Ensure AWS Lambda function is configured inside a VPC

By default, Lambda functions are not launched within a virtual private cloud (VPC), so they can only connect to public resources accessible through the internet. You can configure a Lambda function to connect to private subnets in a virtual private cloud (VPC) in your AWS account. Use Amazon Virtual Private Cloud (Amazon VPC) to create a private network for resources such as databases, cache instances, or internal services. Connect your function to the VPC to access private resources while the function is running.

Risk Level: Medium
Cloud Entity: AWS Lambda
CloudGuard Rule ID: D9.AWS.NET.74
Covered by Spectral: No
Category: Compute

GSL LOGIC

Lambda should have vpc

REMEDIATION

From Portal

  1. Open the Functions page of the Lambda console.
  2. Choose a function.
  3. Choose Configuration and then choose VPC.
  4. Under VPC, choose Edit.
  5. Choose a VPC, subnets, and security groups.
    Note: To access private resources, connect your function to private subnets. If your function needs internet access, use network address translation (NAT). Connecting a function to a public subnet doesn't give it internet access or a public IP address.
  6. Choose Save.

From TF
Set vpc_config terraform property as shown:

resource "aws_lambda_function" "example" {
	...
	vpc_config {
		subnet_ids         = [SUBNET-IDS]
		security_group_ids = [SECURITY-GROUP-IDS]
	}
}

From Command Line
To add vpc configuration to an existing lambda, run:

aws lambda update-function-configuration --function-name FUNCTION-NAME --vpc-config SubnetIds=SUBNET-IDS,SecurityGroupIds=SECURITY-GROUP-IDS

References

  1. https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html
  2. https://docs.aws.amazon.com/cli/latest/reference/lambda/update-function-configuration.html

AWS Lambda

AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running.

With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.

Compliance Frameworks

  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset