AWS IAM Policy
This page is only visible to organization administrators.
EntryGuard requires specific AWS IAM permissions to manage Security Group ingress rules. EntryGuard includes a built-in IAM Policy Generator that creates the exact policy you need based on your configured resources.
Using the IAM Policy Generator
Navigate to IAM Policy under the Admin section in the sidebar.
The page shows:
- Included Resources — A list of all AWS resources you've configured in EntryGuard, showing their resource type, name, and identifier (e.g., "Security Group — Production DB (sg-0abc123)")
- Generated Policy — The IAM policy JSON tailored to your specific resources
Click Copy to copy the policy to your clipboard, then apply it to your AWS IAM user.
If you see "No AWS resources configured", add resources on the Resources page first, then return here.
Minimum Required Permissions
| Permission | Purpose |
|---|---|
ec2:AuthorizeSecurityGroupIngress | Add IP whitelisting rules |
ec2:RevokeSecurityGroupIngress | Remove IP rules when sessions expire |
ec2:DescribeSecurityGroups | Verify Security Groups exist |
sts:GetCallerIdentity | Verify credentials during setup |
Setting Up the IAM User in AWS
1. Create IAM User
- Sign in to the AWS IAM Console
- Navigate to Users → Add users
- Enter username:
entryguard-service - Select Access key - Programmatic access
- Click Next: Permissions
2. Attach Policy
- Select Attach existing policies directly
- Click Create policy
- Switch to the JSON tab
- Paste the policy from EntryGuard's IAM Policy Generator page
- Click Next: Tags → Next: Review
- Name the policy:
EntryGuardSecurityGroupAccess - Click Create policy
- Go back and select the newly created policy
- Click Next: Tags → Next: Review → Create user
3. Save Credentials
- Copy the Access key ID
- Click Show and copy the Secret access key
- Add them as a credential in EntryGuard
The secret access key is only shown once. If you lose it, you'll need to create new credentials.
Restricting to Specific Security Groups
For enhanced security, modify the generated policy's Resource field to limit access to specific Security Groups:
{
"Resource": [
"arn:aws:ec2:eu-west-1:123456789012:security-group/sg-0abc123",
"arn:aws:ec2:us-east-1:123456789012:security-group/sg-0def456"
]
}
Note: ec2:DescribeSecurityGroups must remain with Resource: "*" (AWS limitation).
Best Practices
- Dedicated user — Create a separate IAM user for EntryGuard (no console access)
- Minimum permissions — Use the generated policy; don't grant additional permissions
- Rotate credentials — Rotate access keys every 90 days
- Monitor usage — Enable CloudTrail logging and review EntryGuard API calls
Next Steps
API Reference: For programmatic access, see Resources API.