Managed security groups

更新时间:
复制 MD 格式

Managed security groups are created by cloud service systems to ensure service availability. In scenarios where cloud resources are shared among multiple users and teams, managed security groups can prevent failures or security risks caused by user misoperation. This enhances the overall stability and security of cloud services. This topic describes managed security groups and the permissions on related API operations.

Background information

A security group created in managed mode is a managed security group. This mode is designed to resolve premission control issues for operations on security groups in cloud services, such as Network Load Balancer (NLB) and Secure Access Service Edge (SASE). Managed security groups are managed by cloud service systems. You can view managed security groups but cannot perform operations on them. The following section describes managed security groups.

Note

Alibaba Cloud services use Security Token Service (STS) to grant permissions to Resource Access Management (RAM) roles of your account to create managed security groups. For information about STS, see What is Security Token Service (STS)?

  • In a cloud service console, you cannot perform operations on managed security groups but can view information about these security groups.

  • Via OpenAPI: You can only call query APIs. If you attempt to modify a managed security group via an API call, the request fails and returns the error code InvalidOperation.ResourceManagedByCloudProduct. This error indicates that the security group is managed by a cloud service and cannot be modified. For more information about permissions, see OpenAPI permissions for managed security groups.

You can identify a security group as managed if a call to the DescribeSecurityGroups operation returns True for the ServiceManaged parameter, or if the console displays a message like Security groups managed by cloud products do not support modification operations..

Permissions on API operations related to managed security groups

In the following table, × indicates that an operation is not supported and √ indicates that an operation is supported.

API operation

Description

Can be called by an Alibaba Cloud account

Can be called by the cloud service system that creates a managed security group

AuthorizeSecurityGroup

  • Adds an inbound rule to a security group.

  • Adds an inbound rule that references a managed security group as the authorization object.

×

AuthorizeSecurityGroupEgress

  • Adds an outbound rule to a security group.

  • Adds an outbound rule that references a managed security group as the autorization object.

×

RevokeSecurityGroup

Deletes an inbound rule from a security group.

×

RevokeSecurityGroupEgress

Deletes an outbound rule from a security group.

×

JoinSecurityGroup

Adds a resource to a security group.

×

LeaveSecurityGroup

Removes a resource from a security group.

×

DeleteSecurityGroup

Deletes a security group.

×

ModifySecurityGroupAttribute

Modifies a security group.

×

ModifySecurityGroupRule

Modifies an inbound rule of a security group.

×

ModifySecurityGroupEgressRule

Modifies an outbound rule of a security group.

×

ModifySecurityGroupPolicy

Modifies the internal access control policy of a basic security group.

×

DescribeSecurityGroupAttribute

Queries security group rules.

DescribeSecurityGroups

Queries security groups.

DescribeSecurityGroupReferences

Queries the security groups whose rules reference security groups as authorization objects.

CreateNetworkInterface

Creates an elastic network interface (ENI).

×

ModifyNetworkInterfaceAttribute

Modifies an ENI.

×

RunInstances

Creates multiple instances at a time.

×

CreateInstance

Creates an instance.

×

ModifyInstanceAttribute

Modifies the security groups to which an instance belongs.

×