A network engineer is troubleshooting an issue where an AWS Lambda function cannot create an Elastic Network Interface (ENI) in a VPC. The function has the IAM policy shown in the exhibit. Which statement explains why the function is failing?
Exhibit
Refer to the exhibit.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:CreateNetworkInterface",
"ec2:AttachNetworkInterface"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "ec2:CreateVpc",
"Resource": "*"
}
]
}
```
- A
The policy denies the ec2:CreateVpc action which is required to create an ENI
Why wrong: Creating an ENI does not require the ec2:CreateVpc action, as the VPC already exists.
- B
The policy allows ec2:DescribeInstances which conflicts with ENI creation
Why wrong: ec2:DescribeInstances is a read-only action unrelated to ENI creation, and IAM Allow statements never conflict with one another; only an explicit Deny overrides an Allow.
- C
The policy denies the ec2:CreateNetworkInterface action
Why wrong: The Allow statement explicitly grants ec2:CreateNetworkInterface; the only Deny in the policy is on ec2:CreateVpc, which does not match any ENI call.
- D
The policy is missing the ec2:CreateNetworkInterfacePermission action
Why correct: Lambda requires ec2:CreateNetworkInterfacePermission to create ENIs on behalf of the function. No statement in the policy matches that action, so the request falls through to IAM's implicit deny and the call fails. When checking a real execution role, compare it against the AWS managed policy AWSLambdaVPCAccessExecutionRole, which grants ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DeleteNetworkInterface, ec2:DescribeSubnets, ec2:AssignPrivateIpAddresses and ec2:UnassignPrivateIpAddresses; the exhibit policy also lacks ec2:DescribeNetworkInterfaces and ec2:DeleteNetworkInterface, which Lambda needs to manage the ENI lifecycle.
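The evaluation rule the answer relies on (an explicit Deny wins, an Allow is needed, and anything unmatched is an implicit deny) can be checked offline against the exhibit policy. The following is an added example, not code from the question or from AWS: a deliberately simplified IAM evaluator for identity-based policies that ignores Condition, NotAction, NotResource, resource policies, SCPs and permission boundaries. The function names `evaluate`, `missing_actions` and `with_action_added` are this example's own, and `ENI_ACTIONS` is the two-action list the question's answer implies, not AWS's documented list.

```python
import copy
import fnmatch
import json

# The exhibit policy from the question, embedded verbatim.
EXHIBIT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeInstances",
                "ec2:CreateNetworkInterface",
                "ec2:AttachNetworkInterface"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:CreateVpc", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM action names match case-insensitively with * and ? wildcards;
    resource ARNs get the same glob treatment here (a simplification)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(policies, action, resource="*"):
    """Simplified identity-policy evaluation (no Condition/NotAction/NotResource,
    no resource policies, SCPs or permission boundaries).
    Returns 'ExplicitDeny', 'Allow' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"          # default when no statement matches
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # an explicit Deny always wins
            decision = "Allow"         # keep scanning: a later Deny could still override
    return decision


def missing_actions(policies, required):
    """Actions in `required` that `policies` would not allow."""
    return [a for a in required if evaluate(policies, a) != "Allow"]


# Hypothetical list taken from the question's answer; for a real role compare
# against AWS's managed AWSLambdaVPCAccessExecutionRole instead.
ENI_ACTIONS = ["ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission"]


def with_action_added(policy, action):
    """Return a copy of `policy` whose first Allow statement also grants `action`."""
    fixed = copy.deepcopy(policy)
    for stmt in _as_list(fixed["Statement"]):
        if stmt["Effect"] == "Allow":
            stmt["Action"] = _as_list(stmt["Action"]) + [action]
            break
    return fixed


FIXED_POLICY = with_action_added(EXHIBIT_POLICY, "ec2:CreateNetworkInterfacePermission")

if __name__ == "__main__":
    for act in ["ec2:CreateNetworkInterface", "ec2:CreateVpc",
                "ec2:CreateNetworkInterfacePermission", "ec2:DescribeInstances"]:
        print(f"{act:45} {evaluate([EXHIBIT_POLICY], act)}")
    print("missing before fix:", missing_actions([EXHIBIT_POLICY], ENI_ACTIONS))
    print("missing after fix: ", missing_actions([FIXED_POLICY], ENI_ACTIONS))
```

Running it shows ec2:CreateNetworkInterface as Allow, ec2:CreateVpc as ExplicitDeny and ec2:CreateNetworkInterfacePermission as ImplicitDeny, which is option D's point: the Deny on ec2:CreateVpc is never consulted for the ENI calls, and the failure comes from the action that no statement mentions. For a live role, `aws iam simulate-principal-policy` performs the real evaluation, including the conditions and boundaries this example leaves out.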