LambdaEC2AccessDeniedException - Lambda EC2 Access Denied

Getting a **LambdaEC2AccessDeniedException** means your Lambda function cannot reach the VPC or EC2 resources it needs: either the Lambda execution role lacks the EC2 permissions required to create and manage network interfaces, or security groups and network ACLs are blocking access. This is a client-side (4xx) error raised when AWS validates the function's VPC permissions. It is most often caused by a missing EC2 permission on the execution role, but it also appears when security group rules are too restrictive, network ACLs block traffic, route tables are misconfigured, or ENI creation fails.

Common Causes

  • Identity: Lambda execution role lacks EC2 permissions (ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DeleteNetworkInterface). IAM policy doesn't allow VPC access. Service Control Policy (SCP) restricts EC2 access.
  • Network: Security group rules too restrictive. Network ACL blocking access. Route table misconfiguration. VPC endpoint restrictions.
  • Limits: Insufficient VPC permissions. ENI creation failure. ENI limit reached. Subnet IP address limit.

Solutions

  1. Diagnose - Check the Lambda VPC configuration: aws lambda get-function-configuration --function-name FUNCTION_NAME --query 'VpcConfig' --output json. Verify that a VPC, subnets, and security groups are configured.
  2. Diagnose - Check the execution role's permissions: aws iam get-role-policy --role-name ROLE_NAME --policy-name POLICY_NAME. Verify the role has the ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, and ec2:DeleteNetworkInterface permissions.
  3. Diagnose - Check security group rules: aws ec2 describe-security-groups --group-ids sg-XXXXX --query 'SecurityGroups[0].IpPermissions' --output json. Verify the rules allow the necessary traffic.
  4. Fix - Attach the VPC execution role policy: aws iam attach-role-policy --role-name ROLE_NAME --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole. Or create a custom policy with the EC2 permissions.
  5. Fix - Configure security groups and NACLs: update security group rules to allow Lambda traffic, review network ACL rules, and verify route tables allow the necessary traffic. Check ENI limits: aws service-quotas get-service-quota --service-code ec2 --quota-code L-0263D0A3.

Code Examples

Check Lambda VPC Configuration and Execution Role

```bash
#!/bin/bash
FUNCTION_NAME="my-function"
VPC_POLICY_ARN="arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"

echo "=== Lambda VPC Configuration ==="
aws lambda get-function-configuration \
  --function-name "${FUNCTION_NAME}" \
  --query 'VpcConfig' \
  --output json

# Get the execution role name: the last path component of the role ARN, so
# roles created with a path (e.g. .../role/service-role/my-role) still resolve
EXECUTION_ROLE=$(aws lambda get-function-configuration \
  --function-name "${FUNCTION_NAME}" \
  --query 'Role' \
  --output text | awk -F/ '{print $NF}')

printf '\n=== Lambda Execution Role ===\n'
echo "Role: ${EXECUTION_ROLE}"

# Check whether the AWS managed VPC access policy is attached. The query prints
# the matching ARN or nothing, so test the output rather than the exit status:
# the list call succeeds even when no policy matches.
printf '\n=== Checking VPC Permissions ===\n'
ATTACHED=$(aws iam list-attached-role-policies \
  --role-name "${EXECUTION_ROLE}" \
  --query "AttachedPolicies[?PolicyArn=='${VPC_POLICY_ARN}'].PolicyArn" \
  --output text)

if [ -n "${ATTACHED}" ]; then
  echo "✓ VPC execution role policy attached"
else
  echo "✗ VPC execution role policy NOT attached (the EC2 permissions may still come from a custom policy)"
  echo "Attach: aws iam attach-role-policy --role-name ${EXECUTION_ROLE} --policy-arn ${VPC_POLICY_ARN}"
fi
```
Attach VPC Execution Role Policy to Lambda

```bash
#!/bin/bash
FUNCTION_NAME="my-function"
VPC_POLICY_ARN="arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"

# Get the execution role name (last path component of the role ARN)
EXECUTION_ROLE=$(aws lambda get-function-configuration \
  --function-name "${FUNCTION_NAME}" \
  --query 'Role' \
  --output text | awk -F/ '{print $NF}')

echo "=== Attaching VPC Execution Role Policy ==="
echo "Role: ${EXECUTION_ROLE}"

# Attach the AWS managed policy and branch on the command's own exit status
if aws iam attach-role-policy \
     --role-name "${EXECUTION_ROLE}" \
     --policy-arn "${VPC_POLICY_ARN}"; then
  echo "✓ VPC execution role policy attached"

  printf '\n=== Required Permissions ===\n'
  echo "ec2:CreateNetworkInterface"
  echo "ec2:DescribeNetworkInterfaces"
  echo "ec2:DeleteNetworkInterface"
  echo "ec2:AssignPrivateIpAddresses"
  echo "ec2:UnassignPrivateIpAddresses"

  printf '\n=== Verify Policy ===\n'
  aws iam list-attached-role-policies \
    --role-name "${EXECUTION_ROLE}" \
    --output table
else
  echo "✗ Failed to attach policy"
  echo "Check that your own IAM identity is allowed iam:AttachRolePolicy on this role"
fi
```
Check Security Groups and Network ACLs

```bash
#!/bin/bash
FUNCTION_NAME="my-function"

echo "=== Lambda VPC Configuration ==="
VPC_CONFIG=$(aws lambda get-function-configuration \
  --function-name "${FUNCTION_NAME}" \
  --query 'VpcConfig' \
  --output json)

# A function that is not attached to a VPC returns an empty VpcConfig; the "[]?"
# form makes jq print nothing instead of failing in that case
SECURITY_GROUPS=$(echo "${VPC_CONFIG}" | jq -r '.SecurityGroupIds[]?')
SUBNETS=$(echo "${VPC_CONFIG}" | jq -r '.SubnetIds[]?')

echo "Security Groups: ${SECURITY_GROUPS}"
echo "Subnets: ${SUBNETS}"

# Check security group rules
printf '\n=== Security Group Rules ===\n'
for SG in ${SECURITY_GROUPS}; do
  printf '\nSecurity Group: %s\n' "${SG}"
  aws ec2 describe-security-groups \
    --group-ids "${SG}" \
    --query 'SecurityGroups[0].[GroupName,IpPermissions]' \
    --output json | jq '.'
done

# Check network ACLs (first 10 entries of the ACL associated with each subnet)
printf '\n=== Network ACLs ===\n'
for SUBNET in ${SUBNETS}; do
  printf '\nSubnet: %s\n' "${SUBNET}"
  # With --output text, a query that matches nothing prints "None"
  NETWORK_ACL=$(aws ec2 describe-network-acls \
    --filters "Name=association.subnet-id,Values=${SUBNET}" \
    --query 'NetworkAcls[0].NetworkAclId' \
    --output text)

  if [ -n "${NETWORK_ACL}" ] && [ "${NETWORK_ACL}" != "None" ]; then
    echo "Network ACL: ${NETWORK_ACL}"
    aws ec2 describe-network-acls \
      --network-acl-ids "${NETWORK_ACL}" \
      --query 'NetworkAcls[0].Entries' \
      --output table | head -10
  else
    echo "No network ACL found for ${SUBNET}"
  fi
done
```
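The scripts above only tell you whether one managed policy is attached, and aws iam get-role-policy only shows inline policies; a role can hold the EC2 permissions through a custom policy or lose them to an explicit Deny in another attached policy or a permissions boundary. This added script (not from the original page) asks the IAM policy simulator for the effective decision on each of the five EC2 actions listed above; it takes the role name as its first argument, and the sample input in the comments is constructed.

```bash
#!/bin/bash
# Added example: check the role's *effective* permission for each EC2 action
# Lambda needs, using the IAM policy simulator rather than policy attachment.

# The EC2 actions Lambda uses to create and manage its VPC network interfaces
REQUIRED_ACTIONS="ec2:CreateNetworkInterface ec2:DescribeNetworkInterfaces \
ec2:DeleteNetworkInterface ec2:AssignPrivateIpAddresses ec2:UnassignPrivateIpAddresses"

# Reads "action<TAB>decision" lines on stdin (the shape simulate_role produces,
# e.g. the constructed line "ec2:DeleteNetworkInterface<TAB>implicitDeny") and
# prints "action decision" for every action not "allowed": implicitDeny means no
# policy grants it, explicitDeny means a Deny statement wins over any Allow.
# Returns 0 when every action is allowed, 1 otherwise.
denied_actions() {
  status=0
  tab=$(printf '\t')
  while IFS="${tab}" read -r action decision; do
    [ -z "${action}" ] && continue
    if [ "${decision}" != "allowed" ]; then
      echo "${action} ${decision}"
      status=1
    fi
  done
  return "${status}"
}

# Asks IAM to evaluate the role's policies for each required action, the same
# evaluation the IAM policy simulator performs, and emits action/decision pairs
simulate_role() {
  role_arn=$(aws iam get-role --role-name "$1" --query 'Role.Arn' --output text)
  # shellcheck disable=SC2086  # REQUIRED_ACTIONS is meant to be word-split
  aws iam simulate-principal-policy \
    --policy-source-arn "${role_arn}" \
    --action-names ${REQUIRED_ACTIONS} \
    --query 'EvaluationResults[].[EvalActionName,EvalDecision]' \
    --output text
}

main() {
  if simulate_role "$1" | denied_actions; then
    echo "✓ $1 is allowed all required EC2 actions"
  else
    echo "✗ $1 is denied the EC2 actions listed above"
    exit 1
  fi
}

# Run the live check only when a role name is given, so the functions can
# also be sourced and exercised with constructed input
if [ $# -gt 0 ]; then main "$1"; fi
```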

Provider Information

This error code is specific to AWS services. For more information, refer to the official AWS documentation.
