Managed security groups are security groups that are created in managed mode. These security groups are used to ensure the availability of cloud services and prevent unexpected operations on resources. When you use cloud services that require security groups, security groups are created in managed mode for the cloud services. This topic describes managed security groups and their related permissions.
Background information
- In a cloud service console, you cannot perform operations on managed security groups but can view their information.
- When you use OpenAPI to access managed security groups, you can call only query operations.
If you call a management operation on a managed security group, an error message that contains the InvalidOperation.ResourceManagedByCloudProduct error code is returned. The error message indicates that the security group is managed by a cloud service system and you cannot perform operations on this security group. For more information, see Permissions on API operations related to managed security groups.
You can call the DescribeSecurityGroups operation and view the ServiceManaged and ServiceID parameters in the response to check whether a security group is a managed security group.
Permissions on API operations related to managed security groups
API operation | Description | Can be performed by your Alibaba Cloud account | Can be performed by the cloud service system for which the managed security group is created |
---|---|---|---|
AuthorizeSecurityGroup | | No | Yes |
AuthorizeSecurityGroupEgress | | No | Yes |
RevokeSecurityGroup | Deletes an inbound rule from a security group. | No | Yes |
RevokeSecurityGroupEgress | Deletes an outbound rule from a security group. | No | Yes |
JoinSecurityGroup | Adds a resource to a security group. | No | Yes |
LeaveSecurityGroup | Removes a resource from a security group. | No | Yes |
DeleteSecurityGroup | Deletes a security group. | No | Yes |
ModifySecurityGroupAttribute | Modifies a security group. | No | Yes |
ModifySecurityGroupRule | Modifies the description of an inbound security group rule. | No | Yes |
ModifySecurityGroupEgressRule | Modifies the description of an outbound security group rule. | No | Yes |
ModifySecurityGroupPolicy | Modifies a security group policy. | No | Yes |
DescribeSecurityGroupAttribute | Queries security group rules. | Yes | Yes |
DescribeSecurityGroups | Queries security groups. | Yes | Yes |
DescribeSecurityGroupReferences | Queries whether a security group is referenced by other security groups. | Yes | Yes |
CreateNetworkInterface | Creates an elastic network interface (ENI). | No | Yes |
ModifyNetworkInterfaceAttribute | Modifies an ENI. | No | Yes |
RunInstances | Creates one or more instances. | No | Yes |
CreateInstance | Creates an instance. | No | Yes |
ModifyInstanceAttribute | Modifies the security group to which an instance belongs. | No | Yes |
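
The following added example (not part of the original documentation or any Alibaba Cloud SDK) shows how an automation or audit script can use the ServiceManaged and ServiceID parameters together with the table above to drop calls that would be rejected. The response envelope (SecurityGroups.SecurityGroup), the SecurityGroupId field, and all sample IDs are assumptions constructed for illustration.

```python
import json

# Query operations the table lists as allowed for your account on managed groups.
QUERY_OPERATIONS = {
    "DescribeSecurityGroupAttribute",
    "DescribeSecurityGroups",
    "DescribeSecurityGroupReferences",
}
MANAGED_ERROR = "InvalidOperation.ResourceManagedByCloudProduct"

# Constructed sample DescribeSecurityGroups response (layout and IDs assumed).
SAMPLE_RESPONSE = json.dumps({
    "SecurityGroups": {"SecurityGroup": [
        {"SecurityGroupId": "sg-example-user", "ServiceManaged": False},
        {"SecurityGroupId": "sg-example-managed", "ServiceManaged": True,
         "ServiceID": 12345},
        {"SecurityGroupId": "sg-example-nofield"},  # flag absent: not managed
    ]}
})


def managed_groups(response_text):
    """Map security group ID -> ServiceID for groups flagged ServiceManaged."""
    body = json.loads(response_text)
    groups = body.get("SecurityGroups", {}).get("SecurityGroup", [])
    return {
        g["SecurityGroupId"]: g.get("ServiceID")
        for g in groups
        if g.get("ServiceManaged") is True
    }


def preflight(planned_calls, managed):
    """Split planned (operation, group_id) calls into allowed and blocked.

    A call is blocked when it targets a managed group and is not a query
    operation, because the API would reject it with MANAGED_ERROR.
    """
    allowed, blocked = [], []
    for operation, group_id in planned_calls:
        if group_id in managed and operation not in QUERY_OPERATIONS:
            blocked.append((operation, group_id, MANAGED_ERROR))
        else:
            allowed.append((operation, group_id))
    return allowed, blocked
```

Running the pre-flight check before a batch change keeps a cleanup or hardening job from failing midway on groups owned by a cloud service, and the blocked list doubles as an inventory of service-managed groups to review read-only.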