2024/03/10

AWS Lambda Error: An error occurred (UnauthorizedOperation) when calling the AuthorizeSecurityGroupIngress operation: You are not authorized to perform this operation.

Problem

When I tried to add a rule to a specified security group from a Lambda function, the following error appeared:

Test Event Name
MyTest

Response
null

Function Logs
START RequestId: 7f5624bf-430f-4c65-a51f-9060e990b159 Version: $LATEST
An error occurred (UnauthorizedOperation) when calling the AuthorizeSecurityGroupIngress operation: You are not authorized to perform this operation. User: arn:aws:sts::102832830373:assumed-role/AddSGFunction-role-shx93f9g/AddSGFunction is not authorized to perform: ec2:AuthorizeSecurityGroupIngress on resource: arn:aws:ec2:us-east-1:102832830373:security-group/sg-056a6d3af28d29d47 because no identity-based policy allows the ec2:AuthorizeSecurityGroupIngress action. Encoded authorization failure message: u7vWnAW1hpW1M7YZt5LVRybW3WXafRneSDK4jpCisbXWFiI5yS7DAZQBJNuXqUMKsRSSn-pTBiotcINMCxvnICsMzd9e7D61fZgGGwrrnrsSPcwnC6V-SH7pDmEtw_rD8cIHhN1CQIByIzn3waZ0bwQqB7ggufrlDZlf4pVWU860dhL89jes5EP8XAW-cuXnoz156F-11Us2ZToRlSHIFGbsTQhxCjaLTIkKFyLnd45mkgF_24a8VKjqUXz1jcEAfZEM3FgQeCoG7BBKqk9Z_3S-ODAPoBQ4NuGYFfYKTqIGOVx_QEV3HlqC9QEXJ1ylRWoZ2aU94KESR54ak4yk9U6bwZGMz_Y8Lxw2UcQBfI43sdvGQW8Ga6G8yGMLO9qjaFqgRkVBrUZIjpprl0vEo5pN96m8mzdmqdELDR0KUV69VZkLzfevef44zP2Bwo5JaQKhFyzb00eiaZj3AuLSbf7Hyzawp5DKnDa7xasZkHU60sVbDDPnAyWQ98D9felWps-tafPaWVO49rg50UQKAz2lSwDKFLT-BIluOph8ruuJO_0YZyiQJmn3TYMEq3x2uR7IUsYTdugmYAJzmzNHzdIy5YxBPGx7SEvoEX9C_xZIloJLSWkO
END RequestId: 7f5624bf-430f-4c65-a51f-9060e990b159
REPORT RequestId: 7f5624bf-430f-4c65-a51f-9060e990b159	Duration: 3407.09 ms	Billed Duration: 3408 ms	Memory Size: 128 MB	Max Memory Used: 89 MB	Init Duration: 408.87 ms

Request ID
7f5624bf-430f-4c65-a51f-9060e990b159


Root Cause

The Lambda function's execution role (AddSGFunction-role-shx93f9g in the log above) has no identity-based policy that allows ec2:AuthorizeSecurityGroupIngress on the target security group, so the EC2 API rejects the call with UnauthorizedOperation.



How-To

Grant the execution role the ec2:AuthorizeSecurityGroupIngress permission. Scope the Resource to the security group the function manages (here arn:aws:ec2:us-east-1:102832830373:security-group/sg-056a6d3af28d29d47) rather than "*", otherwise the function can open ports on every security group in the account. If the reason for a denial is unclear, the "Encoded authorization failure message" in the log can be decoded with the STS DecodeAuthorizationMessage API (aws sts decode-authorization-message --encoded-message ...), which requires the sts:DecodeAuthorizationMessage permission.
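For the function side of the How-To, here is an added example (not the code from the original post) of a handler that makes the AuthorizeSecurityGroupIngress call the log shows and handles its failure modes. Two things differ from the behaviour visible in the log above: an UnauthorizedOperation error is re-raised so the invocation fails instead of returning null, and a duplicate-rule error is treated as success so the function is safe to re-run. The `event` field names (group_id, port, cidr) and the fallback ClientError class are assumptions; boto3/botocore are present in the real Lambda runtime.

```python
import logging

try:
    from botocore.exceptions import ClientError  # available in the Lambda Python runtime
except ImportError:  # assumption: botocore may be missing outside Lambda; stand-in with the same shape
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response.get("Error", {}).get("Message", ""))
            self.response = error_response
            self.operation_name = operation_name

logger = logging.getLogger()
logger.setLevel(logging.INFO)


def ingress_permission(port, cidr, protocol="tcp", description="added by Lambda"):
    """Build one IpPermissions entry for AuthorizeSecurityGroupIngress."""
    return {
        "IpProtocol": protocol,
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": cidr, "Description": description}],
    }


def add_ingress_rule(ec2, group_id, port, cidr):
    """Add an inbound rule to `group_id` and return the ids of the rules created.

    `ec2` is a boto3 EC2 client, or any object exposing the same method (the
    error paths can then be exercised without AWS access).
    """
    try:
        resp = ec2.authorize_security_group_ingress(
            GroupId=group_id, IpPermissions=[ingress_permission(port, cidr)]
        )
    except ClientError as exc:
        code = exc.response.get("Error", {}).get("Code", "")
        if code == "InvalidPermission.Duplicate":
            # Rule already present: treat the call as idempotent rather than failing.
            logger.info("rule tcp/%s from %s already exists on %s", port, cidr, group_id)
            return []
        if code == "UnauthorizedOperation":
            # Execution role lacks ec2:AuthorizeSecurityGroupIngress on this group.
            logger.error("role not allowed to authorize ingress on %s: %s", group_id, exc)
        raise  # fail the invocation so the problem is visible, instead of returning null
    rule_ids = [r["SecurityGroupRuleId"] for r in resp.get("SecurityGroupRules", [])]
    logger.info("Ingress Successfully Set %s", rule_ids)
    return rule_ids


def lambda_handler(event, context):
    """Entry point. Assumption: the event carries group_id, port and cidr."""
    import boto3  # real client only needed inside Lambda

    ec2 = boto2 = boto3.client("ec2")
    rule_ids = add_ingress_rule(
        ec2,
        group_id=event["group_id"],
        port=int(event["port"]),
        cidr=event["cidr"],
    )
    return {"rule_ids": rule_ids}
```

The duplicate check matters for retries: Lambda may invoke the function more than once for the same event, and a second AuthorizeSecurityGroupIngress with the same port and CIDR returns InvalidPermission.Duplicate rather than a second rule.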




Test Result

Execution result

Test Event Name
MyTest

Response
null

Function Logs
START RequestId: 266304a2-53ce-40f0-8918-7782fb6bb3cc Version: $LATEST
Ingress Successfully Set {'Return': True, 'SecurityGroupRules': [{'SecurityGroupRuleId': 'sgr-063e134cb604a00a2', 'GroupId': 'sg-056a6d3af28d29d47', 'GroupOwnerId': '102832830373', 'IsEgress': False, 'IpProtocol': 'tcp', 'FromPort': 80, 'ToPort': 80, 'CidrIpv4': '0.0.0.0/0'}], 'ResponseMetadata': {'RequestId': '58ea616d-28bb-4d65-b544-d61ff7834a33', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': '58ea616d-28bb-4d65-b544-d61ff7834a33', 'cache-control': 'no-cache, no-store', 'strict-transport-security': 'max-age=31536000; includeSubDomains', 'content-type': 'text/xml;charset=UTF-8', 'content-length': '719', 'date': 'Sun, 10 Mar 2024 02:11:17 GMT', 'server': 'AmazonEC2'}, 'RetryAttempts': 0}}
END RequestId: 266304a2-53ce-40f0-8918-7782fb6bb3cc
REPORT RequestId: 266304a2-53ce-40f0-8918-7782fb6bb3cc	Duration: 3649.45 ms	Billed Duration: 3650 ms	Memory Size: 128 MB	Max Memory Used: 89 MB	Init Duration: 324.16 ms

Request ID
266304a2-53ce-40f0-8918-7782fb6bb3cc

Confirm the security group rule: the response above shows rule sgr-063e134cb604a00a2 on sg-056a6d3af28d29d47 allowing TCP port 80 from 0.0.0.0/0. Note that 0.0.0.0/0 exposes the port to the whole internet; pass a narrower CIDR if the service is not meant to be public.



Follow-up question

If the Lambda function also needs to revoke (remove) a security group rule, its execution role must be granted ec2:RevokeSecurityGroupIngress as well, again scoped to the security group ARN. Template:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:RevokeSecurityGroupIngress",
            "Resource": "arn:aws:ec2:region:account-id:security-group/sg-xxxxxxxx"
        }
    ]
}

Concrete example:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:RevokeSecurityGroupIngress",
            "Resource": "arn:aws:ec2:us-east-1:102832830373:security-group/sg-056a6d3af28d29d47"
        }
    ]
}
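To tie the How-To and this follow-up together, the following added example (not code from the original post) generates the least-privilege policy for the execution role, with revoke as an opt-in, and includes a small evaluator that reproduces why the first invocation failed: a request matched by no Allow statement is an implicit deny, which is exactly the "no identity-based policy allows ..." wording in the error. The evaluator is a deliberately simplified model of IAM (wildcards in Action and Resource, explicit Deny beating Allow) and ignores Condition blocks, NotAction, permission boundaries, SCPs and resource-based policies; the account, region and group id are the ones from the post.

```python
import fnmatch
import json

ACCOUNT_ID = "102832830373"  # values taken from the post
REGION = "us-east-1"
GROUP_ID = "sg-056a6d3af28d29d47"


def sg_arn(region, account_id, group_id):
    """ARN form accepted as Resource by ec2:AuthorizeSecurityGroupIngress and ec2:RevokeSecurityGroupIngress."""
    return f"arn:aws:ec2:{region}:{account_id}:security-group/{group_id}"


def build_sg_rule_policy(region, account_id, group_id, allow_revoke=False):
    """Inline policy for the execution role, limited to one security group.

    Adding rules is always allowed; revoking only when requested, so a function
    that only adds rules cannot also delete them.
    """
    actions = ["ec2:AuthorizeSecurityGroupIngress"]
    if allow_revoke:
        actions.append("ec2:RevokeSecurityGroupIngress")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ManageRulesOnOneSecurityGroup",
                "Effect": "Allow",
                "Action": actions,
                "Resource": sg_arn(region, account_id, group_id),
            }
        ],
    }


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def evaluate(policy, action, resource):
    """Simplified identity-based policy evaluation.

    Returns "allow", "explicit-deny" or "implicit-deny". Actions match
    case-insensitively using IAM's * and ? wildcards; resources match
    case-sensitively. Conditions and other policy types are not modelled.
    """
    decision = "implicit-deny"
    for statement in policy.get("Statement", []):
        action_ok = any(
            fnmatch.fnmatchcase(action.lower(), pattern.lower())
            for pattern in _as_list(statement.get("Action"))
        )
        resource_ok = any(
            fnmatch.fnmatchcase(resource, pattern)
            for pattern in _as_list(statement.get("Resource"))
        )
        if not (action_ok and resource_ok):
            continue
        if statement.get("Effect") == "Deny":
            return "explicit-deny"  # an explicit Deny overrides any Allow
        decision = "allow"
    return decision


if __name__ == "__main__":
    target = sg_arn(REGION, ACCOUNT_ID, GROUP_ID)
    before = {"Version": "2012-10-17", "Statement": []}  # role before the fix
    after = build_sg_rule_policy(REGION, ACCOUNT_ID, GROUP_ID)
    print(json.dumps(after, indent=4))
    print("before fix:", evaluate(before, "ec2:AuthorizeSecurityGroupIngress", target))
    print("after fix: ", evaluate(after, "ec2:AuthorizeSecurityGroupIngress", target))
    print("revoke:    ", evaluate(after, "ec2:RevokeSecurityGroupIngress", target))
```

Running the module prints the policy JSON followed by implicit-deny, allow and implicit-deny: the fix allows adding rules on this one group and nothing else, and revoke stays denied until it is granted explicitly.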