Managed security groups are created in managed mode. When you use cloud services that require security groups, managed security groups are created to ensure the availability of those cloud services. When cloud resources are shared among multiple users and teams, managed security groups prevent the failures or security risks that a user's misoperation could cause, which improves the overall stability and security of the cloud services. This topic describes managed security groups and the related permissions on API operations to help you understand and manage managed security groups.
Background information
A security group that is created in managed mode is a managed security group. The managed mode is used to control the operation permissions on security groups for specific cloud services, such as Cloud Firewall and NAT Gateway. Managed security groups are managed by cloud service systems. You can view managed security groups but cannot perform operations on them. The following points describe managed security groups in more detail:
Alibaba Cloud services use Security Token Service (STS) to grant permissions to Resource Access Management (RAM) roles of your account to create managed security groups. For information about STS, see What is STS?
In a cloud service console, you cannot perform operations on managed security groups but can view information about these security groups.
When you use OpenAPI to access managed security groups, you can call only query operations. If you call an operation that is used to manage security groups on a managed security group, an error message that contains the InvalidOperation.ResourceManagedByCloudProduct error code is returned. The error message indicates that the security group is managed by a cloud service system and you cannot perform operations on this security group. For more information, see the Permissions on API operations related to managed security groups section in this topic.
You can call the DescribeSecurityGroups operation and view the ServiceManaged and ServiceID parameters in the response to check whether a security group is a managed security group.
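As an added example that is not part of the Alibaba Cloud documentation, the following Python helper reads a DescribeSecurityGroups response, separates managed security groups (ServiceManaged set) from the groups your account can modify, and recognizes the InvalidOperation.ResourceManagedByCloudProduct error code. The response layout (SecurityGroups.SecurityGroup[] with ServiceManaged and ServiceID per entry), the sample group IDs and the ServiceID values are constructed assumptions.

```python
import json

# Error code the documentation describes for modify operations on a managed group.
MANAGED_BY_CLOUD_PRODUCT = "InvalidOperation.ResourceManagedByCloudProduct"

# Constructed sample response. The layout (SecurityGroups.SecurityGroup[] with
# ServiceManaged and ServiceID on each entry) and all values are assumptions.
SAMPLE_RESPONSE = json.dumps({
    "SecurityGroups": {"SecurityGroup": [
        {"SecurityGroupId": "sg-example-user", "SecurityGroupName": "web-tier",
         "ServiceManaged": False, "ServiceID": 0},
        {"SecurityGroupId": "sg-example-cfw", "SecurityGroupName": "cloud-firewall",
         "ServiceManaged": True, "ServiceID": 11111},
        {"SecurityGroupId": "sg-example-nat", "SecurityGroupName": "nat-gateway",
         "ServiceManaged": True, "ServiceID": 22222},
    ]}
})


def split_by_managed(response_json):
    """Return (editable_ids, managed) where managed maps group ID -> ServiceID.

    Groups with ServiceManaged set are owned by a cloud service system; your
    account can only query them, so keep them out of any modify call.
    """
    groups = json.loads(response_json)["SecurityGroups"]["SecurityGroup"]
    editable, managed = [], {}
    for sg in groups:
        if bool(sg.get("ServiceManaged")):
            managed[sg["SecurityGroupId"]] = sg.get("ServiceID")
        else:
            editable.append(sg["SecurityGroupId"])
    return editable, managed


def is_managed_resource_error(error_body):
    """True if an API error body (dict with a Code field) reports a managed group."""
    return error_body.get("Code") == MANAGED_BY_CLOUD_PRODUCT


def plan_rule_change(response_json, target_ids):
    """Keep only targets this account may modify; report skipped ones with ServiceID."""
    editable, managed = split_by_managed(response_json)
    allowed = [sg for sg in target_ids if sg in editable]
    skipped = {sg: managed[sg] for sg in target_ids if sg in managed}
    return allowed, skipped


if __name__ == "__main__":
    print(plan_rule_change(SAMPLE_RESPONSE, ["sg-example-user", "sg-example-cfw"]))
```

Running the pre-flight check before an AuthorizeSecurityGroup-style call avoids a failed request; checking the Code field afterwards distinguishes a managed-group refusal from other errors.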
Permissions on API operations related to managed security groups
| API operation | Can be performed by your Alibaba Cloud account | Can be performed by the cloud service system for which the managed security group is created |
| --- | --- | --- |
| | No | Yes |
| | No | Yes |
| Deletes an inbound rule from a security group. | No | Yes |
| Deletes an outbound rule from a security group. | No | Yes |
| Adds a resource to a security group. | No | Yes |
| Removes a resource from a security group. | No | Yes |
| Deletes a security group. | No | Yes |
| Modifies a security group. | No | Yes |
| Modifies the description of an inbound security group rule. | No | Yes |
| Modifies the description of an outbound security group rule. | No | Yes |
| Modifies a security group policy. | No | Yes |
| Queries security group rules. | Yes | Yes |
| Queries security groups. | Yes | Yes |
| Queries whether a security group is referenced by other security groups. | Yes | Yes |
| Creates an elastic network interface (ENI). | No | Yes |
| Modifies an ENI. | No | Yes |
| Creates one or more instances. | No | Yes |
| Creates an instance. | No | Yes |
| Modifies the security group to which an instance belongs. | No | Yes |
References
Cloud Firewall of Alibaba Cloud provides software as a service (SaaS) firewalls in the public cloud to allow you to manage north-south traffic and east-west traffic in a centralized manner. You can use features such as traffic monitoring, fine-grained access control, and real-time intrusion prevention to comprehensively protect your network boundaries. For more information, see What is Cloud Firewall?
NAT Gateway is a NAT service that provides the DNAT and SNAT features. For more information, see What is NAT Gateway?