
        }
      ]
    }

    But when I login with the IAM user, I get a message in the Security Group page saying "You are not authorized to perform this operation."

    I do know that the user/group is working because if I select the IAM Policy Template for "Amazon EC2 Full Access", the user can access everything in EC2.

    I obviously do not have a lot of experience with IAM, any help would be greatly appreciated.

  • Chris
    Chris about 10 years
    Thank you for the answer, but that did not work. Yes, the security groups are being used by multiple instances - does it matter that they are "EC2 Security Groups" and not "VPC Security Groups"? - OR maybe I am doing something else wrong, because this doesn't allow the user to see the Instances either, which I half expected it to do.
  • Chris
    Chris about 10 years
    This Worked. Thank You. The user can see all the Instance data but can't start/stop/create, so that is close enough. Do you think there is a way to state exactly which Security Groups they can access, or do I need to leave it open to all Security Groups?
  • nsij22
    nsij22 almost 9 years
    @DevMan14 so is there a way to state specific security groups? When I try and set the resource like below, it does not work, and with this code someone is able to use aws ec2 describe-security-groups and get a fair bit of information about every security group.
  • storm_m2138
    storm_m2138 over 7 years
    I was able to edit SG rules without the DescribeInstance rules, e.g. with the global * options only being set as: "ec2:DescribeNetworkAcls", "ec2:DescribeSecurityGroups"
  • storm_m2138
    storm_m2138 over 7 years
    If you are seeing EC2ResponseError: 403 Forbidden errors shortly after setting up or modifying your policy, note that it took a few minutes before my policy went into effect.