Ensure that your AWS Lambda functions have access to VPC-only resources.

Ensure your AWS Lambda functions are attached to a VPC so they can securely reach VPC-only resources such as Redshift clusters, ElastiCache nodes, RDS databases, and VPC-restricted service endpoints (interface endpoints that are not reachable from the public internet).

Risk Level: Low
Cloud Entity: AWS Lambda
CloudGuard Rule ID: D9.AWS.NET.1004
Covered by Spectral: No
Category: Compute

GSL LOGIC

Lambda should not have vpc isEmpty()

REMEDIATION

From Portal

  1. Access your AWS Lambda console.
  2. In the navigation panel, select 'Functions' and choose the specific function you wish to inspect.
  3. Navigate to the 'Configuration' section.
  4. Open the 'VPC' panel and check whether a VPC, subnets, and security groups are listed. If none are listed, the function is not attached to a VPC and cannot reach VPC-only resources; choose 'Edit' to select a VPC, at least two subnets (in different Availability Zones), and a security group.

From TF
Enabling AWS Lambda VPC Connectivity with Terraform

Add a vpc_config block to the function resource. The execution role must also be allowed to create and manage the elastic network interfaces Lambda places in your subnets (the AWS managed policy AWSLambdaVPCAccessExecutionRole grants this); without it the apply fails. Note that a VPC-attached function only has internet access if its subnets route through a NAT gateway or the services it needs are reachable via VPC endpoints.

	resource "aws_lambda_function" "example_lambda" {
		function_name = "example_lambda"
		# Role must carry the AWSLambdaVPCAccessExecutionRole permissions (ENI create/describe/delete)
		role          = aws_iam_role.lambda_exec.arn
		handler       = "index.handler"
		runtime       = "python3.12"
		filename      = "function.zip"

		vpc_config {
			# Use private subnets in at least two Availability Zones
			subnet_ids         = ["YOUR_SUBNET", "YOUR_SUBNET"]
			security_group_ids = ["YOUR_SECURITY_GROUP"]
		}
	}

From Command Line
Run the command below to obtain a list of your functions:

aws lambda list-functions --region 'YOUR_REGION' --output table --query 'Functions[*].FunctionName'

Run the command below to determine the VPC ID associated with your Lambda function:

aws lambda get-function --region 'YOUR_REGION' --function-name 'YOUR_FUNCTION_NAME' --query 'Configuration.VpcConfig.VpcId'

If the command returns a VPC ID (for example "vpc-0123456789abcdef0"), the function is attached to that VPC. If it returns null, the function has never been given a VPC configuration. If it returns an empty string, the function was attached to a VPC at some point and later removed; Lambda leaves an empty VpcConfig (no subnets, no security groups) behind. In both of the latter cases the function is not integrated with a VPC and cannot reach your VPC-only resources, so treat null and "" alike when automating this check.
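The two CLI steps above check one function at a time. The script below, added here as an example and not part of the CloudGuard rule or the AWS CLI, applies the same test (the rule's "vpc isEmpty()" condition) to the whole JSON document produced by aws lambda list-functions, and treats a missing VpcConfig and an empty one (VpcId "", no subnets) the same way. The script name and the three sample functions in SAMPLE_RESPONSE are constructed for illustration; the response shape follows the list-functions API, which returns a FunctionConfiguration object (including VpcConfig) per function.

```python
"""Flag Lambda functions that are not attached to a VPC.

Usage (assumed script name lambda_vpc_audit.py):
    aws lambda list-functions --region 'YOUR_REGION' --output json | python3 lambda_vpc_audit.py
    python3 lambda_vpc_audit.py --sample   # run against the constructed sample below

A function counts as detached when the VpcConfig block is absent OR when it is
present but carries no VPC ID / subnets, which is what AWS returns after a
function has been removed from its VPC.
"""
import json
import sys


def vpc_attached(func_cfg: dict) -> bool:
    """True only if the configuration carries a VPC ID and at least one subnet."""
    vpc = func_cfg.get("VpcConfig") or {}
    return bool(vpc.get("VpcId")) and bool(vpc.get("SubnetIds"))


def functions_without_vpc(list_functions_response: dict) -> list:
    """Names of functions failing the rule, sorted for stable output."""
    return sorted(
        f["FunctionName"]
        for f in list_functions_response.get("Functions", [])
        if not vpc_attached(f)
    )


# Constructed sample modelled on the list-functions response shape; not real account data.
SAMPLE_RESPONSE = {
    "Functions": [
        {   # attached: VPC, two subnets and a security group present
            "FunctionName": "orders-db-writer",
            "VpcConfig": {
                "VpcId": "vpc-0123456789abcdef0",
                "SubnetIds": ["subnet-0a1b2c3d4e5f60718", "subnet-0f1e2d3c4b5a69807"],
                "SecurityGroupIds": ["sg-0123456789abcdef0"],
            },
        },
        {   # never attached: no VpcConfig key at all (CLI query would print null)
            "FunctionName": "image-thumbnailer",
        },
        {   # detached later: AWS leaves an empty VpcConfig behind (CLI query would print "")
            "FunctionName": "legacy-report-exporter",
            "VpcConfig": {"VpcId": "", "SubnetIds": [], "SecurityGroupIds": []},
        },
    ]
}


def main(argv: list) -> int:
    """Read a list-functions JSON document from stdin, or use the sample with --sample.

    Returns 1 if any function is outside a VPC (useful as a CI gate), else 0.
    """
    response = SAMPLE_RESPONSE if argv[1:] == ["--sample"] else json.load(sys.stdin)
    offenders = functions_without_vpc(response)
    for name in offenders:
        print(f"NOT IN VPC: {name}")
    return 1 if offenders else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The AWS CLI paginates list-functions automatically, so piping its JSON output into the script covers every function in the region; run it once per region you use. A non-zero exit status makes it easy to wire into a pipeline check.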

References

  1. https://docs.aws.amazon.com/cli/latest/reference/lambda/list-functions.html
  2. https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html

AWS Lambda

AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running.

With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.

Compliance Frameworks

  • CloudGuard AWS All Rules Ruleset