I know that I can fix this policy with an AWS managed role or a wildcard on the resource, but my question is: how can I specify which resource is performing those actions over ec2:?
I want to set a specific Lambda to perform those actions in my policy, like this. I've tried it, but it throws the same error as above; it only works if I put * as the resource.
    {
      Action = [
        "ec2:AttachNetworkInterface",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DetachNetworkInterface",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:ResetNetworkInterfaceAttribute",
      ]
      Effect   = "Allow"
      Resource = "arn:aws:lambda:<region>:<acc_id>:function:myfunction"
    }
First of all, when defining an IAM policy, the Resource is what these actions are applied to, rather than who can perform these actions. So the Resource here wouldn't be a Lambda, but would be some EC2 resources. The resource that performs these actions (your Lambda) is where you attach the IAM role.

That being said, not all EC2 actions have resource-level permissions, and DescribeNetworkInterfaces is one that doesn't. This means that you wouldn't be able to specify a specific resource for this action, and have to use '*'.
References:
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html
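The two points in the answer (Resource names the EC2 objects acted on, and Describe* calls only work with "*") map to a policy with two statements. The following is an added example, not code from the question or the answer: it builds that split policy as a plain JSON document (the dicts correspond one-to-one to what you would put inside jsonencode in Terraform) and includes a small lint that catches both mistakes in the question, an ec2: action scoped to a Lambda ARN and a Describe* action scoped to anything but "*". The region, account id, and the list of actions without resource-level permissions are assumptions here; confirm the latter against the Service Authorization Reference linked above before adding actions.

```python
"""Split EC2 permissions for a Lambda execution role by resource-level support.

Added example, not part of the original question or answer.
"""
import json

# Assumption: these EC2 actions list no resource types in the Service
# Authorization Reference, so they are only granted with Resource = "*".
NO_RESOURCE_LEVEL = {
    "ec2:DescribeInstances",
    "ec2:DescribeNetworkInterfaces",
}

# ENI actions from the question that do support resource-level permissions.
ENI_ACTIONS = [
    "ec2:AttachNetworkInterface",
    "ec2:CreateNetworkInterface",
    "ec2:DeleteNetworkInterface",
    "ec2:DetachNetworkInterface",
    "ec2:ModifyNetworkInterfaceAttribute",
    "ec2:ResetNetworkInterfaceAttribute",
]


def scoped_resources(region, account_id):
    """EC2 ARNs the ENI actions operate on (the targets, not the Lambda)."""
    base = f"arn:aws:ec2:{region}:{account_id}"
    types = ("network-interface", "subnet", "security-group", "instance")
    return [f"{base}:{t}/*" for t in types]


def build_policy(region, account_id):
    """Wildcard statement for Describe*, account/region-scoped ARNs for the rest."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DescribeNeedsWildcard",
                "Effect": "Allow",
                "Action": sorted(NO_RESOURCE_LEVEL),
                "Resource": "*",
            },
            {
                "Sid": "ManageEnisInThisAccount",
                "Effect": "Allow",
                "Action": list(ENI_ACTIONS),
                "Resource": scoped_resources(region, account_id),
            },
        ],
    }


def find_misscoped_actions(policy):
    """Return (sid, action, resource) tuples for actions that cannot work as written.

    Flags a Describe* action given anything but "*", and any ec2: action whose
    Resource is an ARN of another service (for example a Lambda function ARN).
    """
    problems = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            for res in resources:
                if res == "*":
                    continue
                service = res.split(":")[2] if res.startswith("arn:") else ""
                if action in NO_RESOURCE_LEVEL or (action.startswith("ec2:") and service != "ec2"):
                    problems.append((stmt.get("Sid", ""), action, res))
    return problems


# The statement from the question, reconstructed as JSON (constructed input;
# the account id and function name are placeholders).
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "FromQuestion",
        "Effect": "Allow",
        "Action": sorted(NO_RESOURCE_LEVEL) + ENI_ACTIONS,
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:myfunction",
    }],
}

if __name__ == "__main__":
    print(json.dumps(build_policy("us-east-1", "123456789012"), indent=2))
    for sid, action, res in find_misscoped_actions(QUESTION_POLICY):
        print(f"{sid}: {action} cannot be scoped to {res}")
```

The generated document is what goes into the execution role's policy; the role itself is then attached to the function, which is how the Lambda ends up as the principal performing the calls. The ARN patterns in scoped_resources are deliberately wide (every ENI, subnet, security group and instance in the account and region) so they are no tighter than the answer supports; narrowing them further is a separate exercise.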