I have tried this, but it fails on the IAM Policy Simulator.
Got this policy from AWS docs.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:RevokeSecurityGroupEgress"
          ],
          "Resource": "arn:aws:ec2:us-east-1:Account-Number:security-group/*",
          "Condition": {
            "StringEquals": {
              "ec2:Vpc": "arn:aws:ec2:us-east-1:Account-Number:vpc/vpc-id"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "ec2:DescribeSecurityGroups",
          "Resource": "*"
        }
      ]
    }
I've successfully tested the referenced IAM policy via the IAM Policy Simulator - the policy simulator can be quite picky/tricky though and it took me a few attempts to get it right as well, here's what to look out for:

- arn:aws:ec2:us-east-1:Account-Number:security-group/*, you need to ensure to also enter the identical Amazon Resource Name (ARN) as the value for Resource in the Simulation Settings.
- ec2:Vpc condition key in the Simulation Settings - you need to ensure to enter a full ARN as the value here rather than just the VPC id itself, i.e. something like arn:aws:ec2:us-east-1:Account-Number:vpc/vpc-12345678 rather than just vpc-12345678!
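To show why the simulator's inputs have to match the policy literally, here is an added example (not from the question, the answer, or AWS): a small Python model of the Allow / wildcard-resource / StringEquals evaluation that IAM applies to the policy above. The account id, security group id and VPC id are constructed sample values standing in for the question's placeholders, and only the StringEquals condition operator is modelled.

```python
import fnmatch

# Constructed sample values standing in for Account-Number and vpc-id above.
ACCOUNT = "123456789012"
VPC_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT}:vpc/vpc-12345678"
SG_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT}:security-group/sg-0abc1234"

# The policy from the question, with the placeholders filled in.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress",
                       "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress"],
            "Resource": f"arn:aws:ec2:us-east-1:{ACCOUNT}:security-group/*",
            "Condition": {"StringEquals": {"ec2:Vpc": VPC_ARN}},
        },
        {"Effect": "Allow", "Action": "ec2:DescribeSecurityGroups", "Resource": "*"},
    ],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value, fold_case):
    # IAM-style '*' / '?' wildcards; action names compare case-insensitively, ARNs do not.
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_ok(cond, ctx):
    # StringEquals only: exact, case-sensitive match; a missing context key never matches.
    for key, expected in cond.get("StringEquals", {}).items():
        if key not in ctx or ctx[key] not in _as_list(expected):
            return False
    return True

def evaluate(policy, action, resource, context):
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' (simplified IAM logic)."""
    result = "implicitDeny"
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action, True)
                and _matches(stmt["Resource"], resource, False)
                and _condition_ok(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"  # an explicit deny always wins
        result = "allowed"
    return result

if __name__ == "__main__":
    action = "ec2:AuthorizeSecurityGroupIngress"
    # A bare VPC id, as one is tempted to type into the simulator, never equals the ARN.
    print(evaluate(POLICY, action, SG_ARN, {"ec2:Vpc": "vpc-12345678"}))  # implicitDeny
    print(evaluate(POLICY, action, SG_ARN, {"ec2:Vpc": VPC_ARN}))          # allowed
```

The same literal-matching rule explains the first bullet: the simulated resource must fall under the statement's Resource pattern, so a VPC ARN or an ARN from another account or region is an implicit deny.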