Remediation TASK fail for missing Autorization

[picoroma]

I had some problem during the remediation phase 👍

Resource handler returned message: "User: arn:aws:sts::8422xxxxxx:assumed-role/EBS-ENCRYPTION-STACK1-EncryptionRemediationRol-F56KAP7MJXHG/Automation-025ab52d-d1b8-4c65-8abf-f570c20e6791 is not authorized to perform: lambda:GetFunction on resource: arn:aws:lambda:eu-west-1:842270965037:function:DetachVolumeLambda-76145994-2407-4011-aa59-258d20090330 because no identity-based policy allows the lambda:GetFunction action (Service: Lambda, Status Code: 403, Request ID: 4f73ad97-916d-4f36-ae73-b1e62bd510b8)" (RequestToken: ca1bd206-929d-1b07-672f-a44995ae4f6e, HandlerErrorCode: AccessDenied)

Seems that the LAMBDA function autorization assigned into the ROLE (STACK1) is not correct.
WORKAROUND
I solved Editing te role and assign the action:
"lambda:GetFunction",
"lambda:DeleteFunction",
"lambda:CreateFunction",
"lambda:InvokeFunction"

Maybe there is some issue with the role created with TASK1 CF template.

After changed the ROLE, I can finish all the remediation TASK... And the Overall status of the remediation task is OK.. But the latest 3 step of the remediation remain in "Pending state".
Is this correct\normal ?

[cicciocaviglia]

This is failing because an error in the template.. as you can see in your case the permission resource for the role should be:
arn:aws:lambda:eu-west-1:842270965037:function:DetachVolumeLambda
but in the template is:
Resource: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function/DetachVolumeLambda*'
that "/" is your issue and it should be fixed in the provided template by replacing it with:
Resource: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:DetachVolumeLambda*'