Resource handler returned message: "The provided execution role does not have permissions to call CreateNetworkInterface on EC2 (Service: Lambda, Status Code: 400,

I've tried these approaches, but I still get the error "The provided execution role does not have permissions to call CreateNetworkInterface on EC2 (Service: Lambda, Status Code: 400", and if I use the wildcard I don't pass cfn_nag checks. How can I resolve this issue?

 
    # Statement tried in the execution role's inline policy; the earlier
    # Resource variants are left commented out.
    - Effect: Allow
      Action:
        - ec2:CreateNetworkInterface
        - ec2:DescribeNetworkInterfaces
        - ec2:DeleteNetworkInterface
      Resource:
        # - !Sub "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/${NetworkInterfaceId}"
        # - "*"
        # - !Sub "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*"
        - !Join
          - ''
          - - 'arn:aws:ec2:'
            - !Ref 'AWS::Region'
            - ':'
            - !Ref 'AWS::AccountId'
            - ':network-interface/'
            - !Ref 'NetworkInterfaceId'
1 answer

This is a very common challenge that every org/individual faces. I understand a wildcard would not be permitted based on security policy etc., but it should be understood this way: when Lambda creates an ENI and, post-execution, needs to release it, it attempts to delete the detached ENI, but every time the detached ENI ID will be different, so no resource pattern will work and the ENI would not be deleted. Hence "*" is the only accepted and working option for the ENI case.

This needs to be added to the exception list and accepted with the fact that "*" is the only option as the resource for the "ec2:CreateNetworkInterface" and "ec2:DeleteNetworkInterface" actions. If you don't include "ec2:DeleteNetworkInterface", the detached ENI would keep its IP allocated, the IP addresses in that subnet would be depleted over time, and you would fall into a bigger problem account-wise.

Following is a policy sample to get it working, provided the cfn check is disabled or this is accepted as a risk so the build can succeed:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [
             "ec2:DescribeNetworkInterfaces",
             "ec2:CreateNetworkInterface",
             "ec2:DeleteNetworkInterface"
           ],
           "Resource": "*"
         }
       ]
     }

The Lambda function execution role must have these permissions, no exceptions.

Edit: Can you check whether, by adding the AWS managed policy "AWSLambdaVPCAccessExecutionRole" to the Lambda function execution role, the cfn_nag check also passes?

Here is how you can try:

  1. In your CloudFormation, create a Lambda service role.
  2. Include the AWS managed policy "AWSLambdaVPCAccessExecutionRole" in this role.
  3. Attach this role to your Lambda function.

This should pass cfn_nag checks, as nowhere in the CloudFormation are you adding those permissions with "*".

If the answer is helpful, please click "Accept Answer" and upvote it.

AWS EXPERT, answered 10 months ago
  • Hi Marinkie, please check the edit section of my answer and see if it helps.

  • Hi Marinkie, did you try what I recommended in the edit section? Please comment here on how it went.
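
The policy sample and the three-step edit above, as an added example that is not part of the original answer: a CloudFormation template (JSON form, held in a Python dict) carrying both variants of the execution role, plus a small checker that mimics the kind of inline-policy check cfn_nag applies to a template. It flags inline Allow statements that grant the ENI actions on Resource "*" (including through an action wildcard such as ec2:*), and for ManagedPolicyArns it can only list the ARNs, because a managed policy's document is not in the template. AWSLambdaVPCAccessExecutionRole itself grants the same ENI actions on Resource "*", so the managed-policy route hides the wildcard from a template-only linter rather than removing it; record it as an accepted risk, the same way the answer treats the inline version. The logical IDs, subnet ID and security-group ID are made up.

```python
import fnmatch

# EC2 actions a VPC-attached Lambda's execution role needs for its ENIs
# (the three actions discussed in the answer).
ENI_ACTIONS = {"ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
               "ec2:DeleteNetworkInterface"}

# Trust policy letting the Lambda service assume the role.
LAMBDA_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

# Constructed sample template (CloudFormation JSON form). Logical IDs and the
# subnet/security-group IDs are made up. InlineRole carries the wildcard
# inline policy from the answer; ManagedRole follows the edit (steps 1-3)
# and attaches the AWS managed policy instead; VpcFunction uses ManagedRole.
TEMPLATE = {"Resources": {
    "InlineRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": LAMBDA_TRUST,
        "Policies": [{"PolicyName": "lambda-eni", "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": sorted(ENI_ACTIONS),
                           "Resource": "*"}]}}]}},
    "ManagedRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": LAMBDA_TRUST,
        "ManagedPolicyArns": [
            "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"]}},
    "VpcFunction": {"Type": "AWS::Lambda::Function", "Properties": {
        "Runtime": "python3.12", "Handler": "index.handler",
        "Role": {"Fn::GetAtt": ["ManagedRole", "Arn"]},
        "Code": {"ZipFile": "def handler(event, context):\n    return 'ok'\n"},
        "VpcConfig": {"SubnetIds": ["subnet-0123456789abcdef0"],
                      "SecurityGroupIds": ["sg-0123456789abcdef0"]}}},
}}


def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def _iam_roles(template):
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::IAM::Role":
            yield name, res.get("Properties", {})


def wildcard_eni_statements(template):
    """Inline Allow statements that grant an ENI action on Resource "*".

    Action patterns such as "ec2:*" are expanded with fnmatch so a wildcard
    action does not slip past. Returns (role, policy name, matched actions).
    """
    findings = []
    for role, props in _iam_roles(template):
        for policy in props.get("Policies", []):
            for stmt in _as_list(policy["PolicyDocument"].get("Statement", [])):
                if stmt.get("Effect") != "Allow":
                    continue
                patterns = _as_list(stmt.get("Action", []))
                granted = sorted(a for a in ENI_ACTIONS
                                 if any(fnmatch.fnmatchcase(a, p) for p in patterns))
                if granted and "*" in _as_list(stmt.get("Resource", [])):
                    findings.append((role, policy["PolicyName"], granted))
    return findings


def managed_policies(template):
    """Managed policy ARNs per role. Their documents are not in the template,
    so a template-only linter cannot tell what they grant."""
    return {role: props["ManagedPolicyArns"]
            for role, props in _iam_roles(template)
            if props.get("ManagedPolicyArns")}


def report(template):
    """Human-readable findings: wildcard inline grants, then uninspected ARNs."""
    lines = [f'{role}/{pol}: {", ".join(acts)} on Resource "*"'
             for role, pol, acts in wildcard_eni_statements(template)]
    lines += [f"{role}: attaches {arn} (document not in template, not inspected)"
              for role, arns in managed_policies(template).items() for arn in arns]
    return lines


if __name__ == "__main__":
    print("\n".join(report(TEMPLATE)))
```

Run as a script it prints one finding for InlineRole and one uninspected-ARN line for ManagedRole. In a pipeline, fail the build on any wildcard_eni_statements result, and review the managed_policies list by hand against the managed policy's actual document, since that is where the "*" now lives.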
