Managed security groups are created by cloud service systems to ensure service availability. In scenarios where cloud resources are shared among multiple users and teams, managed security groups can prevent failures or security risks caused by user misoperation. This enhances the overall stability and security of cloud services. This topic describes managed security groups and the permissions on related API operations.
Background information
A security group created in managed mode is a managed security group. This mode is designed to resolve permission control issues for operations on security groups in cloud services, such as Network Load Balancer (NLB) and Secure Access Service Edge (SASE). Managed security groups are managed by cloud service systems. You can view managed security groups but cannot perform operations on them. The following section describes managed security groups.
Alibaba Cloud services use Security Token Service (STS) to grant permissions to Resource Access Management (RAM) roles of your account to create managed security groups. For information about STS, see What is STS?
In a cloud service console, you cannot perform operations on managed security groups but can view information about these security groups.
You can call only query API operations to access managed security groups. If you call an API operation to perform operations on a managed security group, an error message appears with the InvalidOperation.ResourceManagedByCloudProduct error code. The error message indicates that the security group is managed by a cloud service system and you cannot perform operations on the security group. For information about the permissions, see the Permissions on API operations related to managed security groups section of this topic.
You can call the DescribeSecurityGroups operation to check whether the ServiceManaged parameter value of a security group is True. You can also check whether an error message similar to "You cannot modify security groups managed by cloud services" is displayed in the service console. If yes, the security group is a managed security group.
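The following script is an added example, not code from the original page or from Alibaba Cloud: it triages a DescribeSecurityGroups response by the ServiceManaged flag, skips mutating calls against managed groups before they are sent, and maps the InvalidOperation.ResourceManagedByCloudProduct error code to a clear diagnosis. The response layout (SecurityGroups.SecurityGroup[] with SecurityGroupId and ServiceManaged) and the sample values are assumptions constructed for the example.

```python
"""Triage Alibaba Cloud security groups by their ServiceManaged flag.

Added example. The response layout below follows the DescribeSecurityGroups
API as assumed here; all sample values are constructed, not real data.
"""
import json

# Error code documented for mutating calls on a managed security group.
MANAGED_ERROR_CODE = "InvalidOperation.ResourceManagedByCloudProduct"

# Mutating operation classes from the permissions table: none of them can be
# called on a managed group with an Alibaba Cloud account identity.
MUTATING_OPERATIONS = {"delete", "modify", "modify_rule", "join", "leave"}

# Constructed sample of a DescribeSecurityGroups response body.
SAMPLE_RESPONSE = json.dumps({
    "SecurityGroups": {"SecurityGroup": [
        {"SecurityGroupId": "sg-example-nlb-1", "ServiceManaged": True},
        {"SecurityGroupId": "sg-example-web", "ServiceManaged": False},
    ]}
})


def split_managed(raw_response: str) -> tuple[list[str], list[str]]:
    """Return (managed_ids, unmanaged_ids) from a DescribeSecurityGroups body."""
    groups = json.loads(raw_response)["SecurityGroups"]["SecurityGroup"]
    managed = [g["SecurityGroupId"] for g in groups if g.get("ServiceManaged")]
    unmanaged = [g["SecurityGroupId"] for g in groups if not g.get("ServiceManaged")]
    return managed, unmanaged


def plan_operation(op: str, group_id: str, managed_ids: set[str]) -> str:
    """Pre-flight check: 'skip' a mutating call on a managed group, else 'allow'.

    Query operations are allowed on every group, so they always pass.
    """
    if op in MUTATING_OPERATIONS and group_id in managed_ids:
        return "skip"
    return "allow"


def explain_error(error_code: str) -> str:
    """Turn the documented error code into an actionable message for operators."""
    if error_code == MANAGED_ERROR_CODE:
        return ("security group is managed by a cloud service; adjust the owning "
                "service's configuration instead of editing the group directly")
    return "unhandled error code: " + error_code
```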
Permissions on API operations related to managed security groups
In the following table, × indicates that an operation is not supported and √ indicates that an operation is supported.
| API operation | Description | Can be called by an Alibaba Cloud account | Can be called by the cloud service system that creates a managed security group |
| --- | --- | --- | --- |
| | | × | √ |
| | | × | √ |
| | Deletes an inbound rule from a security group. | × | √ |
| | Deletes an outbound rule from a security group. | × | √ |
| | Adds a resource to a security group. | × | √ |
| | Removes a resource from a security group. | × | √ |
| | Deletes a security group. | × | √ |
| | Modifies a security group. | × | √ |
| | Modifies an inbound rule of a security group. | × | √ |
| | Modifies an outbound rule of a security group. | × | √ |
| | Modifies the internal access control policy of a basic security group. | × | √ |
| | Queries security group rules. | √ | √ |
| | Queries security groups. | √ | √ |
| | Queries the security groups whose rules reference security groups as authorization objects. | √ | √ |
| | Creates an elastic network interface (ENI). | × | √ |
| | Modifies an ENI. | × | √ |
| | Creates multiple instances at a time. | × | √ |
| | Creates an instance. | × | √ |
| | Modifies the security groups to which an instance belongs. | × | √ |