{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow", 
            "Action": [
                "lambda:*",
                "s3:Get*",
                "ecr:Get*",
                "ecr:BatchGet*",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs"
            ],
            "Resource": "*"
        },
        {
            "Action": "iam:PassRole",
            "Condition": {
              "StringEquals": {
                "iam:PassedToService": "lambda.amazonaws.com"
              }
            },
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}