I am creating a lambda function that will send emails (nothing new). I am having issues with the policy that I am creating. TFSec busted me with the Resource meta-attribute and indicated that "*" isn't allowed. So all I am trying to do is limit my policy to my lambda function. I figured I could dynamically create the ARN as I have done in the past. Well, the only way I found that it works is leveraging the "condition" meta-attribute BUT..., when I used the condition, I get this error:
│ Error: error creating Lambda Function (1): InvalidParameterValueException: The provided execution role does not have permissions to call CreateNetworkInterface on EC2
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "3b8fc1dd-21d8-xxxx-xxx-xxxxxxx"
│   },
│   Message_: "The provided execution role does not have permissions to call CreateNetworkInterface on EC2",
│   Type: "User"
│ }
What's killing me is that the permission is set in my policy, see below:
resource "aws_iam_role_policy" "lambda_sendmail_policy" {
  name   = "lambda-sendmail"
  role   = aws_iam_role.lambda_sendmail_role.id
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "Stmt163546987325",
        "Effect" : "Allow",
        "Action" : [
          "ec2:DescribeInstances",
          "ec2:CreateNetworkInterface",
          "ec2:AttachNetworkInterface",
          "ec2:DescribeNetworkInterfaces",
          "ec2:DeleteNetworkInterface",
          "autoscaling:CompleteLifecycleAction"
        ],
        "Resource" : "*",
        "Condition" : {
          "StringEquals" : {
            "lambda:FunctionArn" : "arn:aws:lambda:us-east-1:${local.accountid}:function:${var.appenv}-${var.lambda_appname}"
          }
        }
      },
      {
        "Effect" : "Allow",
        "Action" : [
          "logs:PutLogEvents",
          "logs:CreateLogStream"
        ],
        "Resource" : [
          "arn:aws:logs:us-east-1:${local.accountid}:log-group:/aws/lambda/*"
        ]
      },
      {
        "Effect" : "Allow",
        "Action" : [
          "xray:PutTraceSegments",
          "xray:PutTelemetryRecords"
        ],
        "Resource" : "*"
      }
    ]
  })
}
Clearly the permission is there, but I am passing the Lambda ARN incorrectly. I need some help here.
If I remove the condition it works, but TFSec catches me, telling me that I need to specify the resource.
I am not sure if Lambda is supported by the condition attribute, but any help here would be great.
CodePudding user response:
You can't put this condition for the ec2 actions mentioned:
"Condition" : {
  "StringEquals" : {
    "lambda:FunctionArn" : "arn:aws:lambda:us-east-1:${local.accountid}:function:${var.appenv}-${var.lambda_appname}"
  }
}
The condition to use for most of those ec2:* actions is...
"Condition": {
  "ArnLikeIfExists": {
    "ec2:Vpc": "your_vpc_arn"
  }
}
This block limits the permission to the vpc shared by the function and fails to true for certain lambda actions like creation/update where the api calls don't include the vpc arn. This is about as tight as you can get this policy.
I'd move autoscaling to its own block also, because you can definitely tighten that up.
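A tightened version of the question's policy along the lines the answer suggests, written here as an added example rather than the asker's or the answerer's code. It keeps aws_iam_role.lambda_sendmail_role, var.appenv and var.lambda_appname from the question, assumes a var.vpc_id and var.asg_name that the page does not define, and derives the account id and region from data sources instead of the question's local.accountid.

```hcl
# Added example; var.vpc_id and var.asg_name are assumed inputs not on the page.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
locals {
  function_name = "${var.appenv}-${var.lambda_appname}"
  account_id    = data.aws_caller_identity.current.account_id
  region        = data.aws_region.current.name
  vpc_arn       = "arn:aws:ec2:${local.region}:${local.account_id}:vpc/${var.vpc_id}"
}
resource "aws_iam_role_policy" "lambda_sendmail_policy" {
  name   = "lambda-sendmail"
  role   = aws_iam_role.lambda_sendmail_role.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ENI management for a VPC-attached function. ec2:Describe* calls carry no
        # resource-level keys, so Resource stays "*" and the IfExists condition
        # lets those through while pinning create/attach/delete to one VPC.
        Sid    = "LambdaEniInVpc"
        Effect = "Allow"
        Action = [
          "ec2:CreateNetworkInterface",
          "ec2:AttachNetworkInterface",
          "ec2:DeleteNetworkInterface",
          "ec2:DescribeNetworkInterfaces",
          "ec2:DescribeInstances",
        ]
        Resource  = "*"
        Condition = { ArnLikeIfExists = { "ec2:Vpc" = local.vpc_arn } }
      },
      {
        # Lifecycle hook completion in its own statement, scoped to one Auto Scaling group.
        Sid      = "CompleteLifecycleHook"
        Effect   = "Allow"
        Action   = "autoscaling:CompleteLifecycleAction"
        Resource = "arn:aws:autoscaling:${local.region}:${local.account_id}:autoScalingGroup:*:autoScalingGroupName/${var.asg_name}"
      },
      {
        # Logs limited to this function's own log group instead of /aws/lambda/*.
        Sid      = "FunctionLogs"
        Effect   = "Allow"
        Action   = ["logs:CreateLogStream", "logs:PutLogEvents"]
        Resource = "arn:aws:logs:${local.region}:${local.account_id}:log-group:/aws/lambda/${local.function_name}:*"
      },
    ]
  })
}
```

The X-Ray statement from the question is unchanged and omitted here, since xray:PutTraceSegments and xray:PutTelemetryRecords support no resource-level permissions and must keep Resource "*".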