I am trying to set up a policy for a User group in IAM so that they can insert/delete/update policies in a Security Group.
I currently have it working if I leave the resource as the default "any" statements:
"arn:aws:ec2:*:*:security-group-rule/*",
"arn:aws:ec2:*:*:security-group/*"
When I go to try and change any of the asterisks, the rule will then fail. I have tried adding in us-east-2, my AWS Account ID and the actual sg-########## of the security group. All fail.
Any ideas why?
My current JSON policy below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeSecurityGroupRules",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeInstanceStatus"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:ModifySecurityGroupRules",
                "ec2:UpdateSecurityGroupRuleDescriptionsIngress"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:security-group-rule/*",
                "arn:aws:ec2:*:*:security-group/*"
            ]
        }
    ]
}
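When a wildcard in a Resource ARN is narrowed, a field that is malformed (account id not 12 digits, region name mistyped, an `sg-` id placed under the `security-group-rule` type, which expects `sgr-` ids) matches nothing and the action is denied with no hint about which field is wrong. The following is an added example, not code from the post above: a small Python checker that parses a policy document and validates each EC2 Resource ARN against the shape `arn:aws:ec2:<region>:<12-digit account>:security-group/<sg-id>` or `...:security-group-rule/<sgr-id>`. The region, account id and security-group id in the embedded sample policy are hypothetical placeholders.

```python
"""Structural check of the Resource ARNs in an EC2 security-group IAM policy.

Added example (not from the original post). A malformed ARN field silently
matches no resource, so the Allow statement never applies. The expected shapes:

    arn:aws:ec2:<region>:<12-digit account id>:security-group/<sg-id>
    arn:aws:ec2:<region>:<12-digit account id>:security-group-rule/<sgr-id>
"""
import json
import re

# ARN layout shared by all services: arn:partition:service:region:account:resource
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>[^:]+):(?P<region>[^:]*)"
    r":(?P<account>[^:]*):(?P<resource>.+)$"
)

# Loose heuristic for a region name such as us-east-2 or us-gov-west-1.
REGION_RE = re.compile(r"^(\*|[a-z]{2}(-gov)?-[a-z]+-\d)$")

# Resource-id shapes per EC2 resource type (ids are 8 or 17 hex characters).
RESOURCE_ID_RE = {
    "security-group": re.compile(r"^(\*|sg-[0-9a-f]{8}(?:[0-9a-f]{9})?)$"),
    "security-group-rule": re.compile(r"^(\*|sgr-[0-9a-f]{8}(?:[0-9a-f]{9})?)$"),
}


def check_arn(arn: str) -> list[str]:
    """Return human-readable problems for one ARN; an empty list means it looks well-formed."""
    m = ARN_RE.match(arn)
    if not m:
        return [f"{arn}: not an ARN (expected arn:partition:service:region:account:resource)"]
    problems = []
    if m["service"] != "ec2":
        problems.append(f"{arn}: service is '{m['service']}', expected 'ec2'")
    if not REGION_RE.match(m["region"]):
        problems.append(f"{arn}: region '{m['region']}' is not a region name or '*'")
    if m["account"] != "*" and not re.fullmatch(r"\d{12}", m["account"]):
        problems.append(f"{arn}: account '{m['account']}' must be the 12-digit account id or '*'")
    rtype, _, rid = m["resource"].partition("/")
    if rtype not in RESOURCE_ID_RE:
        problems.append(f"{arn}: resource type '{rtype}' is not security-group or security-group-rule")
    elif not RESOURCE_ID_RE[rtype].match(rid):
        problems.append(f"{arn}: id '{rid}' does not match the {rtype} id format")
    return problems


def check_policy(policy: dict) -> list[str]:
    """Run check_arn over every Resource entry of every statement (a bare '*' is accepted)."""
    problems = []
    for stmt in policy["Statement"]:
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            if arn != "*":
                problems.extend(check_arn(arn))
    return problems


# Constructed policy: the post's second statement narrowed to a hypothetical
# region, account id and security-group id (none of these values are real).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"],
      "Resource": [
        "arn:aws:ec2:us-east-2:123456789012:security-group-rule/*",
        "arn:aws:ec2:us-east-2:123456789012:security-group/sg-0123456789abcdef0"
      ]
    }
  ]
}
""")


if __name__ == "__main__":
    for line in check_policy(SAMPLE_POLICY) or ["no structural problems found"]:
        print(line)
```

Run it against the real policy document by replacing `SAMPLE_POLICY` with `json.load(open("policy.json"))`; an empty result only says the ARNs are well-formed, so if the action still fails the remaining suspects are the values themselves (the group living in a different region or account than the ARN names), which the IAM policy simulator can confirm.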