17

I am trying to grant an IAM group the ability to edit our EC2 Security Groups, but I have been unable to get this working without granting access to everything in EC2.

I have tried several versions of this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1392336685000",
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:<MYACCOUNTHERE>:security-group/*"
      ]
    }
  ]
}

But when I log in with the IAM user, I get a message on the Security Group page saying "You are not authorized to perform this operation."

I do know that the user/group is working because if I select the IAM Policy Template for "Amazon EC2 Full Access", the user can access everything in EC2.

I obviously do not have a lot of experience with IAM; any help would be greatly appreciated.

Chris

5 Answers

16

For this to work, you need to explicitly ALLOW the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1392679134000",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeSecurityGroups",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The above JSON policy basically stipulates that the user ONLY has access to the above. They will NOT have access to anything else. That includes ec2 instances, S3, IAM, cloudfront, etc.

Scott Moore
  • 1
    This Worked. Thank You. The user can see all the Instance data but can't start/stop/create, so that is close enough. Do you think there is a way to state exactly which Security Groups they can access, or do I need to leave it open to all Security Groups? – Chris Feb 18 '14 at 15:53
  • @DevMan14 so is there a way to state specific security groups? When I try and set the resource like below it does not work, and with this code someone is able to use aws ec2 describe-security-groups and get a fair bit of information about every security group – nsij22 May 06 '15 at 01:32
  • 1
    If you are seeing **EC2ResponseError: 403 Forbidden** errors, shortly after setting up/ modifying your policy, note that it took a **few minutes** before my policy went into effect – storm_m2138 Dec 21 '16 at 19:30

14

If you want to limit editing to a single security group, I think that you need 2 statements; the following worked for me:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1413232782000",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstances",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1413232782001",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:<accountid>:security-group/sg-<id>"
            ]
        }
    ]
}

DescribeInstance may not be needed, but in my case I wanted it, so I haven't tested without it.

kasperd
Guillaume Gros
  • 1
    I was able to edit SG rules **without** the DescribeInstance rules. E.g. the global * options **only** being set as: `"ec2:DescribeNetworkAcls", "ec2:DescribeSecurityGroups"` – storm_m2138 Dec 21 '16 at 19:23

1

Looks like your security group is perhaps being used by an instance or some other EC2 resource. Can you try:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1392336685000",
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:<MYACCOUNTHERE>:instance/*",
        "arn:aws:ec2:us-east-1:<MYACCOUNTHERE>:security-group/*"
      ]
    }
  ]
}

Rico
  • Thank you for the answer but that did not work. Yes, the security groups are being used by multiple instances - does it matter that they are "EC2 Security Groups" and not "VPC Security Groups" ? - OR maybe I am doing something else wrong because this doesn't allow the user to see the Instances either, which I half expected it to do. – Chris Feb 14 '14 at 14:06

1

I was looking for an answer to a question that @nsij22 asked in the accepted answer's comments. Unfortunately, it looks like that is not possible. According to IAM Policy Simulator, only the following actions from @DevMan14's answer can be used with specific resources:

  • DeleteSecurityGroup
  • AuthorizeSecurityGroupEgress
  • AuthorizeSecurityGroupIngress
  • RevokeSecurityGroupEgress
  • RevokeSecurityGroupIngress

For everything else, IAM Policy Simulator says:

This action does not support resource-level permissions. Policies granting access must specify "*" in the resource element.

It looks like this:

[screenshot of the IAM Policy Simulator results]

All "allowed" and "denied" are the same, so I collapsed them.

Pierre.Vriens
selurvedu

0
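The resource-level limitation this answer describes, as an added example that is not from any poster in the thread: a small Python checker that evaluates a policy the way the simulator result implies (an action without resource-level support only matches a statement whose Resource is "*") and flags scoped grants that therefore never take effect. It assumes the five actions listed above are the only ones that accept a security-group ARN, and the account id and group id in the sample policies are constructed.

```python
import fnmatch

# Actions this thread confirms accept a security-group ARN in "Resource"
# (the Policy Simulator list above); everything else is treated as needing "*".
RESOURCE_LEVEL_ACTIONS = {
    "ec2:DeleteSecurityGroup", "ec2:AuthorizeSecurityGroupEgress",
    "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupIngress",
}

# Constructed sample policies: the question's single statement, and the
# two-statement shape from the answer above it, with a made-up account/group id.
SG_ARN = "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0123"
QUESTION_POLICY = {"Statement": [
    {"Sid": "Stmt1392336685000", "Effect": "Allow", "Action": ["ec2:*"],
     "Resource": ["arn:aws:ec2:us-east-1:111122223333:security-group/*"]}]}
SCOPED_POLICY = {"Statement": [
    {"Sid": "Describe", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeSecurityGroups", "ec2:DescribeNetworkAcls"]},
    {"Sid": "Edit", "Effect": "Allow", "Resource": SG_ARN,
     "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"]}]}

def _as_list(value):  # IAM accepts a bare string or a list in Action/Resource
    return [value] if isinstance(value, str) else list(value)

def _matches(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def is_allowed(policy, action, resource_arn):
    """Simplified Allow-only evaluation (no Deny statements, no Conditions)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not _matches(action, stmt["Action"]):
            continue
        resources = _as_list(stmt["Resource"])
        if action not in RESOURCE_LEVEL_ACTIONS:
            if "*" in resources:  # Describe* and friends only work against "*"
                return True
        elif _matches(resource_arn, resources):
            return True
    return False

def find_dead_grants(policy):
    """(Sid, action pattern) pairs whose scoped Resource silently drops the grant."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" in _as_list(stmt["Resource"]):
            continue
        for pattern in _as_list(stmt["Action"]):
            # ec2:* covers Describe* calls, which cannot be scoped to an ARN
            if "*" in pattern or pattern not in RESOURCE_LEVEL_ACTIONS:
                findings.append((stmt.get("Sid"), pattern))
    return findings
```

Running `is_allowed(QUESTION_POLICY, "ec2:DescribeSecurityGroups", "*")` returns False, which is the console's "not authorized" message from the question, while the same call against `SCOPED_POLICY` returns True.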

The answer given by Scott Moore and selected as the correct answer at the time of writing does not solve the issue anymore. Not Scott's fault; AWS is frequently changing many things.

We had followed an AWS document and created a custom policy which had been working just fine for the last 1.5 years or so, until this morning our clients suddenly started facing issues editing the Security Groups, and so I stumbled upon this thread in order to try possible solutions.

I eventually ended up creating a custom policy from scratch, as it seems something critical was deprecated on the AWS IAM policy side this morning; the policy that works for me at the time of writing is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSecurityGroupRules",
                "ec2:ModifySecurityGroupRules"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
                "ec2:UpdateSecurityGroupRuleDescriptionsIngress"
            ],
            "Resource": "arn:aws:ec2:*:*:security-group/*"
        }
    ]
}

This:

  • Allows editing/deleting existing rules inside the existing Security Groups.
  • Allows creating new rules inside the existing Security Groups.
  • Does not allow creating a new security group or deleting an existing security group.

The question never focused on allowing the creation of new security groups or the deletion of existing ones, so that has not been added to the policy, but readers can add it if their requirements demand it.

Srini K