
I am following the AWS documentation and created the 3 security groups needed:

  1. master
  2. core
  3. task

Now I am creating the cluster and it fails, saying:

Terminated with errors: Amazon EC2 permissions error when configuring required rules on securityGroup XXXXX.

What IAM permissions or other permissions do I need to achieve this?

Also, how does an AWS service add rules to the SG dynamically? What permission does it need to achieve this? Can it be made more restrictive, like IAM role/resource access?

Thanks,

1 Answer


If the service needs to modify security group rules, it must have the following permissions for the respective security groups:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeSecurityGroups",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": [
                "1st-security-group-arn",
                "2nd-security-group-arn",
                ...
            ]
        }
    ]
}

Note: Depending on what you're trying to do, it might also need "ec2:CreateSecurityGroup" and "ec2:DeleteSecurityGroup".

You can find the default permissions for the Amazon EMR Service Role in the documentation.
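A worked check for the answer above, added here as an example and not part of the original post or of any AWS tooling: it builds the minimal policy for a given list of security-group ARNs and runs a small offline IAM evaluator over a candidate policy to report which of the (action, resource) pairs the service needs are not granted. The evaluator is a simplification (explicit Deny wins, then any matching Allow; only Action and Resource with IAM wildcards, no Condition or NotAction). The ARNs, the `TOO_NARROW` policy and the function names are constructed for the example. It also encodes one caveat the original policy fragment misses: EC2 `Describe*` actions do not support resource-level permissions, so `ec2:DescribeSecurityGroups` must be allowed on `"*"` or the call is denied.

```python
import fnmatch
import json

# EC2 actions the service needs on the cluster's security groups (from the answer above).
SG_RULE_ACTIONS = [
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupEgress",
]
# EC2 Describe* actions do not support resource-level permissions: they must be granted on "*".
DESCRIBE_ACTIONS = ["ec2:DescribeSecurityGroups"]

# Constructed sample ARNs for the three EMR security groups (master, core, task).
SG_ARNS = [
    "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0a1b2c3d4e5f60001",
    "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0a1b2c3d4e5f60002",
    "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0a1b2c3d4e5f60003",
]

# Constructed example of the common mistake: Describe restricted to the SG ARNs.
TOO_NARROW = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": DESCRIBE_ACTIONS + SG_RULE_ACTIONS, "Resource": SG_ARNS}
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    """IAM wildcard matching: '*' matches any run of characters, '?' a single one."""
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(_match(a, action) for a in actions):
            continue
        if not any(_match(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_permissions(policy, sg_arns):
    """Return the (action, resource) pairs the service needs that the policy does not grant."""
    missing = []
    for action in DESCRIBE_ACTIONS:
        # Describe must be allowed on "*"; an SG ARN in Resource never matches "*" here.
        if not is_allowed(policy, action, "*"):
            missing.append((action, "*"))
    for arn in sg_arns:
        for action in SG_RULE_ACTIONS:
            if not is_allowed(policy, action, arn):
                missing.append((action, arn))
    return missing


def minimal_policy(sg_arns):
    """Least-privilege policy: Describe on "*", rule changes only on the listed groups."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": DESCRIBE_ACTIONS, "Resource": "*"},
            {"Effect": "Allow", "Action": SG_RULE_ACTIONS, "Resource": list(sg_arns)},
        ],
    }


if __name__ == "__main__":
    print("too-narrow policy is missing:", missing_permissions(TOO_NARROW, SG_ARNS))
    print(json.dumps(minimal_policy(SG_ARNS), indent=2))
```

The offline evaluator is only a sanity check on the document's shape; the authoritative answer for a real role comes from the IAM policy simulator, e.g. `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names ec2:AuthorizeSecurityGroupIngress --resource-arns <sg-arn>`, which accounts for conditions, permission boundaries and SCPs that this example ignores.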