Giving access to AWS Lambda service with limited policy

I am trying to follow this tutorial to set up a Lambda function to shut down/start up EC2 instances that have a special tag added to them.

The policy assigned to my role by the Admin user gives me access to all Lambda functions, e.g. by

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*",
        "cognito-identity:ListIdentityPools",
        "cognito-sync:GetCognitoEvents",
        "cognito-sync:SetCognitoEvents",
        "dynamodb:*",
        "events:*",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kinesis:PutRecord",
        "lambda:*",
        "logs:*",
        "s3:*",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:Subscribe",
        "sns:Unsubscribe"
      ],
      "Resource": "*"
    }
  ]
}

I am stuck at step 6 while setting the Lambda function handler and role: selecting "Basic execution role" fails with the error

User: arn:aws:iam::xxxx:user/Yyyy is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::xxxx:role/lambda_basic_exec

My role policy looked something like this (the trailing comma after "ec2:Stop*" in the original paste is invalid JSON and is removed here):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:Start*",
        "ec2:RunInstances",
        "ec2:Stop*"
      ],
      "Resource": "*"
    }
  ]
}

That seems reasonable given my limited rights.

What should I ask my Admin to update in the policy assigned to me, so that I can successfully set a scheduled event for the Lambda function as described in the tutorial? Or can this be done some other way using IAM, e.g. by adding a new role? I want only sufficient rights.

sakhunzai Avatar asked Jan 22 '16 12:01



1 Answer

As some time has passed since this question was answered and AWS changed a lot, I want to mention a new feature which was launched by AWS in 2018: Permissions Boundaries for IAM Entities [1].

They are used "to delegate permissions management to trusted employees" [2] and other IAM entities (such as roles).
That is, you do not need to grant a specific role admin-like permissions in order to create other roles, as the accepted answer states. You may grant the role the iam:CreateRole permission with a condition that requires a permissions boundary to be set on each newly created role: {"StringEquals": {"iam:PermissionsBoundary": "arn:aws:iam::111122223333:policy/XCompanyBoundaries"}}.

The policy specified by the permissions boundary defines the maximum permissions which are effectively assigned to the role. [1]

In order to create a role with a permissions boundary you can e.g. use the optional parameter --permissions-boundary of the CLI command aws iam create-role. [3]

References

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
[2] https://aws.amazon.com/blogs/security/delegate-permission-management-to-developers-using-iam-permissions-boundaries/
[3] https://docs.aws.amazon.com/cli/latest/reference/iam/create-role.html

Martin Löper Avatar answered Oct 16 '22 06:10

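To make the delegation pattern from the answer concrete, here is an added example (not part of the question, the answer, or any AWS documentation) that writes out the three policy documents involved and models, in a deliberately simplified way, how IAM would treat them: the delegation policy the admin attaches to the developer, gating iam:CreateRole on the iam:PermissionsBoundary condition; the boundary policy that caps every role created that way; and the role policy from the question. The account id 111122223333, the boundary policy name XCompanyBoundaries and the role-name prefix lambda_* are constructed placeholders. The evaluator only handles Allow statements with string-equality conditions and wildcard action/resource matching; real IAM evaluation (explicit Deny, NotAction, SCPs, session policies) is richer than this.

```python
import fnmatch
import json

# Constructed placeholders, not real account or policy values.
ACCOUNT_ID = "111122223333"
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/XCompanyBoundaries"

# 1. Delegation policy the admin attaches to the developer's IAM user or role.
#    iam:CreateRole is allowed only for lambda_* roles AND only when the
#    request sets the permissions boundary to the company boundary policy.
DELEGATION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateRole",
            "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role/lambda_*",
            "Condition": {
                "StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}
            },
        }
    ],
}

# 2. The boundary policy: the ceiling for any role created under the
#    delegation above. Scoped to what the question's scheduler needs.
BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
                "ec2:Describe*", "ec2:Start*", "ec2:Stop*",
            ],
            "Resource": "*",
        }
    ],
}

# 3. The role policy as written by the developer (taken from the question,
#    including ec2:RunInstances, which the boundary does not grant).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:*:*:*",
        },
        {
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "ec2:Start*", "ec2:RunInstances", "ec2:Stop*"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(name, patterns):
    """Case-insensitive IAM-style wildcard match ('*' and '?')."""
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)


def _allowed_actions(policy):
    actions = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow":
            actions.extend(_as_list(stmt["Action"]))
    return actions


def create_role_allowed(delegation_policy, requested_role_arn, boundary_arn):
    """Simplified decision for a CreateRole call: True only if an Allow statement
    matches the action, the role ARN and the iam:PermissionsBoundary condition.
    boundary_arn=None models a CreateRole request that passes no boundary."""
    for stmt in delegation_policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not _matches("iam:CreateRole", _as_list(stmt["Action"])):
            continue
        if not _matches(requested_role_arn, _as_list(stmt["Resource"])):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PermissionsBoundary")
        if required is None or required == boundary_arn:
            return True
    return False


def effective_allow(role_policy, boundary_policy, action):
    """With a boundary attached, an action is effective only if BOTH the role's
    own policy and the boundary allow it (the boundary never grants on its own)."""
    return _matches(action, _allowed_actions(role_policy)) and _matches(
        action, _allowed_actions(boundary_policy)
    )


if __name__ == "__main__":
    role_arn = f"arn:aws:iam::{ACCOUNT_ID}:role/lambda_basic_exec"
    print("CreateRole with boundary:   ", create_role_allowed(DELEGATION_POLICY, role_arn, BOUNDARY_ARN))
    print("CreateRole without boundary:", create_role_allowed(DELEGATION_POLICY, role_arn, None))
    for action in ("ec2:StopInstances", "ec2:RunInstances", "logs:PutLogEvents"):
        print(f"effective {action}:", effective_allow(ROLE_POLICY, BOUNDARY_POLICY, action))
    # The matching CLI call from the answer would look like (file paths are placeholders):
    #   aws iam create-role --role-name lambda_basic_exec \
    #       --assume-role-policy-document file://trust.json \
    #       --permissions-boundary arn:aws:iam::111122223333:policy/XCompanyBoundaries
    print(json.dumps(DELEGATION_POLICY, indent=2))
```

Running it shows the two properties the answer relies on: the developer's CreateRole succeeds only when the boundary ARN is supplied, so the error from step 6 of the question goes away without granting admin-like IAM rights; and even though the developer's role policy lists ec2:RunInstances, that action is not effective because the boundary does not include it, while ec2:StopInstances and the logs actions are.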