Restrict Lambda DeleteNetworkInterface Permission?
When adding a Lambda to a VPC, it is required to have the DeleteNetworkInterface permission:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                ......
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "*"
        }
    ]
}
However, we feel it's a bit risky to use an unconditioned DeleteNetworkInterface. What we currently do is to add a tag to the Lambda, e.g., {"canDeleteENI": "true"}, then add a condition to the Lambda's execution role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/canDeleteENI": "true"
                }
            }
        }
    ]
}
Will this work? For example, allowing the Lambda to delete it only when created by the same Lambda? If not, any suggestions to restrict the DeleteNetworkInterface permission for Lambda? Thanks!
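The tag-conditioned policy from the question, evaluated offline with a minimal IAM-style evaluator, as an added example that is not part of the original post. The ENI ARN and tag sets are constructed; the evaluator only implements the StringEquals operator and wildcard matching on Action/Resource. It shows the point a reviewer of this policy would check first: aws:ResourceTag is compared against the tags on the network interface named in the request, so a tag on the Lambda function itself does not satisfy the condition unless the ENI carries the same tag.

```python
import fnmatch
import json

# Copy of the policy from the question (constructed; trailing comma removed so it parses).
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:DeleteNetworkInterface"],
      "Resource": "*",
      "Condition": {"StringEquals": {"aws:ResourceTag/canDeleteENI": "true"}}
    }
  ]
}
""")

# Constructed ARN of the ENI being deleted (not a real resource).
ENI_ARN = "arn:aws:ec2:us-east-1:123456789012:network-interface/eni-0123456789abcdef0"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, request_context):
    # Only StringEquals is modelled here; other operators are out of scope for this policy.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = request_context.get(key)  # absent key => condition is false
            if actual is None or actual not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource_arn, resource_tags):
    """Return 'Allow' or 'Deny' (implicit deny by default, explicit Deny wins)."""
    # The request context only carries tags of the *resource* (the ENI), as IAM does.
    request_context = {f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), request_context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Before relying on this in an account, confirm the same outcomes with the IAM policy simulator against a real Lambda-created ENI, since the decisive question is which tags that ENI actually carries.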
Hello,
Tim here with the AWS Support Team. This may be possible, however it’d call for a test to be sure.
What I’d like to ask is if you can open a case with our EC2 team. Specifically, that permission applies to ENI items, yes; however, the permission is an EC2-specific permission that Lambda so happens to use itself (when connected to a VPC), so the permission isn’t necessarily specific to Lambda. Here is a link to get started: https://console.aws.amazon.com/support/home#/case/create?issueType=technical