AWS Lambda had some major feature upgrades and starts the year right with more language support, custom runtime and layers for more concise code!

As we venture further into the world of automation and Infrastructure as Code (IaC), AWS Lambda embodies this powerful future and allows us to get a real feel of what it’s all set to be. The service offers more seamless work with higher security, reliability and efficiency and at Cloud Conformity, we couldn’t love this service more! This is our review of the service with a background to AWS Lambda, key updates and how Cloud Conformity use AWS Lambda and help you to follow best practice.

AWS Lambda Definition

AWS Lambda is a serverless compute service that automatically runs your code in response to events, while managing all of the background computing resources leaving you to pay for only the compute time consumed. Simply upload your code and the service takes care of everything needed to run and scale your code with high availability for virtually any application. You can set up your code to automatically trigger from other AWS services with custom logic or call it directly from any web or mobile app. With all of the high availability compute resource and admin and maintenance taken care of, all you need to worry about is the code.

AWS Lambda Updates

Lambda’s Multilingualism Continues

During AWS re:Invent 2018, AWS announced that Ruby is a supported language for Lambda. As a popular programming language code for AWS users, you can now write idiomatic Ruby code and run it on AWS further extending what AWS SDK for Ruby initially set out.

SQS as a new Event Source

It was announced last Summer that the fully managed Simple Queuing System (SQS) could finally be used to trigger Lambda functions. The two services interacting keeps in line with AWS aim to take away complexity and high costs when managing message oriented middleware. It’s such a game changer we’ve written a SQS and Lambda blog post dedicated to just this feature!

Lambda Layers

AWS re:Invent 2018 had some more announcements for AWS Lambda, including the introduction of Lambda Layers. The use of layers means you’re able to pull in additional code and content without the need to include them in the deployment package. As the same Lambda function is often widely used across various stacks across an organization, this new feature allows your code to be more concise and focused, makes for speedier deployment and enforces separation of concern between dependencies and business logic.

Lambda Runtime API

At the same time, AWS also announced Lambda Runtime API allowing you to use custom runtimes for your Lambda functions. This new function also gives users the ability to introduce an interpreter for your preferred programming language, and with Ruby, Node.js, Python, Java, Go, .NET already available this is the future of new languages supported in AWS Lambda.

AWS Lambda Best Practice

AWS splits best practice in six different areas when it comes to Lambda, which we will run through here.

  1. Function Code

The primary takeaway here is to keep your code concise. Keep a close eye on the number of dependencies and their complexity, minimise the runtime deployment package and how long it takes to unpack it, and keep connections live for reuse.

  1. Function Configuration

Testing is key. It’s a pretty obvious statement but one that needs to be reminded of to ensure that you have the best memory size and timeout value. It’s also important from a security and reliability standpoint that when using IAM, you implement the most-restrictive permissions, delete any unused Lambda functions and be aware of AWS Lambda Limits.

  1. Alarming and Metrics

The use of AWS CloudWatch means you’re able to effortlessly stay up to date with the health of your AWS Lambda functions. With Lambda Metrics and Dimensions, any app errors are caught.

  1. Stream Event Invokes

It’s worth testing with different batch and record sizes to check how well the function is able to complete its task. A large batch size can often increase your throughput as it’s able to efficiently absorb the invoke overhead. Adding more shards to your Kinesis stream process is also another way to increase throughput.

  1. Async Invokes

By using and creating Dead Letter Queues (a way to analyze event failures using AWS SQS or AWS SNS), you can investigate any async function errors.

  1. Lambda VPC

It’s not necessary to always put a Lambda function in a VPC. By using other AWS services such as Amazon Relational Database or AWS ElasticSearch, you’re able to keep the function secure using IAM without the need to use a secure VPC. If using a VPC, check your ENI capacity and IP address space. The decision tree below can help you decide if a VPC is necessary or not.

At Cloud Conformity, we currently have six dedicated rules to AWS Lambda

Lambda 001: Runtime Environment Version

A great rule to check that your functions are running on the latest AWS Lambda execution environment version so that they benefit from following best practice, and the most recent bug fixes and software features for optimum performance and reliability.

Lambda 002: Unknown Cross Account Access

To ensure that your Lambda functions are only accessible by trusted AWS accounts, this rule checks for and highlights any foreign AWS accounts unless they have been explicitly specified in the rule settings.

Lambda 003: Tracing Enabled

This rule checks that AWS X-Ray, an AWS Lambda monitoring tool, is enabled against your functions, so you have visibility of the data around requests and performance. The clever service gives you insights so you can spot issues and identify areas for optimization.

Lambda 004: Exposed AWS Lambda Function

This rule checks the Lambda policy for any publicly accessible functions so you can update the related AWS Lambda access permissions on the CLI, to ensure that unauthorized users aren’t sending requests to invoke events.

Lambda 005: Lambda Functions with Admin Privileges

As per the AWS best practice of the Principle of Least Privilege (POLP), this rule finds if any AWS Lambda permissions created have been incorrectly given administration permissions so you can rectify it.

Lambda 006: Using an IAM Role For More Than One Lambda

In order to keep to the PoLP (principle of least privilege), it’s imperative that the Lambda IAM role is kept to a strict one-to-one relationship. The IAM role should not be shared between different Lambda functions as each should be accessed with the minimal amount of access to perform its task.

How Cloud Conformity Use AWS Lambda

At Cloud Conformity, we’re big fans of IaC and automation and so the use of AWS Lambda is inherently part of our business.

Our real-time monitoring add-on package includes Auto-remediation, which as the name suggests, automatically remediates a failed check. We do this by providing you with the code (bundled as a Serverless Framework package) to add directly to your AWS account, which includes a trigger to launch a Lambda function to remediate the issue. We love it!

Cloud Conformity provides continuous assurance that your AWS infrastructure is secure, compliant and optimized against the Well-Architected Framework. Our Knowledge Base of 470+ checks running on the platform ensure you’re following best practice and that your Lambda functions are performing efficiently and securely. Check out our free-14 day trial to see for yourself.