Home > OS >  AWS IAM Policy Assistance with Lambda Permissions for SMTP
AWS IAM Policy Assistance with Lambda Permissions for SMTP

Time:01-24

I am creating a lambda function that will send emails (nothing new). I am having issues with the policy that I am creating. TFSec busted me with a the Resource meta-attribute and indicated that "*" isn't allowed. So all I am trying to do is limit my policy to my lambda function. I figured I could dynamically create the ARN as i have done in the past. Well, the only way I found that it works is leveraging the "condition" meta-attribute BUT..., when I used the condition, I get this error:

│ Error: error creating Lambda Function (1): InvalidParameterValueException: The provided execution role does not have permissions to call CreateNetworkInterface on EC2

│ { │ RespMetadata: { │ StatusCode: 400, │ RequestID: "3b8fc1dd-21d8-xxxx-xxx-xxxxxxx" │ }, │ Message_: "The provided execution role does not have permissions to call CreateNetworkInterface on EC2", │ Type: "User" │ }

Whats killing me is that the permission is set in my policy, see below:

  resource "aws_iam_role_policy" "lambda_sendmail_policy" {
  name = "lambda-sendmail"
  role = aws_iam_role.lambda_sendmail_role.id
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "Stmt163546987325",
        "Effect" : "Allow",
        "Action" : [
          "ec2:DescribeInstances",
          "ec2:CreateNetworkInterface",
          "ec2:AttachNetworkInterface",
          "ec2:DescribeNetworkInterfaces",
          "ec2:DeleteNetworkInterface",
          "autoscaling:CompleteLifecycleAction"
        ],
        "Resource" : "*",
        "Condition" : {
          "StringEquals" : {
            "lambda:FunctionArn" : "arn:aws:lambda:us-east-1:${local.accountid}:function:${var.appenv}-${var.lambda_appname}"
          }
        }
      },
      {
        "Effect" : "Allow",
        "Action" : [
          "logs:PutLogEvents",
          "logs:CreateLogStream"
        ],
        "Resource" : [
          "arn:aws:logs:us-east-1:${local.accountid}:log-group:/aws/lambda/*"
        ]
      },
      {
        "Effect" : "Allow",
        "Action" : [
          "xray:PutTraceSegments",
          "xray:PutTelemetryRecords"
        ],

        "Resource" : "*"

      }
    ]
  })
}

Clearly the permission is there but I am passing the Lambda ARN incorrectly need some help here.

If I remove the condition it works but TFSEC catches me telling me that I need to specify the resource.

I am not sure if Lambda is supported by the condition attribute but any help here woudl be great.

CodePudding user response:

You can't put this condition for the ec2 actions mentioned:

"Condition" : {
      "StringEquals" : {
        "lambda:FunctionArn" : "arn:aws:lambda:us-east-1:${local.accountid}:function:${var.appenv}-${var.lambda_appname}"
      }
    }

The condition to use for most of those ec2:* actions is...

"Condition": {
    "ArnLikeIfExists": {
      "ec2:Vpc": "your_vpc_arn"
    }
  }

This block limits the permission to the vpc shared by the function and fails to true for certain lambda actions like creation/update where the api calls don't include the vpc arn. This is about as tight as you can get this policy.

I'd move autoscaling to it's own block also, because you can definitely tighten that up.

Page link:https//www.codepudding.com/os/681391.html

Prev:On Copying S3 "CopyObject operation: Access Denied"
Next:AWS ALB: How do I redirect to another domain
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding