Is the permission DetachNetworkInterfaces reasonable?

Question

If you run an AWS Lambda function in a VPC, does it make sense to add the action DetachNetworkInferace to the IAM role?  
  
We run all of our Lambda function within a VPC. It is my understanding that in this case the function needs an ENI to access VPC resources. To enable this we attach the AWS managed policy AWSLambdaVPCAccessExecutionRole to the functions. While browsing the permission I noticed that the action DetachNetworkInterface is missing.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "*"
        }
    ]
}
```

How can the container that runs the function delete the ENI if it can't detach the ENI?  
  
This is a bit of deep dive question, but I am just curious about the internals of AWS Lambda.

Answer

Hello,  
  
AWS Lambda is a managed service, the operations of attaching/detaching the network interfaces are taken care of internally. As this is internal information, we cannot provide much details related to this. However, we need the create and delete permissions because these ENIs are created in your account and would require permissions for the same.   
  
I hope this answers your query. Please let us know if you have any other queries.

Answer

Thanks!

Is the permission DetachNetworkInterfaces reasonable?

Relevant content