Hi there,
Managed policies make it faster and more convenient to assign the correct permissions to your resources to meet many common use cases. AWS managed policies don't grant least privilege permissions [1].
Depending on your use case a managed policy can contain more permissive permissions than what you require. If this is the case you can create a custom policy that is more restrictive or more permissive based on your requirements.
The permissions ec2:AssignPrivateIpAddresses and ec2:UnassignPrivateIpAddresses seen in the "AWSLambdaVPCAccessExecutionRole" policy grant the following:
- AssignPrivateIpAddresses - Assigns one or more secondary private IP addresses to the specified network interface.
- UnassignPrivateIpAddresses - Unassigns one or more secondary private IP addresses, or IPv4 Prefix Delegation prefixes, from a network interface.
At a minimum, your function needs access to Amazon CloudWatch Logs for log streaming. If your function calls other service APIs with the AWS SDK, you must include the necessary permissions in the execution role's policy [2].
When you associate a Lambda function with a VPC, an interface is created within the VPC where traffic from the Lambda function will egress towards other VPC resources. When all functions using this interface are deleted, the interface will also be deleted. When associating a Lambda function with a VPC, the following permissions are therefore required:
- ec2:CreateNetworkInterface
- ec2:DescribeNetworkInterfaces
- ec2:DeleteNetworkInterface
Without these permissions on the Lambda execution role policy, the function cannot be associated with a VPC.
Associating the Lambda function with the VPC does not require the following permissions, which are included in the managed policy:
- ec2:AssignPrivateIpAddresses
- ec2:UnassignPrivateIpAddresses
References:
[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-getting-started-managed.html
[2] https://docs.aws.amazon.com/lambda/latest/dg/lambda-permissions.html
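The comparison the answer walks through, as an added example that is not part of the original post or an AWS artifact: a least-privilege execution-role policy built from the three ec2 actions the answer says VPC association needs plus the CloudWatch Logs actions for log streaming (the three logs actions are assumed, taken from the basic Lambda execution permissions), and a small checker that expands IAM action wildcards and reports which actions one policy document grants that another does not. The "managed policy" document below is constructed from the actions named in the answer; fetch the live AWSLambdaVPCAccessExecutionRole document from IAM before relying on its exact contents.

```python
"""Diff the actions granted by two IAM policy documents (added example)."""
import fnmatch
import json

# Constructed stand-in for the managed policy, built from the actions the
# answer names. The authoritative document comes from IAM, e.g.
#   aws iam get-policy-version --policy-arn \
#     arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole \
#     --version-id <default version id>
MANAGED_POLICY_SAMPLE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
            "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
            "ec2:DeleteNetworkInterface",
            "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses",
        ],
        "Resource": "*",
    }],
}

# Actions the answer says VPC association actually needs.
REQUIRED_FOR_VPC = (
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
)

# Least-privilege alternative: required ec2 actions plus log streaming.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LambdaLogs",
            "Effect": "Allow",
            "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                       "logs:PutLogEvents"],
            "Resource": "*",  # narrow to the function's log group ARN in practice
        },
        {
            "Sid": "LambdaVpcEni",
            "Effect": "Allow",
            "Action": list(REQUIRED_FOR_VPC),
            "Resource": "*",  # ec2:Describe* actions do not take resource ARNs
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Action patterns from Allow statements. Deny statements are ignored here."""
    patterns = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            patterns.update(_as_list(stmt["Action"]))
    return patterns


def is_covered(action, patterns):
    """True if a concrete action matches any IAM pattern (* and ?, case-insensitive)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(policy, required):
    """Required actions that the policy does not grant."""
    patterns = allowed_actions(policy)
    return sorted(a for a in required if not is_covered(a, patterns))


def excess_actions(broad, narrow, extra_catalogue=()):
    """Concrete actions granted by `broad` but not by `narrow`.

    Wildcards are expanded against a catalogue made of every literal action in
    either policy plus any caller-supplied names, so `ec2:*` is judged against
    real action names rather than compared as a string.
    """
    catalogue = set(extra_catalogue)
    for policy in (broad, narrow):
        catalogue.update(a for a in allowed_actions(policy)
                         if "*" not in a and "?" not in a)
    broad_pats, narrow_pats = allowed_actions(broad), allowed_actions(narrow)
    return sorted(a for a in catalogue
                  if is_covered(a, broad_pats) and not is_covered(a, narrow_pats))


if __name__ == "__main__":
    print(json.dumps(LEAST_PRIVILEGE_POLICY, indent=2))
    print("missing:", missing_actions(LEAST_PRIVILEGE_POLICY, REQUIRED_FOR_VPC))
    print("excess in managed policy:",
          excess_actions(MANAGED_POLICY_SAMPLE, LEAST_PRIVILEGE_POLICY))
```

Run against the constructed documents it reports the two Assign/Unassign actions as the managed policy's surplus and no missing actions in the custom policy; point `excess_actions` at the real managed-policy document (and pass the ec2 action names you care about as `extra_catalogue` if it contains wildcards) to check the live version.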