Use IAM to Allow User to Edit AWS / EC2 Security Groups?

I am trying to grant an IAM group the ability to edit our EC2 Security Groups, but I have been unable to get this working without granting access to everything in EC2.

I have tried several versions of this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1392336685000",
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:<MYACCOUNTHERE>:security-group/*"
      ]
    }
  ]
}

But when I login with the IAM user, I get a message in the Security Group page saying "You are not authorized to perform this operation."

I do know that the user/group is working because if I select the IAM Policy Template for "Amazon EC2 Full Access", the user can access everything in EC2.

I obviously do not have a lot of experience with IAM, any help would be greatly appreciated.


Solution 1:

For this to work, you need to explicitly ALLOW the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1392679134000",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeSecurityGroups",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The above JSON policy basically stipulates that the user ONLY has access to the above. They will NOT have access to anything else. That includes ec2 instances, S3, IAM, cloudfront, etc.

Solution 2:

If you want to limit editing to a single security group, I think that you need 2 statements, the following worked for me:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1413232782000",
            "Effect": "Allow",
            "Action": [               
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstances",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeSecurityGroups"              
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1413232782001",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",                
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:<accountid>:security-group/sg-<id>"
            ]
        }
    ]
}

DescribeInstance may not be needed but in my case I wanted it, so haven't tested without it

Solution 3:

Looks like your security group is perhaps being used by an instance or some other EC2 resource. Can you try:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1392336685000",
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:<MYACCOUNTHERE>:instance/*",
        "arn:aws:ec2:us-east-1:<MYACCOUNTHERE>:security-group/*"
      ]
    }
  ]
}