Managed security groups are security groups that are created in managed mode. These security groups are used to ensure the availability of cloud services and prevent unexpected operations on resources. When you use cloud services that require security groups, security groups are created in managed mode for the cloud services. This topic describes managed security groups and their related permissions.
Background information
A security group in managed mode is a managed security group. The managed mode is
used to control the operation permissions on security groups for some cloud services
such as Cloud Firewall and NAT Gateway. Managed security groups are managed by cloud
service systems. You can view managed security groups but cannot perform operations
on these security groups. The following descriptions are applicable to managed security
groups.
Note Alibaba Cloud services use Security Token Service (STS) to grant permissions to RAM
roles of your account to create managed security groups. For more information, see
What is STS?.
- In a cloud service console, you cannot perform operations on managed security groups but can view their information.
- When you use OpenAPI to access managed security groups, you can call only query operations.
If you call an operation that is used to manage security groups for a managed security
group, an error message that contains the
InvalidOperation.ResourceManagedByCloudProducterror code is returned. The error message indicates that the security group is managed by a cloud service system and you cannot perform operations on this security group. For more information, see Permissions on API operations related to managed security groups.
You can call the DescribeSecurityGroups operation and view the ServiceManaged and ServiceID parameters in the response to check whether a security group is a managed security
group.
Permissions on API operations related to managed security groups
| API | API operation | Can be performed by your Alibaba Cloud account | Can be performed by the cloud service system for which the managed security group is created |
|---|---|---|---|
| AuthorizeSecurityGroup |
|
No | Yes |
| AuthorizeSecurityGroupEgress |
|
No | Yes |
| RevokeSecurityGroup | Deletes an inbound rule from a security group. | No | Yes |
| RevokeSecurityGroupEgress | Deletes an outbound rule from a security group. | No | Yes |
| JoinSecurityGroup | Adds a resource to a security group. | No | Yes |
| LeaveSecurityGroup | Removes a resource from a security group. | No | Yes |
| DeleteSecurityGroup | Deletes a security group. | No | Yes |
| ModifySecurityGroupAttribute | Modifies a security group. | No | Yes |
| ModifySecurityGroupRule | Modifies the description of an inbound security group rule. | No | Yes |
| ModifySecurityGroupEgressRule | Modifies the description of an outbound security group rule. | No | Yes |
| ModifySecurityGroupPolicy | Modifies a security group policy. | No | Yes |
| DescribeSecurityGroupAttribute | Queries security group rules. | Yes | Yes |
| DescribeSecurityGroups | Queries security groups. | Yes | Yes |
| DescribeSecurityGroupReferences | Queries whether a security group is referenced by other security groups. | Yes | Yes |
| CreateNetworkInterface | Creates an elastic network interface (ENI). | No | Yes |
| ModifyNetworkInterfaceAttribute | Modifies an ENI. | No | Yes |
| RunInstances | Creates one or more instances. | No | Yes |
| CreateInstance | Creates an instance. | No | Yes |
| ModifyInstanceAttribute | Modifies the security group to which an instance belongs. | No | Yes |