All Products
Search
Document Center

:Managed security group

Last Updated:May 14, 2024

Managed security groups are created in managed mode. When you use cloud services that require security groups, managed security groups are created to ensure the availability of cloud services. In a scenario where cloud resources are shared among multiple users and teams, managed security groups can prevent failures or security risks caused by user misoperation. This helps enhance the overall stability and security of cloud services. This topic describes managed security groups and related permissions on API operations to help you learn about and manage managed security groups.

Background information

A security group that is created in managed mode is a managed security group. The managed mode is used to control the operation permissions on security groups for specific cloud services such as Cloud Firewall and NAT Gateway. Managed security groups are managed by cloud service systems. You can view managed security groups but cannot perform operations on these security groups. The following section provides more details of managed security groups:

Note

Alibaba Cloud services use Security Token Service (STS) to grant permissions to Resource Access Management (RAM) roles of your account to create managed security groups. For information about STS, see What is STS?

  • In a cloud service console, you cannot perform operations on managed security groups but can view information about these security groups.

  • When you use OpenAPI to access managed security groups, you can call only query operations. If you call an operation that is used to manage security groups for a managed security group, an error message that contains the InvalidOperation.ResourceManagedByCloudProduct error code is returned. The error message indicates that the security group is managed by a cloud service system and you cannot perform operations on this security group. For more information, see the Permissions on API operations related to managed security groups section in this topic.

You can call the DescribeSecurityGroups operation and view the ServiceManaged and ServiceID parameters in the response to check whether a security group is a managed security group.

Permissions on API operations related to managed security groups

API

API operation

Can be performed by your Alibaba Cloud account

Can be performed by the cloud service system for which the managed security group is created

AuthorizeSecurityGroup

  • Adds an inbound rule to a security group.

  • Controls inbound access to a managed security group.

No

Yes

AuthorizeSecurityGroupEgress

  • Adds an outbound rule to a security group.

  • Controls outbound access from a managed security group.

No

Yes

RevokeSecurityGroup

Deletes an inbound rule from a security group.

No

Yes

RevokeSecurityGroupEgress

Deletes an outbound rule from a security group.

No

Yes

JoinSecurityGroup

Adds a resource to a security group.

No

Yes

LeaveSecurityGroup

Removes a resource from a security group.

No

Yes

DeleteSecurityGroup

Deletes a security group.

No

Yes

ModifySecurityGroupAttribute

Modifies a security group.

No

Yes

ModifySecurityGroupRule

Modifies the description of an inbound security group rule.

No

Yes

ModifySecurityGroupEgressRule

Modifies the description of an outbound security group rule.

No

Yes

ModifySecurityGroupPolicy

Modifies a security group policy.

No

Yes

DescribeSecurityGroupAttribute

Queries security group rules.

Yes

Yes

DescribeSecurityGroups

Queries security groups.

Yes

Yes

DescribeSecurityGroupReferences

Queries whether a security group is referenced by other security groups.

Yes

Yes

CreateNetworkInterface

Creates an elastic network interface (ENI).

No

Yes

ModifyNetworkInterfaceAttribute

Modifies an ENI.

No

Yes

RunInstances

Creates one or more instances.

No

Yes

CreateInstance

Creates an instance.

No

Yes

ModifyInstanceAttribute

Modifies the security group to which an instance belongs.

No

Yes

References

  • Cloud Firewall of Alibaba Cloud provides software as a service (SaaS) firewalls in the public cloud to allow you to manage north-south traffic and east-west traffic in a centralized manner. You can use features such as traffic monitoring, fine-grained access control, and real-time intrusion prevention to comprehensively protect your network boundaries. For more information, see What is Cloud Firewall?

  • NAT Gateway is a NAT service that provides the DNAT and SNAT features. For more information, see What is NAT Gateway?