Managed security groups are security groups that are created in managed mode. These security groups are used to ensure the availability of cloud services and prevent unexpected operations on resources. When you use cloud services that require security groups, security groups are created in managed mode for the cloud services. This topic describes managed security groups and their related permissions.

Background information

A security group in managed mode is a managed security group. The managed mode controls the operation permissions on security groups for some cloud services, such as Cloud Firewall and NAT Gateway. Managed security groups are managed by the cloud service systems that created them: you can view a managed security group, but you cannot modify it. The following rules apply to managed security groups.
Note Alibaba Cloud services use Security Token Service (STS) to grant permissions to RAM roles of your account to create managed security groups. For more information, see What is STS?.
  • In a cloud service console, you cannot perform operations on managed security groups but can view their information.
  • When you use OpenAPI to access managed security groups, you can call only query operations. If you call a management operation on a managed security group, an error message that contains the InvalidOperation.ResourceManagedByCloudProduct error code is returned. The error message indicates that the security group is managed by a cloud service system and that you cannot perform operations on it. For more information, see Permissions on API operations related to managed security groups.

You can call the DescribeSecurityGroups operation and view the ServiceManaged and ServiceID parameters in the response to check whether a security group is a managed security group.

Permissions on API operations related to managed security groups

API operation | Description | Can be performed by your Alibaba Cloud account | Can be performed by the cloud service system for which the managed security group is created
AuthorizeSecurityGroup | Adds an inbound rule to a security group; controls inbound access to a managed security group. | No | Yes
AuthorizeSecurityGroupEgress | Adds an outbound rule to a security group; controls outbound access from a managed security group. | No | Yes
RevokeSecurityGroup | Deletes an inbound rule from a security group. | No | Yes
RevokeSecurityGroupEgress | Deletes an outbound rule from a security group. | No | Yes
JoinSecurityGroup | Adds a resource to a security group. | No | Yes
LeaveSecurityGroup | Removes a resource from a security group. | No | Yes
DeleteSecurityGroup | Deletes a security group. | No | Yes
ModifySecurityGroupAttribute | Modifies a security group. | No | Yes
ModifySecurityGroupRule | Modifies the description of an inbound security group rule. | No | Yes
ModifySecurityGroupEgressRule | Modifies the description of an outbound security group rule. | No | Yes
ModifySecurityGroupPolicy | Modifies a security group policy. | No | Yes
DescribeSecurityGroupAttribute | Queries security group rules. | Yes | Yes
DescribeSecurityGroups | Queries security groups. | Yes | Yes
DescribeSecurityGroupReferences | Queries whether a security group is referenced by other security groups. | Yes | Yes
CreateNetworkInterface | Creates an elastic network interface (ENI). | No | Yes
ModifyNetworkInterfaceAttribute | Modifies an ENI. | No | Yes
RunInstances | Creates one or more instances. | No | Yes
CreateInstance | Creates an instance. | No | Yes
ModifyInstanceAttribute | Modifies the security group to which an instance belongs. | No | Yes
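The following added example (not code from the Alibaba Cloud documentation or SDK) shows how automation can use the ServiceManaged and ServiceID fields of a DescribeSecurityGroups response, together with the permission table above, to skip operations that your account cannot perform on managed security groups, and how to recognize the InvalidOperation.ResourceManagedByCloudProduct error code when such a call is made anyway. The response and error-response shapes, the sample security group IDs and the ServiceID values are constructed assumptions.

```python
import json

# Operations that your own Alibaba Cloud account may call on a managed security
# group, per the permission table in this topic (the cloud service system may call all).
ACCOUNT_ALLOWED_ON_MANAGED = {
    "DescribeSecurityGroupAttribute",
    "DescribeSecurityGroups",
    "DescribeSecurityGroupReferences",
}
MANAGED_ERROR_CODE = "InvalidOperation.ResourceManagedByCloudProduct"

# Constructed sample response. The nesting (SecurityGroups.SecurityGroup[]) and the
# ServiceManaged / ServiceID field types are assumed for this example.
SAMPLE_RESPONSE = json.dumps({
    "SecurityGroups": {"SecurityGroup": [
        {"SecurityGroupId": "sg-example-managed", "ServiceManaged": True, "ServiceID": 1234},
        {"SecurityGroupId": "sg-example-own", "ServiceManaged": False, "ServiceID": 0},
    ]}
})


def managed_group_ids(response_json):
    """Return {SecurityGroupId: ServiceID} for every managed security group in the response."""
    body = json.loads(response_json)
    groups = body.get("SecurityGroups", {}).get("SecurityGroup", [])
    return {g["SecurityGroupId"]: g.get("ServiceID") for g in groups if g.get("ServiceManaged")}


def plan_operations(response_json, requested):
    """Split (api_operation, security_group_id) pairs into those your account may run
    and those that would be rejected because the group is managed."""
    managed = managed_group_ids(response_json)
    allowed, blocked = [], []
    for api, sg_id in requested:
        if sg_id in managed and api not in ACCOUNT_ALLOWED_ON_MANAGED:
            blocked.append((api, sg_id, managed[sg_id]))  # keep the owning ServiceID
        else:
            allowed.append((api, sg_id))
    return allowed, blocked


def is_managed_error(error_response_json):
    """True when an API error body (assumed to carry a top-level "Code" field)
    reports that the resource is managed by a cloud service system."""
    return json.loads(error_response_json).get("Code") == MANAGED_ERROR_CODE
```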