Issue
I've been trying to implement a new policy on AWS to allow a specific user to manage a specific Security Group. I used to have this working but it stopped working a couple of weeks ago and now no matter what I try I cannot get it to work again.
Does anyone have a valid JSON config on how to create a policy to allow users to modify a SPECIFIC security role? This is mainly to allow certain users to change the firewall rules when they are on dynamic IPs.
EDIT: This is my current JSON config:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "s1",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstances",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "s2",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:security-group/sg-<my id>"
            ]
        }
    ]
}
Solution
The policy you mentioned looks correct. But it will not allow you to modify the existing egress/ingress security rule. If you want to modify a security group rule, you can delete the existing security group rule and add a new security group rule.
To allow modifications on an existing security group rule, add this permission as well: ec2:ModifySecurityGroupRules.
Modified policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeSecurityGroupRules",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeInstanceStatus"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
                "ec2:ModifySecurityGroupRules"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:security-group/<sg-id>",
                "arn:aws:ec2:*:*:security-group-rule/*"
            ]
        }
    ]
}
Note: This policy allows you to edit a security group and any security group rules under that security group. You can also limit access to a specific security group rule by mentioning the security group rule id (arn:aws:ec2:*:*:security-group-rule/$sgr-id) for the corresponding security group id.
Answered By - deepanmurugan
Answer Checked By - David Goodson (WPSolving Volunteer)
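The following is an added example, not part of the question or the answer above, that shows why the original policy could not modify a rule and why the corrected one can. It is a deliberately simplified, offline model of IAM's single-policy evaluation (explicit Deny beats Allow, anything unmatched is an implicit deny; Conditions, permission boundaries, SCPs and resource policies are ignored). The security-group and rule ids are constructed placeholders, the account id and region are fictitious, and the `wildcard_mutations` lint is my own least-privilege check, not an AWS API.

```python
import copy
import fnmatch

# Constructed placeholder ids; replace with the real sg-/sgr- ids in practice.
SG_ID = "sg-0123456789abcdef0"
RULE_ID = "sgr-0fedcba9876543210"

# The corrected policy from the answer, reduced to the actions that matter here.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": ["ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroupRules"],
            "Resource": "*",
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:ModifySecurityGroupRules",
            ],
            "Resource": [
                f"arn:aws:ec2:*:*:security-group/{SG_ID}",
                "arn:aws:ec2:*:*:security-group-rule/*",
            ],
        },
    ],
}

# The questioner's original policy, as far as this example is concerned: no
# ModifySecurityGroupRules action and no security-group-rule resource.
OLD_POLICY = copy.deepcopy(POLICY)
OLD_POLICY["Statement"][1]["Action"].remove("ec2:ModifySecurityGroupRules")
OLD_POLICY["Statement"][1]["Resource"].pop()


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(policy, action, resources):
    """Decide a request against one identity policy.

    Every resource the request touches must be covered by an Allow statement
    (ModifySecurityGroupRules touches both the group and the rule); a matching
    Deny anywhere ends the evaluation immediately.
    """
    all_allowed = True
    for res in _as_list(resources):
        res_allowed = False
        for stmt in policy["Statement"]:
            if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_matches(r, res) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            res_allowed = True
        all_allowed = all_allowed and res_allowed
    return "Allow" if all_allowed else "ImplicitDeny"


MUTATING_PREFIXES = ("ec2:authorize", "ec2:revoke", "ec2:modify", "ec2:update", "ec2:delete", "ec2:create")


def wildcard_mutations(policy):
    """Least-privilege lint: mutating EC2 actions allowed on Resource '*'."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for act in _as_list(stmt.get("Action", [])):
            if act.lower().startswith(MUTATING_PREFIXES) or act.endswith("*"):
                findings.append((stmt.get("Sid", "?"), act))
    return findings


if __name__ == "__main__":
    sg = f"arn:aws:ec2:us-east-1:123456789012:security-group/{SG_ID}"
    other_sg = "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0aaaaaaaaaaaaaaaa"
    rule = f"arn:aws:ec2:us-east-1:123456789012:security-group-rule/{RULE_ID}"
    print("old policy, modify rule:", evaluate(OLD_POLICY, "ec2:ModifySecurityGroupRules", [sg, rule]))
    print("new policy, modify rule:", evaluate(POLICY, "ec2:ModifySecurityGroupRules", [sg, rule]))
    print("new policy, other group:", evaluate(POLICY, "ec2:AuthorizeSecurityGroupIngress", other_sg))
    print("lint findings:", wildcard_mutations(POLICY))
```

Running the script shows the old policy returning an implicit deny for ModifySecurityGroupRules while the corrected one allows it, and a request against any other security group still being denied, which is the scoping the questioner wanted. The `wildcard_mutations` check is worth running before attaching any such policy: the Describe calls legitimately need `"Resource": "*"`, but no Authorize/Revoke/Modify action should.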