Giving access to AWS Lambda service with limited policy

You have a security constraint, as you would need "iam:CreateRole" in your policy, along with something like "iam:attachRolePolicy" and "iam:createPolicy". With that you would basically be admin of your account, as you could create roles with any policy and attach them to an EC2 instance or assume them directly.

What you could do is have your admin create one or several roles for Lambda, e.g. one for S3 access, one for EC2 commands, etc. When you then want to create a Lambda function, choose one of these pre-created roles instead of creating a new one.

As some time has passed since this question was answered and AWS changed a lot, I want to mention a new feature which was launched by AWS in 2018: Permissions Boundaries for IAM Entities [1].

They are used "to delegate permissions management to trusted employees" [2] and other IAM entities (such as roles).
That is, you do not need to grant a specific role admin-like permissions in order to create other roles, as the accepted answer states. You may grant the role the iam:CreateRole permission with a condition that requires a permissions boundary to be set on each newly created role: {"StringEquals": {"iam:PermissionsBoundary": "arn:aws:iam::111122223333:policy/XCompanyBoundaries"}}.

The policy specified as the permissions boundary defines the maximum permissions that are effectively assigned to the role. [1]

In order to create a role with a permissions boundary you can, e.g., use the optional parameter --permissions-boundary of the CLI command aws iam create-role. [3]

References

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
[2] https://aws.amazon.com/blogs/security/delegate-permission-management-to-developers-using-iam-permissions-boundaries/
[3] https://docs.aws.amazon.com/cli/latest/reference/iam/create-role.html
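The following script is an added example written for this page; it is not code from either answer. It spells out the delegation pattern the second answer describes (and keeps the first answer's idea that developers should only use roles set aside for Lambda): a boundary policy that caps what any developer-created role can do, a developer policy whose iam:CreateRole / iam:AttachRolePolicy / iam:PutRolePolicy grants carry the iam:PermissionsBoundary condition, an iam:PassRole grant limited to roles under a /lambda/ path, and the aws iam create-role call with --permissions-boundary. The account id 111122223333 and the policy name XCompanyBoundaries are taken from the answer's condition example; the bucket name, the /lambda/ role path, the role name and the policy name LambdaDeveloper are placeholders I chose. The CLI commands run only when APPLY=1 is set, so the policy documents can be generated and inspected offline.

```shell
#!/bin/sh
# Added example, not from the answers above. Placeholders: ACCOUNT_ID,
# XCompanyBoundaries (both from the answer's condition example), the
# example-bucket name, the /lambda/ role path and the LambdaDeveloper name.
ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"
BOUNDARY_NAME="${BOUNDARY_NAME:-XCompanyBoundaries}"
BOUNDARY_ARN="arn:aws:iam::${ACCOUNT_ID}:policy/${BOUNDARY_NAME}"

# Boundary policy: the ceiling for every role created under it. Whatever a
# developer attaches to such a role is intersected with this document.
boundary_policy() {
cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
EOF
}

# Developer policy: role creation is allowed only in the /lambda/ path and only
# when the boundary is set; roles may be passed only to Lambda; the boundary
# itself and the boundary attachment on those roles cannot be removed.
developer_policy() {
cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateLambdaRolesOnlyWithBoundary",
      "Effect": "Allow",
      "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
      "Resource": "arn:aws:iam::${ACCOUNT_ID}:role/lambda/*",
      "Condition": {"StringEquals": {"iam:PermissionsBoundary": "${BOUNDARY_ARN}"}}
    },
    {
      "Sid": "PassLambdaRolesOnlyToLambda",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::${ACCOUNT_ID}:role/lambda/*",
      "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}
    },
    {
      "Sid": "ProtectTheBoundary",
      "Effect": "Deny",
      "Action": ["iam:DeleteRolePermissionsBoundary", "iam:CreatePolicyVersion",
                 "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
      "Resource": ["arn:aws:iam::${ACCOUNT_ID}:role/lambda/*", "${BOUNDARY_ARN}"]
    }
  ]
}
EOF
}

# Trust policy for a Lambda execution role.
lambda_trust_policy() {
cat <<EOF
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"Service": "lambda.amazonaws.com"},
                "Action": "sts:AssumeRole"}]}
EOF
}

# Guard used before applying: a developer policy that grants role creation
# without the boundary condition would hand out the admin-equivalent the
# first answer warns about.
policy_requires_boundary() {
  printf '%s' "$1" | grep -q '"iam:PermissionsBoundary"'
}

# Admin side: publish both policies. Developer side: the only form of
# create-role the developer policy permits (note the path and the boundary).
apply_with_cli() {
  policy_requires_boundary "$(developer_policy)" || { echo "refusing: no boundary condition" >&2; return 1; }
  aws iam create-policy --policy-name "$BOUNDARY_NAME" --policy-document "$(boundary_policy)"
  aws iam create-policy --policy-name LambdaDeveloper --policy-document "$(developer_policy)"
  aws iam create-role --role-name my-function-role --path /lambda/ \
      --assume-role-policy-document "$(lambda_trust_policy)" \
      --permissions-boundary "$BOUNDARY_ARN"
}

if [ "${APPLY:-0}" = "1" ]; then
  apply_with_cli
fi
```

Run it without APPLY to print nothing and keep the functions available (e.g. `developer_policy | python3 -m json.tool` to review the document); set APPLY=1 with admin credentials to create the policies and the sample role. The Deny statement matters as much as the condition: without it, a developer could strip the boundary from a role after creating it or rewrite the boundary policy's default version.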