EC2: Manage Security Groups with help of JSON policy

EC2: Manage Security Groups with help of JSON policy

July 17, 2020 / Eternal Team

This blog is very useful for software developers and server administrators to save their time and improve work productivity for the company.

If you’re a developer/ server admin you might be facing some issue during this pandemic situation.

Well let’s talk about the actual issue:

While we went to the office most of the companies have set a static IP address for every single person. But nowadays as we know most of the companies have given permission to work from home to their employees. So in this scenario, the broadband IP addresses are always dynamic so every time developer has to text the administrator to add their IP address in the AWS security group.

This is comparatively an easy task for a server administrator to do. But what if something happens and the administrator is not able to add the IP address on the security group.

So waiting for administrator……….? No way.

Now here comes the solution, by our AWS expert team for the developer so that anyone can add his/her IP address on the AWS security group.

Step 1

Create an IAM user

EC2: Manage Security Groups with help of JSON policy

Step 2

Create a custom JSON policy as given below

EC2: Manage Security Groups with help of JSON policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": "arn:aws:ec2:*:*:security-group/*",
            "Condition": {
                "ArnEquals": {
                    "ec2:Vpc": "arn:aws:ec2:*:*:vpc/vpc-vpc-id"
                }
            }
        },
        {
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSecurityGroupReferences",
                "ec2:DescribeStaleSecurityGroups",
                "ec2:DescribeVpcs"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

In place of text “vpc-vpc-id” you have to add your VPC id.

You can also specify like, which security group will be accessible.

Suppose here we can add only our IP on “sg-0735b94567cdbde36” security group.

Example of our demo script:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress"
            ],
           "Resource":"arn:aws:ec2:*:018180720289:security-group/sg-0735b94567cdbde36",
            "Condition": {
                "ArnEquals": {
                    "ec2:Vpc": "arn:aws:ec2:*:*:vpc/vpc-5940bd33"
                }
            }
        },
        {
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSecurityGroupReferences",
                "ec2:DescribeStaleSecurityGroups",
                "ec2:DescribeVpcs"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Now, Let’s describe the custom policy.

This custom policy is only accessible for particular security groups in which only you can add an IP address on security groups and if someone tries to delete the existing security group it will show up the error message.

Like this,

EC2: Manage Security Groups with help of JSON policy

So it’s completely secure.

This policy is very useful and it can improve the productivity of the company and save the time of the developer as well as the administrator.

AWS-Consulting-Partner

Talk to AWS Certified Consultant

Want to start a project?

It’s simple.

Contact us