Tags: amazon-web-services, amazon-ec2, aws-security-group, identity-management

How do I prevent users from modifying AWS security groups?


I've looked all over Google, and haven't found a solid solution yet that works. I have an environment set up in AWS where I do NOT want users to be able to make any changes to the EC2 security groups; these can ONLY be set via Terraform apply. I have the following policy that we tried applying to users, but it didn't prevent me from adding or removing a new ingress rule:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PreventUpdateOfCoreSecurityGroups",
            "Effect": "Deny",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:ModifySecurityGroupRules"
            ],
            "Resource": [
                "arn:aws:ec2:us-west-2:************:security-group/sg-1",
                "arn:aws:ec2:us-west-2:************:security-group/sg-2",
                "arn:aws:ec2:us-west-2:************:security-group/sg-3",
                "arn:aws:ec2:us-west-2:************:security-group/sg-4",
                "arn:aws:ec2:us-west-2:************:security-group/sg-5"
            ]
        }
    ]
}

I'm sure I'm missing something obvious, but it's just not jumping out. I'd appreciate any thoughts!


Solution

  • To reproduce your situation, I did the following:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PreventUpdateOfCoreSecurityGroups",
                "Effect": "Deny",
                "Action": [
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:RevokeSecurityGroupIngress",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:ModifySecurityGroupRules"
                ],
                "Resource": [
                    "arn:aws:ec2:ap-southeast-2:123456789012:security-group/sg-094f33b4da123b5ae"
                ]
            }
        ]
    }
    

    The sg- ID at the end matches the Security Group.

    I then tried to add another Inbound rule. I received this message:

    There was an error modifying your security group inbound rules
    You may be missing IAM policies that allow AuthorizeSecurityGroupIngress. You are not authorized to perform this operation.

    So, at least part of the policy seems to be working!

    Did you, perhaps, use the name of the Security Group in the ARN, rather than the Security Group ID?
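The answer's closing hint is the usual cause of a Deny like this silently not matching: the last segment of a security-group ARN must be the `sg-` ID, not the group name. As an added example (not part of the question or the answer), here is a small offline check that scans a policy document's Deny statements and flags any security-group Resource ARN that carries a name instead of an ID. The sample policy and its account number are constructed for the example.

```python
import json
import re

# A security group ID is "sg-" followed by 8 (legacy) or 17 hex characters.
# A group *name* in this position matches no resource, so the Deny never fires.
SG_ID_RE = re.compile(r"^sg-(?:[0-9a-f]{8}|[0-9a-f]{17})$")
SG_ARN_RE = re.compile(
    r"^arn:aws:ec2:(?:[a-z0-9-]+|\*):(?:\d{12}|\*):security-group/(?P<sg>[^/]+)$"
)


def check_security_group_arns(policy):
    """Return human-readable problems for Deny statements whose Resource ARNs
    name a security group by something other than an sg- ID (or '*')."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):  # IAM allows a single string here
            resources = [resources]
        for arn in resources:
            if arn == "*":
                continue  # applies to every resource; nothing to validate
            match = SG_ARN_RE.match(arn)
            if match is None:
                problems.append(f"{sid}: not a security-group ARN: {arn}")
                continue
            sg = match.group("sg")
            if sg != "*" and not SG_ID_RE.match(sg):
                problems.append(
                    f"{sid}: '{sg}' looks like a group name, not an sg- ID: {arn}"
                )
    return problems


# Constructed sample: the first ARN uses a group name (the mistake the answer
# asks about), the second uses a real-looking sg- ID and is accepted.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PreventUpdateOfCoreSecurityGroups",
    "Effect": "Deny",
    "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"],
    "Resource": [
      "arn:aws:ec2:us-west-2:123456789012:security-group/web-servers",
      "arn:aws:ec2:us-west-2:123456789012:security-group/sg-094f33b4da123b5ae"
    ]
  }]
}""")

if __name__ == "__main__":
    for line in check_security_group_arns(SAMPLE_POLICY):
        print(line)
```

Run it against the policy file before attaching it to a user or group; an empty result means every security-group resource is addressed by ID.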