Resource handler returned message: "The provided execution role does not have permissions to call CreateNetworkInterface on EC2 (Service: Lambda, Status Code: 400,


I've tried these approaches but I still get the error "The provided execution role does not have permissions to call CreateNetworkInterface on EC2 (Service: Lambda, Status Code: 400". And if I use the wildcard I don't pass cfn_nag checks. How can I resolve this issue?

    - Effect: Allow
      Action:
        - ec2:CreateNetworkInterface
        - ec2:DescribeNetworkInterfaces
        - ec2:DeleteNetworkInterface
      Resource:
        #- !Sub "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/${NetworkInterfaceId}"
        #- "*"
        #- !Sub "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*"
        - !Join
          - ''
          - - 'arn:aws:ec2:'
            - !Ref 'AWS::Region'
            - ':'
            - !Ref 'AWS::AccountId'
            - ':network-interface/'
            - !Ref 'NetworkInterfaceId'
1 Answer

This is a very common challenge every org/individual faces. I understand a wildcard would not be permitted based on security policy etc., but it should be understood this way: when Lambda creates an ENI and, post execution, needs to release it, it attempts to delete the detached ENI, but every time the detached ENI ID would be different, so no resource pattern would work and the ENI would not be deleted. Hence "*" is the only accepted and working option for the ENI case.

This needs to be added to the exception list and accepted with the fact that "*" is the only option as resource for the "ec2:CreateNetworkInterface" and "ec2:DeleteNetworkInterface" actions. If you don't include "ec2:DeleteNetworkInterface", then the detached ENIs would keep their IPs allocated, the IP addresses in that subnet would be depleted over time, and you would fall into a bigger problem account-wise.

Following is a policy sample to get it working, provided the cfn check is disabled or accepted as a risk so the build can succeed:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [
             "ec2:DescribeNetworkInterfaces",
             "ec2:CreateNetworkInterface",
             "ec2:DeleteNetworkInterface"
           ],
           "Resource": "*"
         }
       ]
     }

The Lambda function execution role must have these permissions, no exceptions.

Edit: Can you check whether, by adding the AWS managed policy "AWSLambdaVPCAccessExecutionRole" to the Lambda function execution role, the cfn_nag check also passes?

Here is how you can try:

  1. In your CloudFormation template, create a Lambda service role.
  2. Include the AWS managed policy "AWSLambdaVPCAccessExecutionRole" in this role.
  3. Attach this role to your Lambda function.

This should pass cfn_nag checks, as nowhere in your CloudFormation template are you adding those permissions with "*".

If the answer is helpful, please click "Accept Answer" and upvote it.

AWS EXPERT
answered 10 months ago
  • Hi Marinkie, please check the edit section of my answer and see if it helps.

  • Hi Marinkie, did you try what I recommended in the edit section? Please comment here how it went.
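The three steps from the edited answer laid out as one CloudFormation fragment (an added example, not the answerer's template): the role trusts only lambda.amazonaws.com, attaches the AWS managed policy by ARN, and a VPC-attached function assumes it. The parameter names SubnetIds and SecurityGroupId and the inline handler are assumptions for illustration.

```yaml
Parameters:
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  SecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id

Resources:
  # Step 1: a service role that only the Lambda service principal may assume.
  LambdaVpcExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      # Step 2: the AWS managed policy carries the ec2:*NetworkInterface
      # permissions, so this template itself contains no inline policy
      # statement with Resource "*" for cfn_nag to flag.
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

  # Step 3: the function uses the role. Placing it in a VPC (VpcConfig) is
  # what makes the Lambda service create and later delete the ENIs.
  VpcFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt LambdaVpcExecutionRole.Arn
      VpcConfig:
        SubnetIds: !Ref SubnetIds
        SecurityGroupIds:
          - !Ref SecurityGroupId
      Code:
        ZipFile: |
          # Hypothetical handler body; replace with the real function code.
          def handler(event, context):
              return {"ok": True}
```

The managed policy still grants the ENI actions on all resources; the difference is that the wildcard lives in the AWS-managed policy document rather than in your template, which is why the template-level check passes.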
