critical issue operating within a VPC due to incorrect IAM privileges
ahl opened this issue · 5 comments
My colleague got the following note from AWS support today:
Subject: Action required for AWS Account: XXX: Please update the IAM role (execution role) associated with your Lambda functions
We have detected an IAM role configuration problem that can cause unused Elastic Network Interfaces (ENIs) to accumulate in your AWS account. AWS Lambda functions configured for Amazon VPC access set up ENIs in your VPC to securely access other resources within your private VPC. The Lambda function execution role must have permissions to create, describe, and delete these ENIs. If the role does not have permission to delete ENIs, then Lambda cannot clean up ENIs after use.
It goes on to explain that while the Lambda's role has ec2:CreateNetworkInterface, it lacks ec2:DeleteNetworkInterface and ec2:DescribeNetworkInterfaces, which are necessary for proper maintenance.
AWS has a new(?) policy for running Lambdas within a VPC: AWSLambdaENIManagementAccess
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "*"
        }
    ]
}
Gordon should include those privileges in its default profile. We've accepted the PR in our fork: https://github.com/transposit/gordon/pull/2
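An offline check for the problem the AWS notice describes, added here as an example; it is not gordon's code and not the code in the transposit PR. Given one or more IAM policy documents attached to a Lambda execution role (the two sample documents below are constructed for the example), it reports which of the three ENI actions the role is missing, honouring IAM's case-insensitive `*`/`?` action wildcards, `NotAction`, and explicit `Deny`. It deliberately evaluates actions only: `Resource` and `Condition` blocks are not checked, so a conditional or resource-scoped Allow counts as an Allow.

```python
"""Report which ENI actions a Lambda execution role lacks.

Example added to this thread; not gordon code. Policy documents are
plain dicts (as returned by iam:GetRolePolicy / iam:GetPolicyVersion).
"""
import fnmatch
import json

# The three actions named in the AWS notice quoted above.
REQUIRED_ENI_ACTIONS = (
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
)


def _as_list(value):
    """IAM lets Statement, Action and NotAction be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and accept * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(statement, action):
    """True if the statement's Action/NotAction clause applies to `action`."""
    if "NotAction" in statement:
        return not any(_action_matches(p, action)
                       for p in _as_list(statement["NotAction"]))
    return any(_action_matches(p, action)
               for p in _as_list(statement.get("Action")))


def allowed_actions(policy_docs, actions=REQUIRED_ENI_ACTIONS):
    """Return the subset of `actions` the policies allow.

    Action-level evaluation only: an explicit Deny wins, otherwise any
    matching Allow grants the action. Resource ARNs and Condition blocks
    are ignored (a deliberate simplification of real IAM evaluation).
    """
    allowed = set()
    for action in actions:
        granted = denied = False
        for doc in policy_docs:
            for stmt in _as_list(doc.get("Statement")):
                if not _statement_covers(stmt, action):
                    continue
                if stmt.get("Effect") == "Deny":
                    denied = True
                elif stmt.get("Effect") == "Allow":
                    granted = True
        if granted and not denied:
            allowed.add(action)
    return allowed


def missing_eni_actions(policy_docs):
    """Required ENI actions the role does NOT have; an empty set means OK."""
    return set(REQUIRED_ENI_ACTIONS) - allowed_actions(policy_docs)


# Constructed sample: a role that can create ENIs but never describe or
# delete them, which is the configuration the AWS notice warns about.
INCOMPLETE_ROLE = [json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:*", "ec2:CreateNetworkInterface"],
     "Resource": "*"}
  ]
}""")]

# Constructed sample: the AWSLambdaENIManagementAccess statement from this thread.
COMPLETE_ROLE = [json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface"],
     "Resource": "*"}
  ]
}""")]

if __name__ == "__main__":
    for name, docs in (("incomplete", INCOMPLETE_ROLE), ("complete", COMPLETE_ROLE)):
        print(name, "missing:", sorted(missing_eni_actions(docs)) or "none")
```

Feed it every inline and attached policy document of the role (plus any permissions boundary, since a boundary can also withhold the Delete permission) and treat a non-empty result as the signal that leaked ENIs are to be expected for that function's VPC.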
+1 - this is breaking my deployment process that uses vpcs. Please merge.
I think this project is dead; we have a fork here with some useful fixes:
https://github.com/transposit/gordon
But we're in the process of migrating off of Gordon.
Really? What do you use instead?
We're just using Terraform. While Gordon is super convenient for stand-alone entities, we found it awkward to have parts of our deployment managed by Gordon and other parts managed by Terraform. In particular, we have dependencies from Gordon to the Terraform-managed VPC config (apropos of this issue...).
note that this is fixed by https://github.com/jorgebastida/gordon/pull/141/files