AWS IAM Policy: Manage EC2 Security Group Inbound Rules Safely
Published on October 24, 2025
In AWS, Security Groups act as virtual firewalls that control inbound and outbound traffic for EC2 instances.
When managing cloud infrastructure, there are many use cases where a developer or automation system needs to temporarily update inbound rules — for example, opening SSH / RDP access from a specific IP, or allowing an application to connect.
However, giving full EC2 or admin permissions for this small task is risky.
The safer approach is to grant only the exact actions required — and that’s where this IAM policy comes in.
IAM Policy
Here’s the minimal and focused IAM policy that enables managing inbound rules for EC2 Security Groups:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        }
    ]
}
What This Policy Does
This policy allows a user or service to view existing Security Groups and update their inbound rules, nothing more.
- ec2:DescribeSecurityGroups: allows viewing existing Security Groups and their current inbound/outbound rules.
- ec2:AuthorizeSecurityGroupIngress: allows adding (authorizing) new inbound rules, such as opening a port for SSH or HTTPS.
- ec2:RevokeSecurityGroupIngress: allows removing (revoking) existing inbound rules.
That’s it — no permissions to create or delete Security Groups, launch instances, or modify networking resources.
It’s a least-privilege approach tailored for security rule management.
Dynamic IP Whitelisting
If you work from changing public IPs, you can use an automation app such as MyIP Access to update the inbound rule of your Security Group to your current IP.
Example:
- Open port 22 (SSH) for your current IP.
- Remove previous IPs automatically.
- Open custom ports temporarily while testing your application.
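As an added example (not code from the original post or from MyIP Access), here is how an automation job could perform the rotation described above using exactly the three actions the policy grants: describe the group, authorize the current IP on port 22, and revoke only the stale /32 entries the job itself created earlier. The `ec2` client (a boto3 EC2 client created by the caller), the marker description, and the group id are assumptions, and the sample group is constructed; because the policy's `Resource` is `*`, the script deliberately takes one explicit group id rather than iterating over every group in the account.

```python
import ipaddress

PORT = 22
MARKER = "myip-rotate"  # Description stamped on our own rules so we never revoke anyone else's


def plan_rotation(sg, current_ip, port=PORT, marker=MARKER):
    """Return (to_revoke, to_authorize) IpPermissions for one Security Group.
    Only tcp/<port> rules stamped with our marker are revoked; a rule already
    matching the current IP is kept, since AWS rejects a duplicate authorize."""
    wanted = f"{ipaddress.IPv4Address(current_ip)}/32"  # rejects malformed or IPv6 input
    stale, already_present = [], False
    for perm in sg.get("IpPermissions", []):
        if (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")) != ("tcp", port, port):
            continue  # other protocol/port: not our business
        for rng in perm.get("IpRanges", []):
            if rng.get("CidrIp") == wanted:
                already_present = True
            elif rng.get("Description") == marker:
                stale.append(rng["CidrIp"])  # ours, but an old IP
    base = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    to_revoke = [dict(base, IpRanges=[{"CidrIp": c} for c in stale])] if stale else []
    to_authorize = [] if already_present else [
        dict(base, IpRanges=[{"CidrIp": wanted, "Description": marker}])]
    return to_revoke, to_authorize


def rotate(ec2, group_id, current_ip):
    """Apply the plan through a boto3 EC2 client (or any object with the same three
    methods). Authorize before revoke so SSH is never closed to everyone mid-rotation."""
    sg = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    to_revoke, to_authorize = plan_rotation(sg, current_ip)
    if to_authorize:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=to_authorize)
    if to_revoke:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=to_revoke)
    return to_revoke, to_authorize


# Constructed sample of one DescribeSecurityGroups entry (not a real group).
SAMPLE_SG = {"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [
        {"CidrIp": "198.51.100.7/32", "Description": MARKER},       # yesterday's IP: ours, stale
        {"CidrIp": "203.0.113.0/24", "Description": "office VPN"},  # someone else's rule: keep
    ]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
```

With a real client, `rotate(boto3.client("ec2"), "sg-...", my_public_ip)` is the whole job; the "office VPN" range and the 443 rule are never touched.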
Controlled Developer Access
Developers or testers can be allowed to manage ingress rules without having full EC2 privileges.
This helps maintain better governance while keeping operations flexible.
Benefits
- Principle of Least Privilege: Only required actions are allowed.
- Safe for Automation: Ideal for Developers/DevOps/Cloud Platform Engineers and Startups to manage ingress rules.
- Simple & Focused: No exposure to other EC2 operations.
- Easy to Audit: all changes appear clearly in the MyIP Access app logs.
Conclusion
This minimal IAM policy is a perfect example of security through simplicity.
It empowers teams to manage inbound rules efficiently without compromising overall EC2 security.