Hello,
Tim here with the AWS Support Team. This may be possible; however, it'd call for a test to be sure.
What I'd like to ask is if you can open a case with our EC2 team. Specifically, that permission applies to ENI items, yes; however, the permission is an EC2-specific permission that Lambda so happens to use itself (when connected to a VPC), so the permission isn't necessarily specific to Lambda. Here is a link to get started: https://console.aws.amazon.com/support/home#/case/create?issueType=technical
Hello,
After some investigation, I came up with the solution below. It restricts the permissions for Lambda to create/delete ENIs in a VPC:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeNetworkInterfaces",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface"
      ],
      "Resource": [
        "arn:aws:ec2:REGION:ACCOUNT:network-interface/*",
        "arn:aws:ec2:REGION:ACCOUNT:subnet/PRIVATE_SUBNET_ID_1",
        "arn:aws:ec2:REGION:ACCOUNT:subnet/PRIVATE_SUBNET_ID_2",
        "arn:aws:ec2:REGION:ACCOUNT:security-group/LAMBDA_SG_ID"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteNetworkInterface",
        "ec2:AssignPrivateIpAddresses",
        "ec2:UnassignPrivateIpAddresses"
      ],
      "Resource": "*",
      "Condition": {
        "StringEqualsIfExists": {
          "ec2:Subnet": [
            "arn:aws:ec2:REGION:ACCOUNT:subnet/PRIVATE_SUBNET_ID_1",
            "arn:aws:ec2:REGION:ACCOUNT:subnet/PRIVATE_SUBNET_ID_2"
          ]
        }
      }
    }
  ]
}
Let me explain the relevant parts:
- For CreateNetworkInterface, you need to add the 3 types of resource ARNs: network-interface, subnet and security-group
- For DeleteNetworkInterface, you need to use StringEqualsIfExists (and NOT StringEquals) - The reason is that, when you change the Lambda VPC configuration via the AWS Console, the console will internally call DeleteNetworkInterface with DryRun to test the permissions (you can check this via CloudTrail). However, DryRun calls don't set the ec2:Subnet condition key. So if you are using StringEquals, the call will get permission denied and the console will return an error.
- AssignPrivateIpAddresses and UnassignPrivateIpAddresses are also necessary - I guess in some circumstances (e.g. high concurrency and/or multiple functions sharing the same ENI) Lambda needs to add more IPs to an ENI
Tips:
- If you want to know the IAM condition keys that you can use for a given action, this link can help you: https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html
- If you observe IAM permission denied issues, this link may help you: https://docs.aws.amazon.com/cli/latest/reference/sts/decode-authorization-message.html
In your case, your idea was to use a tag like aws:ResourceTag/canDeleteENI. The issue with this approach is that Lambda may dynamically create new ENIs, and they will not be tagged when created (at the moment I created this answer, Lambda didn't have a feature to tag ENIs via inheritance), so Lambda will not be able to delete them.
In this case, you may want to configure all of your Lambdas to use a set of private subnets (separated from other critical applications), reducing the blast radius in case of an issue.
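As an added illustration (not part of either answer above, and not AWS's IAM evaluator), here is a small Python model of why the DeleteNetworkInterface statement needs StringEqualsIfExists: it builds that statement with each operator and evaluates it against three constructed request contexts, including a DryRun-style probe that carries no ec2:Subnet key. The operator names and the ec2:Subnet key are real IAM identifiers; the subnet ARNs and request contexts are constructed placeholders.

```python
ALLOWED_SUBNETS = [
    "arn:aws:ec2:REGION:ACCOUNT:subnet/PRIVATE_SUBNET_ID_1",
    "arn:aws:ec2:REGION:ACCOUNT:subnet/PRIVATE_SUBNET_ID_2",
]

def delete_eni_statement(operator):
    # The DeleteNetworkInterface statement from the answer above, parameterised
    # on the condition operator so both variants can be compared.
    return {"Effect": "Allow", "Action": ["ec2:DeleteNetworkInterface"],
            "Resource": "*", "Condition": {operator: {"ec2:Subnet": ALLOWED_SUBNETS}}}

def condition_matches(condition, context):
    # Simplified model of IAM string conditions (not the real IAM evaluator):
    # StringEquals requires the key to be present AND to match one value;
    # StringEqualsIfExists treats a missing key as a match, a present key must match.
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringEqualsIfExists"):
            raise ValueError("operator not modelled: " + operator)
        for key, allowed in pairs.items():
            values = allowed if isinstance(allowed, list) else [allowed]
            if key not in context:
                if operator == "StringEqualsIfExists":
                    continue
                return False  # missing key never satisfies StringEquals
            if context[key] not in values:
                return False
    return True

def evaluate(statement, action, context):
    # Single-statement evaluation: anything not explicitly allowed is an implicit Deny.
    actions = statement["Action"]
    if action not in actions or not condition_matches(statement.get("Condition", {}), context):
        return "Deny"
    return statement["Effect"]

# Constructed request contexts: a real delete carries ec2:Subnet (set by EC2);
# the console's DryRun probe carries no ec2:Subnet key at all (per the answer).
CONTEXTS = {
    "real_delete": {"ec2:Subnet": ALLOWED_SUBNETS[0]},
    "other_subnet": {"ec2:Subnet": "arn:aws:ec2:REGION:ACCOUNT:subnet/OTHER_SUBNET_ID"},
    "dry_run_probe": {},
}

def compare():
    # Evaluate both operators against every constructed context.
    return {op: {name: evaluate(delete_eni_statement(op), "ec2:DeleteNetworkInterface", ctx)
                 for name, ctx in CONTEXTS.items()}
            for op in ("StringEquals", "StringEqualsIfExists")}
```

Only the dry_run_probe row differs between the two operators: StringEquals denies it (which is the console error the answer describes), while StringEqualsIfExists allows it without loosening the real-delete checks.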