My Lambda accesses resources on my VPC, so as instructed in the documentation I've given the Lambda a role to create network interfaces. I was under the assumption that the ENI is reused, but it looks like every invocation is creating a new ENI, which caused it to throw an error:
Lambda was not able to create an ENI in the VPC of the Lambda function because the limit for Network Interfaces has been reached.
I searched Google but couldn't find the best way to solve this issue. Apart from manually deleting these ENIs periodically, is there a better way?
When you create a Lambda function (or update its VPC settings), Lambda allocates a Hyperplane ENI for each subnet in your function's VPC configuration. Multiple Lambda functions can share a network interface, if the functions share the same subnet and security group.
By setting the concurrency reservation and limit of a Lambda function to zero, you can do just that. With the reservation set to zero every invocation of a Lambda function results in being throttled.
If you're doing some sort of long-running processing then your other option may be to run this task on an EC2 instance. If this long-running process can be broken down into multiple steps then you could look into Lambda Step Functions. 15 minutes is the max and this max cannot be extended.
As Mark suggested, the issue was that my AWS Lambda didn't have the DeleteNetworkInterface action specified in the role (policy) that the Lambda was set to. By giving the appropriate policy the Lambda now detaches and deletes the ENI when done.
```json
{
    "Effect": "Allow",
    "Resource": "*",
    "Action": [
        "ec2:DescribeInstances",
        "ec2:CreateNetworkInterface",
        "ec2:AttachNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface",
        "ec2:DetachNetworkInterface",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:ResetNetworkInterfaceAttribute",
        "autoscaling:CompleteLifecycleAction"
    ]
}
```
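The root cause in this thread was a role that could create ENIs but never delete them. The checker below is an added example (not code from the thread or from AWS) that evaluates a Lambda execution role's policy document offline and reports which of the ENI actions are not effectively granted, taking IAM wildcards, string-or-list `Action`/`Resource` forms, `NotAction` and explicit `Deny` into account. The required-action set is an assumption taken from the policy posted above (create, describe, delete); the AWS-managed policy may grant more, and `Condition` / `NotResource` are not evaluated. The sample policies are constructed for the demonstration.

```python
"""Offline check: does a Lambda execution role grant the ENI permissions a
VPC-enabled function needs to create *and* clean up its network interfaces?
Added example, not the thread's or AWS's code."""
import fnmatch
import json

# Assumption: minimal set derived from the policy posted in this thread.
REQUIRED_ENI_ACTIONS = (
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
)


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _matches(name, patterns):
    """IAM action/resource patterns are case-insensitive and support * and ?."""
    name = name.lower()
    return any(fnmatch.fnmatchcase(name, str(p).lower()) for p in patterns)


def _statement_covers(stmt, action):
    """True if the statement's Action/NotAction and Resource apply to `action`."""
    if "NotAction" in stmt:
        action_hit = not _matches(action, _as_list(stmt["NotAction"]))
    else:
        action_hit = _matches(action, _as_list(stmt.get("Action")))
    if not action_hit:
        return False
    # ENI calls need the statement to cover EC2 resources: "*" or an EC2 ARN
    # pattern both qualify. Condition and NotResource are not evaluated here.
    resources = _as_list(stmt.get("Resource"))
    return any(r == "*" or fnmatch.fnmatchcase(str(r).lower(), "arn:*:ec2:*")
               for r in resources)


def evaluate(policy, required=REQUIRED_ENI_ACTIONS):
    """Map each required action to 'allow', 'deny' or 'missing'."""
    statements = _as_list(policy.get("Statement"))
    result = {}
    for action in required:
        verdict = "missing"
        for stmt in statements:
            if not _statement_covers(stmt, action):
                continue
            if stmt.get("Effect") == "Deny":
                verdict = "deny"   # an explicit Deny always wins in IAM
                break
            if stmt.get("Effect") == "Allow":
                verdict = "allow"
        result[action] = verdict
    return result


def missing_eni_actions(policy):
    """Required ENI actions the role does not effectively grant, sorted."""
    return sorted(a for a, v in evaluate(policy).items() if v != "allow")


# Constructed sample policies. BROKEN_POLICY mirrors the situation in the
# thread: ENIs can be created but never deleted, so the VPC limit fills up.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ec2:CreateNetworkInterface",
                              "ec2:DescribeNetworkInterfaces"]}],
}
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ec2:CreateNetworkInterface",
                              "ec2:DescribeNetworkInterfaces",
                              "ec2:DeleteNetworkInterface"]}],
}
# A wildcard grants the actions too, but an explicit Deny elsewhere overrides it.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": "ec2:*NetworkInterface*"}],
}
DENIED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": "ec2:*"},
        {"Effect": "Deny", "Resource": "*",
         "Action": "ec2:DeleteNetworkInterface"},
    ],
}

if __name__ == "__main__":
    for name, pol in [("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY),
                      ("wildcard", WILDCARD_POLICY), ("denied", DENIED_POLICY)]:
        print(name, json.dumps(evaluate(pol)), "missing:", missing_eni_actions(pol))
```

Run it against the JSON of `aws iam get-role-policy` or `get-policy-version` output for the function's execution role; a non-empty `missing_eni_actions` result on a VPC-enabled function is the configuration that leads to the ENI-limit error above.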
The official line from AWS (via their docs and a support ticket) is to use the AWS-managed policy AWSLambdaVPCAccessExecutionRole.
Excerpt from a private support ticket:
The role you are using in your Lambda function has an attached policy "AWSLambdaVPCAccessExecutionRole", which is an AWS managed policy for VPC-enabled Lambda functions. This policy contains all needed permissions and may be updated in future if new permissions are needed due to updates to the service.
It is also worth noting that it can sometimes take several hours for detached ENIs to be reaped.