
I'm trying to allow a user to modify inbound rules on one particular security group.

Here's what I tried. I thought it would be straightforward, but this doesn't work. What other permissions do I need to provide?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupIngress"
            ],
            "Resource": "arn:aws:ec2:*:1234567890:security-group/sg-0115448f9fcb00g3c"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ec2:DescribeSecurityGroups",
            "Resource": "*"
        }
    ]
}

The authorisation to view the security groups is not happening.


BadHorsie
  • Permissions look ok to me, without thinking about it too deeply. Do you have any service control policies in place limiting this (this often tripped me up when I was new to SCPs)? Are you sure you're logged in as the correct user / groups / role who has the policy attached (easy mistake to make)? – Tim Aug 20 '20 at 20:32

1 Answer


It turns out the user was not looking at the correct region in the AWS console, so couldn't see the security groups associated with the region they had permission to edit.

The IAM policy itself is correct, if anyone needs to achieve the same thing.


BadHorsie
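As an added example (not code from the question or the answer), the following script evaluates the policy above locally, so the allow/deny outcome of each request can be checked before anyone goes hunting through the console. It models the core of IAM's evaluation logic: an explicit Deny wins, otherwise any matching Allow applies, otherwise the request is implicitly denied. Action names match case-insensitively and ARNs case-sensitively, with `*` and `?` as wildcards. Conditions, NotAction/NotResource, SCPs and permission boundaries are deliberately not modelled. The account id and security-group id are the question's own placeholder values; the region names in the sample ARNs are assumptions made for this example.

```python
"""Local evaluator for the IAM policy from the question (added example, not
code from the original post). Models explicit Deny > Allow > implicit deny
and IAM wildcard matching; conditions, NotAction/NotResource, SCPs and
permission boundaries are not modelled."""
import json
import re

# Policy document copied verbatim from the question.
POLICY_JSON = """
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupIngress"
            ],
            "Resource": "arn:aws:ec2:*:1234567890:security-group/sg-0115448f9fcb00g3c"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ec2:DescribeSecurityGroups",
            "Resource": "*"
        }
    ]
}
"""

# Sample request ARNs (constructed for this example; eu-west-1 / us-east-1 are assumed regions).
SG_ARN = "arn:aws:ec2:eu-west-1:1234567890:security-group/sg-0115448f9fcb00g3c"
SG_ARN_OTHER_REGION = "arn:aws:ec2:us-east-1:1234567890:security-group/sg-0115448f9fcb00g3c"
OTHER_SG_ARN = "arn:aws:ec2:eu-west-1:1234567890:security-group/sg-0000000000000000a"


def _matches(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' one character,
    everything else literal. Action names match case-insensitively; ARNs do not."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action, ignore_case=True) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny overrides every Allow
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def check_question_policy() -> dict:
    """Evaluate the requests a user editing one security group's inbound rules would make."""
    policy = json.loads(POLICY_JSON)
    return {
        "authorize_ingress_target_sg": evaluate(policy, "ec2:AuthorizeSecurityGroupIngress", SG_ARN),
        "revoke_ingress_target_sg_other_region": evaluate(policy, "ec2:RevokeSecurityGroupIngress", SG_ARN_OTHER_REGION),
        "authorize_ingress_other_sg": evaluate(policy, "ec2:AuthorizeSecurityGroupIngress", OTHER_SG_ARN),
        "describe_security_groups": evaluate(policy, "ec2:DescribeSecurityGroups", "*"),
        "authorize_egress_target_sg": evaluate(policy, "ec2:AuthorizeSecurityGroupEgress", SG_ARN),
    }


if __name__ == "__main__":
    for request, outcome in check_question_policy().items():
        print(f"{request:40s} {outcome}")
```

Run as-is it shows that the policy allows ingress changes only on the named group (the region wildcard in the ARN makes that true in every region, which is why the console region still has to match the group's region), denies the same action on any other group and denies egress changes, and allows the Describe call. `ec2:DescribeSecurityGroups` does not support resource-level permissions, so `"Resource": "*"` is the correct scope for that statement. For the authoritative answer against a real principal, including its permission boundary, use `aws iam simulate-principal-policy`; the console region selection that caused the original problem is outside IAM altogether.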