Giving access to AWS Lambda service with limited policy

8
votes

I am trying to follow this tutorial to setup a lambda function to shutdown/startup instances with a special tag added to ec2 instances.

The policy assigned to my role by Admin user gives me access to all lambda function e.g by

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*",
        "cognito-identity:ListIdentityPools",
        "cognito-sync:GetCognitoEvents",
        "cognito-sync:SetCognitoEvents",
        "dynamodb:*",
        "events:*",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kinesis:PutRecord",
        "lambda:*",
        "logs:*",
        "s3:*",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:Subscribe",
        "sns:Unsubscribe"
      ],
      "Resource": "*"
    }
  ]
}

I am stuck as step 6 while setting Lambda function handler and role while selecting "Basic execution role" with error

User: arn:aws:iam::xxxx:user/Yyyy is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::xxxx:role/lambda_basic_exec

My role policy looked sth like this:

   {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          "Resource": "arn:aws:logs:*:*:*"
        },       
        { 
          "Effect": "Allow",
          "Action": [
            "ec2:Describe*",
            "ec2:Start*",
            "ec2:RunInstances",
            "ec2:Stop*",
           ],
           "Resource": "*"
        }
      ]
    }

That seems reasonable given my limited rights.

What should I ask my Admin to update policy assigned to me, so I can successfully set scheduled event for lambda function as described in tutorial ? Or this can be done in some other way around using IAM e.g by adding new role ? I want only sufficient rights.

2
amazon-web-servicesaws-lambdaamazon-iam

2 Answers

5
votes

you have a security constraint, as you would need the "iam:CreateRole" in your policy, along with something like "iam:attachRolePolicy" and "iam:createPolicy". So with that you would basically be admin of your account, as you could create roles with any policy and attach it to an EC2 instance or assume it directly.

What you could do is having your admin create one or several roles for lambda, e.g one for S3 access, one for ec2 commands etc. When you want then to create a lambda function, choose one of these pre-created roles instead of creating a new one.

6
votes

As some time has passed since this question was answered and AWS changed a lot, I want to mention a new feature which was launched by AWS in 2018: Permissions Boundaries for IAM Entities [1].

They are used "to delegate permissions management to trusted employees" [2] and other IAM entities (such as roles).
That is, you do not need to grant a specific role admin-like permissions in order to create other roles as the accepted answer states. You may grant the role iam:CreateRole permission with a condition that requires a permission boundary being set on each newly created role: {"StringEquals": {"iam:PermissionsBoundary": "arn:aws:iam::111122223333:policy/XCompanyBoundaries"}}.

The policy which is specified by the permission boundary defines the maximum permission which are effectively assigned to the role. [1]

In order to create a role with a permission boundary you can e.g. use the optional parameter --permissions-boundary for the cli command aws iam create-role. [3]

References

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
[2] https://aws.amazon.com/blogs/security/delegate-permission-management-to-developers-using-iam-permissions-boundaries/
[3] https://docs.aws.amazon.com/cli/latest/reference/iam/create-role.html