Restrict Lambda DeleteNetworkInterface Permission?

0

When adding Lambda to VPC, it is required to have DeleteNetworkInterface permission,

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                ......
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "*"
        }
    ]
}

However, we feel it's a bit risky to use unconditioned DeleteNetworkInterface. What we currently do is to add a tag to the Lambda, e.g., {"canDeleteENI": "true"}, then add a condition to Lambda's execution role,

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/canDeleteENI": "true"
        }
      }
    }
  ]
}

Will this work? For example, allowing the Lambda to delete it only when created by the same Lambda? If not, any suggestions to restrict the DeleteNetworkInterface permission for Lambda? Thanks!

2 Answers
0

Hello,

Tim here with the AWS Support Team. This may be possible, however it’d call for a test to be sure.

What I’d like to ask is if you can open a case with our EC2 team. Specifically, that permission applies to ENI items, yes; however, the permission is an EC2-specific permission that Lambda so happens to use itself (when connected to a VPC), so the permission isn’t necessarily specific to Lambda. Here is a link to get started: https://console.aws.amazon.com/support/home#/case/create?issueType=technical

AWS
SUPPORT ENGINEER
Tim_P
answered 2 years ago
0

Hello,

After some investigation, I came up with the solution below. It restricts the permissions for Lambda to create/delete ENIs in a VPC:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeNetworkInterfaces",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:REGION:ACCOUNT:network-interface/*",
                "arn:aws:ec2:REGION:ACCOUNT:subnet/PRIVATE_SUBNET_ID_1",
                "arn:aws:ec2:REGION:ACCOUNT:subnet/PRIVATE_SUBNET_ID_2",
                "arn:aws:ec2:REGION:ACCOUNT:security-group/LAMBDA_SG_ID"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteNetworkInterface",
                "ec2:AssignPrivateIpAddresses",
                "ec2:UnassignPrivateIpAddresses"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIfExists": {
                    "ec2:Subnet": [
                        "arn:aws:ec2:REGION:ACCOUNT:subnet/PRIVATE_SUBNET_ID_1",
                        "arn:aws:ec2:REGION:ACCOUNT:subnet/PRIVATE_SUBNET_ID_2"
                    ]
                }
            }
        }
    ]
}

Let me explain the relevant parts:

  • For CreateNetworkInterface, you need to add the 3 types of resource ARNs: network-interface, subnet and security-group
  • For DeleteNetworkInterface, you need to use StringEqualsIfExists (and NOT StringEquals)
    • The reason is that, when you change the Lambda VPC configuration via the AWS Console, the console will internally call DeleteNetworkInterface with DryRun to test the permissions (you can check this via CloudTrail). However, DryRun calls don't set the ec2:Subnet condition key. So if you are using StringEquals, the call will get permission denied and the console will return an error.
  • AssignPrivateIpAddresses and UnassignPrivateIpAddresses are also necessary
    • I guess in some circumstances (e.g. high concurrency and/or multiple functions sharing the same ENI) Lambda needs to add more IPs to an ENI

Tips:

In your case, your idea was to use a tag like aws:ResourceTag/canDeleteENI. The issue with this approach is that Lambda may dynamically create new ENIs, and they will not be tagged when created (at the moment I created this answer, Lambda didn't have a feature to tag ENIs via inheritance), so Lambda will not be able to delete them.

In this case, you may want to configure all of your Lambdas to use a set of private subnets (separated from other critical applications), reducing the blast radius in case of an issue.

AWS
answered a year ago
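The StringEquals versus StringEqualsIfExists point made in the answer above, as an added example that is not code from the question, the answers or AWS: a deliberately simplified model of IAM condition evaluation that runs the answer's DeleteNetworkInterface statement against three constructed request contexts, including a DryRun-style request that carries no ec2:Subnet key. The evaluator handles only these two operators on single-valued keys and is not AWS's real evaluation logic; the REGION/ACCOUNT/subnet placeholders are the ones used in the answer.

```python
# Simplified model of IAM condition evaluation (an added example, not AWS's
# evaluator): only StringEquals / StringEqualsIfExists on single-valued keys.
ALLOWED_SUBNETS = [
    "arn:aws:ec2:REGION:ACCOUNT:subnet/PRIVATE_SUBNET_ID_1",
    "arn:aws:ec2:REGION:ACCOUNT:subnet/PRIVATE_SUBNET_ID_2",
]

def make_policy(operator):
    """The answer's DeleteNetworkInterface statement with the chosen operator."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ec2:DeleteNetworkInterface"],
            "Resource": "*",
            "Condition": {operator: {"ec2:Subnet": ALLOWED_SUBNETS}},
        }],
    }

def condition_matches(condition, context):
    """True if every condition entry is satisfied by the request context."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            values = expected if isinstance(expected, list) else [expected]
            if key not in context:
                # ...IfExists treats an absent key as satisfied; plain StringEquals does not
                if operator.endswith("IfExists"):
                    continue
                return False
            if context[key] not in values:
                return False
    return True

def is_allowed(policy, action, context):
    # True if some Allow statement covers the action and its condition holds
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Allow" and action in actions:
            if condition_matches(stmt.get("Condition", {}), context):
                return True
    return False  # no matching Allow: implicit deny

# Constructed request contexts: a delete inside an allowed subnet, one in a
# foreign subnet, and a DryRun-style probe that carries no ec2:Subnet key.
IN_SCOPE = {"ec2:Subnet": ALLOWED_SUBNETS[0]}
OUT_OF_SCOPE = {"ec2:Subnet": "arn:aws:ec2:REGION:ACCOUNT:subnet/OTHER_SUBNET_ID"}
DRY_RUN_PROBE = {}
if __name__ == "__main__":
    for op in ("StringEquals", "StringEqualsIfExists"):
        for name, ctx in (("in-scope", IN_SCOPE), ("out-of-scope", OUT_OF_SCOPE), ("dry-run", DRY_RUN_PROBE)):
            print(op, name, is_allowed(make_policy(op), "ec2:DeleteNetworkInterface", ctx))
```

Only the dry-run row differs between the two operators: StringEquals denies it, StringEqualsIfExists allows it, which is the console error the answer describes.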
