Restrict Lambda DeleteNetworkInterface Permission?

When adding Lambda to a VPC, it is required to have the DeleteNetworkInterface permission:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                ......
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "*"
        }
    ]
}

However, we feel it's a bit risky to use an unconditioned DeleteNetworkInterface. What we currently do is add a tag to the Lambda, e.g. {"canDeleteENI": "true"}, then add a condition to the Lambda's execution role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/canDeleteENI": "true"
        }
      }
    }
  ]
}

Will this work? For example, allowing the Lambda to delete an ENI only when it was created by the same Lambda? If not, any suggestions to restrict the DeleteNetworkInterface permission for Lambda? Thanks!
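As an added example that is not part of the original post: a small Python check that flags execution-role policy statements granting ec2:DeleteNetworkInterface on every resource with no Condition block, run over two policy documents constructed to mirror the ones in the question (the elided actions in the first are filled in with the usual VPC-access set as an assumption). It only spots the unconditioned grant; whether the tag condition is satisfied for the ENIs Lambda creates is something this check cannot tell you.

```python
import fnmatch
import json

# Constructed to mirror the two policies in the question; the elided actions in
# the first one are filled with the usual VPC-access set as an assumption.
UNCONDITIONED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
                            "ec2:DeleteNetworkInterface"],
                 "Resource": "*"}]
}""")

TAG_SCOPED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["ec2:DeleteNetworkInterface"],
                 "Resource": "*",
                 "Condition": {"StringEquals": {"aws:ResourceTag/canDeleteENI": "true"}}}]
}""")

def _as_list(value):
    # IAM accepts a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    # Action names are case-insensitive and may carry '*' wildcards ("ec2:*").
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def unconditioned_grants(policy, action="ec2:DeleteNetworkInterface"):
    """Indexes of Allow statements granting `action` on Resource "*" with no
    Condition block at all (NotAction / NotResource forms are not analysed)."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        if stmt.get("Condition"):  # any condition narrows the grant; review it by hand
            continue
        hits.append(i)
    return hits

if __name__ == "__main__":
    for name, doc in (("unconditioned", UNCONDITIONED), ("tag-scoped", TAG_SCOPED)):
        print(f"{name}: flagged statements {unconditioned_grants(doc)}")
```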

1 Answer

Hello,

Tim here with the AWS Support Team. This may be possible; however, it'd call for a test to be sure.

What I'd like to ask is if you can open a case with our EC2 team. Specifically, that permission does apply to ENI items; however, it is an EC2-specific permission that Lambda happens to use itself (when connected to a VPC), so the permission isn't necessarily specific to Lambda. Here is a link to get started: https://console.aws.amazon.com/support/home#/case/create?issueType=technical

SUPPORT ENGINEER
answered 5 months ago