ModifySecurityGroupPolicy


Modifies the intra-group connectivity policy of a basic security group.

Operation description

  • Advanced security groups do not support modifications to the intra-group connectivity policy. The default policy is internal isolation.

  • You can call DescribeSecurityGroupAttribute to query the current intra-group connectivity policy of a security group.

  • When the intra-group connectivity policy of a security group is set to intra-group connectivity (Accept), custom access rules are ignored and all instances in the security group can reach each other over the internal network by default.

  • When the intra-group connectivity policy of a security group is set to internal isolation (Drop), instances in the security group cannot reach each other over the internal network by default unless access rules are added. You can add security group rules to change this internal network status. For example, you can call AuthorizeSecurityGroup to allow network connectivity between two ECS instances in the security group.


RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

| Action | Access level | Resource type | Condition key | Dependent action |
| --- | --- | --- | --- | --- |
| ecs:ModifySecurityGroupPolicy | update | *SecurityGroup: acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId} | None | None |

Request parameters

| Parameter | Type | Required | Description | Example |
| --- | --- | --- | --- | --- |
| SecurityGroupId | string | Yes | The ID of the security group. | sg-bp67acfmxazb4ph**** |
| RegionId | string | Yes | The region ID of the security group. You can call DescribeRegions to query the most recent region list. | cn-hangzhou |
| InnerAccessPolicy | string | Yes | The internal connectivity policy between ECS instances in the security group. Valid values: Accept (intra-group connectivity) and Drop (internal isolation). Note: the value is case-insensitive. | Drop |
| ClientToken | string | No | The client token that is used to ensure the idempotence of the request. The token is generated by the client and must be unique across requests. The ClientToken value can contain only ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence. | 123e4567-e89b-12d3-a456-426655440000 |
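The following is an added example, not code from Alibaba Cloud's SDK or from this reference. It covers both the RAM authorization table above and the request parameters: it validates the parameters client-side (canonical Accept/Drop from case-insensitive input, a 1-64 character ASCII ClientToken), assembles and signs the ModifySecurityGroupPolicy query, and renders the least-privilege RAM policy that scopes the action to one security group using the ARN format from the table. The endpoint ecs.aliyuncs.com, the API version 2014-05-26 and the RPC-style Signature V1 scheme (HMAC-SHA1 over the sorted, percent-encoded query string, keyed with AccessKeySecret plus "&") are assumptions not stated on this page; all credentials and IDs in the block are constructed placeholders.

```python
"""Added example (not Alibaba Cloud's SDK or documentation code): build and sign a
ModifySecurityGroupPolicy request, and render the least-privilege RAM policy that
allows it. Assumptions not stated on the page: the public endpoint ecs.aliyuncs.com,
API version 2014-05-26, and the RPC-style Signature V1 scheme (HMAC-SHA1 over the
sorted, percent-encoded query string, keyed with AccessKeySecret + "&").
All credentials and IDs below are constructed placeholders."""
import base64
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timezone
from urllib.parse import quote, urlencode

ENDPOINT = "https://ecs.aliyuncs.com/"  # assumption: public ECS RPC endpoint
API_VERSION = "2014-05-26"               # assumption: ECS API version

# Documented valid values; the page states the input is case-insensitive.
_POLICIES = {"accept": "Accept", "drop": "Drop"}


def normalize_inner_access_policy(value: str) -> str:
    """Return the canonical 'Accept' or 'Drop'; reject anything else before sending
    (the service would otherwise answer 400 InvalidPolicy.Malformed)."""
    canonical = _POLICIES.get(value.strip().lower())
    if canonical is None:
        raise ValueError("InnerAccessPolicy must be 'Accept' or 'Drop' (case-insensitive)")
    return canonical


def validate_client_token(token: str) -> str:
    """ClientToken: 1-64 ASCII characters, unique per logical request."""
    if not token or len(token) > 64 or not token.isascii():
        raise ValueError("ClientToken must be 1-64 ASCII characters")
    return token


def _percent_encode(value: str) -> str:
    # RFC 3986 encoding: only A-Z a-z 0-9 - _ . ~ stay unencoded (space -> %20, * -> %2A).
    return quote(str(value), safe="-_.~")


def sign_request(params: dict, access_key_secret: str, http_method: str = "GET") -> str:
    """Signature V1 (assumed scheme): base64(HMAC-SHA1(secret + '&',
    'METHOD&%2F&<percent-encoded canonical query>'))."""
    canonical = "&".join(
        f"{_percent_encode(k)}={_percent_encode(v)}" for k, v in sorted(params.items())
    )
    string_to_sign = f"{http_method}&{_percent_encode('/')}&{_percent_encode(canonical)}"
    key = (access_key_secret + "&").encode("utf-8")
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_signed_request(security_group_id, region_id, inner_access_policy,
                         access_key_id, access_key_secret,
                         client_token=None, timestamp=None, nonce=None) -> dict:
    """Assemble the ModifySecurityGroupPolicy query parameters and attach the signature.
    timestamp/nonce may be pinned for reproducible tests; normally leave them None."""
    if not security_group_id or not region_id:
        raise ValueError("SecurityGroupId and RegionId are required")
    params = {
        "Action": "ModifySecurityGroupPolicy",
        "Version": API_VERSION,
        "Format": "JSON",
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "RegionId": region_id,
        "SecurityGroupId": security_group_id,
        "InnerAccessPolicy": normalize_inner_access_policy(inner_access_policy),
        # Reusing the same token on a retry makes the retry idempotent instead of a second change.
        "ClientToken": validate_client_token(client_token or str(uuid.uuid4())),
    }
    params["Signature"] = sign_request(params, access_key_secret)
    return params


def request_url(params: dict) -> str:
    return ENDPOINT + "?" + urlencode(params)


def least_privilege_policy(region_id: str, account_id: str, security_group_id: str) -> dict:
    """RAM policy allowing only this action on one security group, using the ARN format
    from the RAM authorization table with regionId/accountId/securitygroupId filled in."""
    arn = f"acs:ecs:{region_id}:{account_id}:securitygroup/{security_group_id}"
    return {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": "ecs:ModifySecurityGroupPolicy",
                       "Resource": arn}],
    }


if __name__ == "__main__":
    # Constructed placeholder credentials and IDs; nothing is sent over the network.
    req = build_signed_request("sg-bp67acfmxazb4ph****", "cn-hangzhou", "drop",
                               "AKID-PLACEHOLDER", "SECRET-PLACEHOLDER")
    print(request_url(req))
    policy = least_privilege_policy("cn-hangzhou", "123456789012****", "sg-bp67acfmxazb4ph****")
    print(json.dumps(policy, indent=2))
```

Setting InnerAccessPolicy to Drop is the isolating choice: instances in the group only reach each other through rules you add explicitly, which is why the request is normalized and signed here rather than sent as free-form text. Pinning ClientToken on retries keeps a timed-out call from being applied twice.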

Response elements

| Element | Type | Description | Example |
| --- | --- | --- | --- |
|  | object |  |  |
| RequestId | string | The request ID. | CEF72CEB-54B6-4AE8-B225-F876FF7BA984 |

Examples

Success response

JSON format

{
  "RequestId": "CEF72CEB-54B6-4AE8-B225-F876FF7BA984"
}

Error codes

| HTTP status code | Error code | Error message | Description |
| --- | --- | --- | --- |
| 400 | MissingParamter.RegionId | The RegionId should not be null. |  |
| 400 | InvalidSecurityGroupId.Malformed | The SecurityGroupId is invalid. Only letters, numbers and underscores are supported. Maximum length is 100 characters. | The specified SecurityGroupId parameter is invalid. The value can be up to 100 characters in length and can contain only letters, digits, and underscores (_). |
| 400 | InvalidPolicy.Malformed | The Policy is invalid. Only 'Accept' and 'Drop' are supported. Ignore case. |  |
| 403 | InvalidOperation.ResourceManagedByCloudProduct | %s | You cannot modify security groups managed by cloud services. |
| 404 | InvalidSecurityGroupId.NotFound | The specified SecurityGroupId does not exist. | The specified security group does not exist in this account. Check whether the security group ID is correct. |
| 404 | InvalidParameter.InnerAccessPolicy | The InnerAccessPolicy attribute of enterprise level security group can't be modified. |  |

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.