Restrict Lambda DeleteNetworkInterface Permission?

Question

When adding Lambda to VPC, it is required to have `DeleteNetworkInterface` permission,
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                ......
                "ec2:DeleteNetworkInterface",
            ],
            "Resource": "*"
        }
    ]
}
```

However, we feel it's a bit risky to use unconditioned `DeleteNetworkInterface`. What we currently do is to add a tag to the Lambda, e.g., `{"canDeleteENI": "true"}`, then add a condition to Lambda's execution role,
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteNetworkInterface",
      ],
      "Resource": "*",
      "Condition": {
         "StringEquals": {
            "aws:ResourceTag/canDeleteENI": "true"
         }
       }
     }
  ]
}
```
Will this work? for example, allowing the Lambda delete it only when created by the same Lambda? If not, any suggestions to restrict DeleteNetworkInterface permission for Lambda?
thanks!

Answer

Hello,

Tim here with the AWS Support Team. This may be possible, however it’d call for a test to be sure.

What I’d like to ask is if you can open a case with our EC2 team. Specifically, that permission applies to ENI items yes, however the permission is an EC2 specific permission that Lambda so happens to use itself (when connect to a VPC), so the permission isn’t necessarily specific to Lambda. Here is a link to get started: https://console.aws.amazon.com/support/home#/case/create?issueType=technical

Restrict Lambda DeleteNetworkInterface Permission?

Relevant questions

AWS Lambda: You do not have sufficient permission. Access denied

How to have a websocket connection to lambda in a green grass core

Is the permission DetachNetworkInterfaces reasonable?