I'd like to allow some developers to manage firewall rules, specifically rules in EC2 security groups (or some of them, ideally), so that they can, e.g., update their changing IP addresses to access development machines. I've found there isn't a way to do this using the visual interface to define an EC2 group - so I can only give them full EC2 admin, or read-only.
What is the best way to accomplish this, if there is a way? Can I create full EC2 admin access for just those machines in some way, or, ideally, can I create IAM permissions so they, as a user, can log in to EC2 and only see and edit those security groups I select? I suspect this could be possible programmatically (using JSON rules, maybe with the AWS CLI), or some other way that I am unfamiliar with - regardless, appreciate your help.