search

jorgebastida / gordon

λ Gordon is a tool to create, wire and deploy AWS Lambdas using CloudFormation
Other
2.04k stars 137 forks source link

critical issue operating within a VPC due to incorrect IAM privileges #119

Closed ahl closed 6 years ago

ahl commented 7 years ago

My colleague got the following note from AWS support today:

Subject: Action required for AWS Account: XXX: Please update the IAM role (execution role) associated with your Lambda functions

We have detected an IAM role configuration problem that can cause unused Elastic Network interfaces (ENIs) to accumulate in your AWS account. AWS Lambda functions configured for Amazon VPC access set up an ENIs in your VPC to securely access other resources within your private VPC. The Lambda function execution role must have permissions to create, describe, and delete these ENIs. If the role does not have permission to delete ENIs, then Lambda cannot clean up ENIs after use.

It goes on to explain that while the Lambda's roles has ec2:CreateNetworkInterface it lacks ec2:DeleteNetworkInterface and ec2:DescribeNetworkInterfaces which are necessary for proper maintenance.

AWS has a new(?) policy for running Lambdas within a VPC: AWSLambdaENIManagementAccess

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}

Gordon should include those privileges in its default profile. We've accepted the PR in our fork: https://github.com/transposit/gordon/pull/2

crazyprimes commented 7 years ago

+1 - this is breaking my deployment process that uses vpcs. Please merge.

ahl commented 7 years ago

I think this project is dead; we have a fork here with some useful fixes:

https://github.com/transposit/gordon

But we're in the process of migrating off of Gordon.

crazyprimes commented 7 years ago

Really? What do you use instead?

ahl commented 7 years ago

We're just using Terraform. While Gordon is super convenient for stand-alone entities, we found it awkward to have parts of our deployment managed by Gordon and other parts managed by Terraform. In particular have dependencies from Gordon to the Terraform-managed VPC config (apropos of this issue...).

ahl commented 6 years ago

note that this is fixed by https://github.com/jorgebastida/gordon/pull/141/files