
I am writing an IAM Policy to deploy EC2 Instances along with creating Security Groups using Terraform, I don't want to give EC2 full access. Following principle of least privilege, what are the permissions required to create Security groups also adding inbound and outbound rules?

mellifluous

3 Answers

The list of IAM actions for EC2 should be a helpful reference.

The action for creating a security group is CreateSecurityGroup. Note: that action alone will not suffice if you need to create ingress and egress rules on the security group. For those, you will need to add AuthorizeSecurityGroupIngress and AuthorizeSecurityGroupEgress.

jarmod
  • Assume I add only CreateSecurityGroup to my policy, I will be able to create a security group with the ingress and egress rules in the terraform code itself right? – mellifluous May 06 '20 at 05:17
  • Not quite, if you add tags then `ec2:CreateSecurityGroup` will depend on `ec2:CreateTags` which you need to allow, too. Otherwise the whole operation will fail. [Search here for "CreateSecurityGroup"](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html#amazonec2-security-group). – mana Dec 23 '22 at 13:09
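As an added example (not code from the answer or comments above), the following Python check reads an IAM policy document and reports which of the actions a Terraform `aws_security_group` with inline rules and tags needs are not granted. The required action list is my assumption, taken from the actions named on this page plus `ec2:RevokeSecurityGroupEgress`, which Terraform calls to remove the default allow-all egress rule when you declare `egress` blocks; the two sample policies are constructed inline, one being the "CreateSecurityGroup only" policy asked about in the comment.

```python
"""Report which EC2 actions needed by Terraform's aws_security_group an IAM
policy does not allow.  Added example, not from the original answer.

Only Action/NotAction and Effect are inspected: this answers "is the action
granted anywhere in the policy", not "will this specific request pass its
Resource and Condition checks".
"""
import fnmatch
import json

# Assumed minimum action set for create / read / update / delete of an
# aws_security_group that declares ingress, egress and tags.
REQUIRED_ACTIONS = [
    "ec2:CreateSecurityGroup",
    "ec2:CreateTags",
    "ec2:DescribeSecurityGroups",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupEgress",   # Terraform removes the default egress rule
    "ec2:DeleteSecurityGroup",
]


def _as_list(value):
    # IAM allows a single string or a list in Action/NotAction/Statement.
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # Action patterns support '*' and '?' and are matched case-insensitively.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions that are not allowed (or are explicitly denied)."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    missing = []
    for action in required:
        allowed = denied = False
        for stmt in _as_list(doc["Statement"]):
            if "Action" in stmt:
                hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
            else:  # NotAction: the statement covers everything not listed
                hit = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
            if not hit:
                continue
            if stmt["Effect"] == "Allow":
                allowed = True
            else:
                denied = True
        # An explicit Deny always beats an Allow; no Allow at all is an implicit deny.
        if denied or not allowed:
            missing.append(action)
    return missing


# Constructed sample: the "CreateSecurityGroup only" policy from the comment.
CREATE_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:CreateSecurityGroup", "Resource": "*"}],
}

# Constructed sample: wildcard grants plus an explicit Deny on deletion.
WITH_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ec2:CreateSecurityGroup", "ec2:CreateTags",
                    "ec2:*SecurityGroupIngress", "ec2:*SecurityGroupEgress",
                    "ec2:DeleteSecurityGroup"]},
        {"Effect": "Deny", "Action": "ec2:DeleteSecurityGroup", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("create-only", CREATE_ONLY), ("with-deny", WITH_DENY)):
        print(name, "missing:", missing_actions(pol))
```

Run it against the policy you are about to attach and fix the reported gaps before the first `terraform apply`; a policy that passes here can still fail on Resource or Condition restrictions, which this check deliberately ignores.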
Let me try to answer your question: "Permissions required to create Security groups also adding inbound and outbound rules".

The policy I used is the following:

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "Describe",
           "Effect": "Allow",
           "Action": [
               "ec2:DescribeSecurityGroups",
               "ec2:DescribeSecurityGroupRules",
               "ec2:DescribeNetworkInterfaces",
               "ec2:CreateSecurityGroup"
           ],
           "Resource": "*"
       },
       {
           "Sid": "Create",
           "Effect": "Allow",
           "Action": [
               "ec2:CreateTags"
           ],
           "Resource": "*",
           "Condition": {
               "StringEquals": {
                   "aws:RequestTag/Application": "testapp"
               }
           }
       },
       {
           "Sid": "Delete",
           "Effect": "Allow",
           "Action": [
               "ec2:AuthorizeSecurityGroupEgress",
               "ec2:AuthorizeSecurityGroupIngress",
               "ec2:RevokeSecurityGroupEgress",
               "ec2:RevokeSecurityGroupIngress",
               "ec2:DeleteSecurityGroup"
           ],
           "Resource": "arn:aws:ec2:<region>:<accountID>:security-group/*",
           "Condition": {
               "StringEquals": {
                   "aws:ResourceTag/Application": "testapp"
               }
           }
       }
   ]
}

Where all my resources are tagged with "Application:testapp". For Terraform, I use a custom module where tags for resources are mandatory and the "Application" tag is required to apply.

As you can see:

  1. Some actions do not apply to resources (Describe actions).
  2. Some actions do not apply to resources (Create actions), but one can specify a RequestTag condition.
  3. Some actions apply to resources (Delete actions), and one can specify a ResourceTag condition.

This way, it is not possible to create a security group without the specified RequestTag, and I can't delete any security group except those with the specified ResourceTag.

Links to sources:

  1. https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2_securitygroups-vpc.html

I hope this is helpful; I spent some time figuring out how to set up this kind of policy properly. Let me know in a comment if you have a better way to do it.

Doms Dev

And after a while, I decided to try to be more restrictive, and I realized that I certainly made a mistake in my answer.

For the "Describe" block, the visual editor says: "Selected actions only support the all resources wildcard ('*')."

The "ec2:CreateSecurityGroup" action can be associated with resources (the resources are listed by the visual editor).

The "ec2:CreateTags" action can be associated with resources as well, but I used "Resource": "*", otherwise there would be too many ARN resources to add. But maybe there is an appropriate solution for this. Some actions may be required, some not.

Finally, in the "Delete" block I added specific ARNs to be more restrictive.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Describe",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSecurityGroupRules",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Create",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:<region>:<accountID>:vpc/<vpcID>",
                "arn:aws:ec2:<region>:<accountID>:security-group/*"
            ]
        },
        {
            "Sid": "Tag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Application": "testapp"
                }
            }
        },
        {
            "Sid": "Delete",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:DeleteSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:<region>:<accountID>:security-group/*",
                "arn:aws:ec2:<region>:<accountID>:security-group/testapp*",
                "arn:aws:ec2:<region>:<accountID>:security-group-rule/testapp*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Application": "testapp"
                }
            }
        }
    ]
}

I'm still searching ...

Doms Dev