AWS security group policy does not work when I specify the ARN
I am trying to set up a policy for a User group in IAM so that they can insert/delete/update policies in a Security Group.
I currently have it working if I leave the resource as the default any statements:
"arn:aws:ec2:*:*:security-group-rule/*",
"arn:aws:ec2:*:*:security-group/*"
When I go to try and change any of the asterisks the rule will then fail. I have tried adding in the us-east-2, my AWS Account ID and the actual sg-########## of the security group. All fail.
Any ideas why?
My current JSON policy below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeSecurityGroupRules",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeInstanceStatus"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:ModifySecurityGroupRules",
                "ec2:UpdateSecurityGroupRuleDescriptionsIngress"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:security-group-rule/*",
                "arn:aws:ec2:*:*:security-group/*"
            ]
        }
    ]
}
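The post narrows the two Resource ARNs field by field (region, account, resource id), which is where least-privilege policies usually break. As an added example that is not the asker's code, the script below parses each Resource ARN in a policy into its fields (arn:partition:service:region:account:resource-type/resource-id), reports which fields are still wildcards, and flags one easy slip when narrowing: a security group id (sg-...) placed in a security-group-rule ARN, whose ids begin with sgr-. The sample policy, account id and resource ids are constructed placeholders; the script does not claim which of these is the asker's actual cause.

```python
"""Lint the Resource ARNs of an IAM policy for EC2 security-group scoping.

Added example, not code from the original post. It checks the ARN shape
arn:partition:service:region:account:resource-type/resource-id and reports
wildcards and id/resource-type mismatches so a narrowed policy can be
reviewed before it is attached.
"""
import json

# Resource types used by the EC2 security-group actions, mapped to the
# id prefix EC2 uses for that resource type (sg- for groups, sgr- for rules).
ID_PREFIX = {
    "security-group": "sg-",
    "security-group-rule": "sgr-",
}


def parse_arn(arn):
    """Split an ARN into its six fields; resource-type and id split on '/'."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    _, partition, service, region, account, resource = parts
    rtype, _, rid = resource.partition("/")
    return {
        "partition": partition,
        "service": service,
        "region": region,
        "account": account,
        "type": rtype,
        "id": rid,
    }


def lint_resource(arn):
    """Return a list of findings (strings) for one Resource ARN; empty means ok."""
    if arn == "*":
        return ["resource is '*' (every resource of every service)"]
    findings = []
    fields = parse_arn(arn)
    for name in ("region", "account", "id"):
        if fields[name] == "*":
            findings.append(f"{name} is a wildcard")
    expected = ID_PREFIX.get(fields["type"])
    if expected and fields["id"] != "*" and not fields["id"].startswith(expected):
        findings.append(
            f"id '{fields['id']}' does not look like a {fields['type']} id "
            f"(expected prefix '{expected}')"
        )
    return findings


def lint_policy(policy_json):
    """Map every Resource ARN in each Allow statement to its findings."""
    policy = json.loads(policy_json)
    report = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            report[arn] = lint_resource(arn)
    return report


# Constructed sample: the post's second statement, narrowed the way the
# question describes. Account id and resource ids are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": ["ec2:AuthorizeSecurityGroupIngress"],
        "Resource": [
            "arn:aws:ec2:us-east-2:123456789012:security-group/sg-0123456789abcdef0",
            # slip: a security group id in the security-group-rule ARN
            "arn:aws:ec2:us-east-2:123456789012:security-group-rule/sg-0123456789abcdef0",
            "arn:aws:ec2:*:*:security-group-rule/*",
        ],
    }],
})

if __name__ == "__main__":
    for arn, findings in lint_policy(SAMPLE_POLICY).items():
        print(arn, "->", findings or "ok")
```

Run it against the policy file you are about to attach (replace SAMPLE_POLICY with the file contents) and fix every finding you did not intend; a wildcard in the account or region field is worth calling out explicitly in review because it widens the grant to every account and region the principal can reach.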