
How to resolve not authorized to perform: ec2:DescribeInstances error

0

I am running a Lambda function to get the security groups of instances. Here is the part of the Lambda function that is failing:

    import boto3

    ec2 = boto3.client('ec2')

    def get_security_groups(instance_id):
        try:
            response = ec2.describe_instances(InstanceIds=[instance_id])
            if response['Reservations']:
                instance = response['Reservations'][0]['Instances'][0]
                security_groups = instance.get('SecurityGroups', [])
                return ', '.join([sg['GroupName'] for sg in security_groups])
        except Exception as e:
            # Any API failure (including UnauthorizedOperation) ends up here
            print(f"Couldn't get security groups for {instance_id}: {str(e)}")
        return "N/A"

I am getting the following message: Couldn't get security groups for i-06cdcfd2b0a9c78eb: An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation. User: arn:aws:sts::149536494602:assumed-role/SecurityHubTopIssuesReport-role-1j5t9plr/SecurityHubTopIssuesReport is not authorized to perform: ec2:DescribeInstances because no identity-based policy allows the ec2:DescribeInstances action

Is there a recommended policy for this error, or does anyone know how to resolve the issue?

1 Answer
0
Accepted Answer

To resolve the "not authorized to perform: ec2:DescribeInstances" error, you need to update the IAM permissions for the Lambda function's execution role. The error message indicates that the current role (SecurityHubTopIssuesReport-role-1j5t9plr) does not have the necessary permissions to perform the ec2:DescribeInstances action.

Here's how you can resolve this issue:

  1. Open the IAM console in AWS.

  2. Locate the role associated with your Lambda function (SecurityHubTopIssuesReport-role-1j5t9plr).

  3. In the Permissions tab for this role, you need to add a policy that allows the ec2:DescribeInstances action. You can either edit an existing policy or create a new one.

  4. If creating a new policy, you can use a policy similar to this:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ec2:DescribeInstances",
                "Resource": "*"
            }
        ]
    }

  5. After adding or updating the policy, save the changes.

  6. Redeploy your Lambda function to ensure it picks up the new permissions.

If you want to limit the scope of the permissions, you can replace the "*" in the "Resource" field with specific ARNs of the EC2 instances you want to describe.

Remember, it's a best practice to follow the principle of least privilege and only grant the minimum permissions necessary for your function to operate.

If you continue to experience issues after updating the policy, you may want to use the AWS CLI command "aws sts get-caller-identity" to verify that your Lambda function is using the correct role, and double-check that the policy has been correctly applied and saved.

If the problem persists, you might want to check if there are any permission boundaries or service control policies in place that could be restricting access, as these can override identity-based policies.
Sources
Resolve IAM permission errors in CloudFormation | AWS re:Post
AWS was not able to validate the provided access credentials | AWS re:Post
Troubleshoot EC2 instance profile errors for IAM roles | AWS re:Post

answered 10 months ago
AWS
EXPERT
reviewed 10 months ago
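The answer's two checks, whether any policy on the role allows ec2:DescribeInstances and whether a permissions boundary or explicit deny is overriding it, as an added Python example that is not part of this thread and is not an AWS library. It is a deliberately simplified offline evaluator (explicit Deny beats Allow beats implicit deny, Action/NotAction wildcards, optional permissions boundary; Condition blocks and resource-level matching are ignored). The sample role, boundary and deny policies are constructed for the example. The recommended policy keeps "Resource": "*" because ec2:DescribeInstances is one of the EC2 Describe actions that does not support resource-level permissions.

```python
"""Offline check: does a Lambda role's identity-based policy allow ec2:DescribeInstances?

Added example, not code from the thread. Simplified IAM evaluation only:
explicit Deny > Allow > implicit deny, Action/NotAction wildcards, optional
permissions boundary. Condition blocks and resource matching are ignored.
"""
from fnmatch import fnmatchcase

# The policy the answer recommends. ec2:DescribeInstances does not support
# resource-level permissions, so "Resource" must stay "*".
DESCRIBE_INSTANCES_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}
    ],
}

# Constructed sample: what the report role might have had before the fix.
ORIGINAL_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["securityhub:GetFindings"], "Resource": "*"},
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
    ],
}

# Constructed sample boundary that only permits Security Hub and logs actions.
BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["securityhub:*", "logs:*"], "Resource": "*"}
    ],
}

# Constructed sample explicit deny, e.g. from a hardening policy on the role.
DENY_EC2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM lets Statement, Action and NotAction be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """Action names compare case-insensitively; '*' and '?' are wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy, action):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt:
            hit = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
        else:
            hit = any(_matches(p, action) for p in _as_list(stmt.get("Action")))
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit deny overrides every allow
        decision = "Allow"
    return decision


def diagnose(action, identity_policies, boundary=None):
    """Explain why the role can or cannot call `action`, in the terms the
    UnauthorizedOperation message uses."""
    results = [evaluate(p, action) for p in identity_policies]
    if "Deny" in results:
        return "explicit deny"
    if "Allow" not in results:
        return "no identity-based policy allows the action"
    if boundary is not None and evaluate(boundary, action) != "Allow":
        return "blocked by permissions boundary"
    return "allowed"


if __name__ == "__main__":
    action = "ec2:DescribeInstances"
    fixed = [ORIGINAL_ROLE_POLICY, DESCRIBE_INSTANCES_POLICY]
    print("before fix:   ", diagnose(action, [ORIGINAL_ROLE_POLICY]))
    print("after fix:    ", diagnose(action, fixed))
    print("with boundary:", diagnose(action, fixed, BOUNDARY_POLICY))
    print("with deny:    ", diagnose(action, [DESCRIBE_INSTANCES_POLICY, DENY_EC2_POLICY]))
```

Against the real role, the authoritative version of this check is the IAM policy simulator, for example aws iam simulate-principal-policy --policy-source-arn <role ARN> --action-names ec2:DescribeInstances, which also accounts for boundaries and service control policies that this toy evaluator cannot see.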
