
Enable VPC Access for AWS Lambda Functions

Security

Risk level: Medium (should be achieved)

Ensure that your Amazon Lambda functions have access to VPC-only resources such as AWS Redshift data warehouses, AWS ElastiCache clusters, AWS RDS database instances, and service endpoints that are only accessible from within a particular Virtual Private Cloud (VPC).

Based on your application requirements, you can configure your Amazon Lambda function to be associated with the appropriate Virtual Private Cloud. For example, to access resources inside a private VPC, you must provide additional VPC-specific configuration information that includes the VPC subnet IDs and security group IDs. Amazon Lambda service uses this configuration information to set up Elastic Network Interfaces (ENIs) that enable your function to connect securely to other resources available within your private VPC.

Audit

To determine if your AWS Lambda functions are associated with VPCs, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Lambda dashboard at https://console.aws.amazon.com/lambda/.

03 In the navigation panel, under AWS Lambda section, choose Functions.

04 Choose the Lambda function that you want to examine then click on the function name to access its configuration page.

05 Select the Configuration tab to access the panel with the configuration details available for the selected function.

06 In the Network section, check the VPC identifier selected in the Virtual Private Cloud (VPC) dropdown list. If no VPC is selected and the dropdown shows the No VPC option instead, the selected Amazon Lambda function is not associated with any Virtual Private Cloud, hence the function cannot access VPC-specific AWS resources.

07 Repeat steps no. 4 – 6 to determine if other AWS Lambda functions, created in the current region, are associated with VPC networks.

08 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run list-functions command (OSX/Linux/UNIX) to list the names of all AWS Lambda functions currently available in the selected region:

aws lambda list-functions \
	--region us-east-1 \
	--output table \
	--query 'Functions[*].FunctionName'

02 The command output should return a table with the requested function names:

-------------------------
|     ListFunctions     |
+-----------------------+
|  cc-export-user-data  |
|  cc-process-queues    |
+-----------------------+

03 Run get-function command (OSX/Linux/UNIX) using the name of the function that you want to examine as identifier and custom query filters to get the ID of the Virtual Private Cloud (VPC) associated with the selected AWS Lambda function:

aws lambda get-function \
	--region us-east-1 \
	--function-name cc-export-user-data \
	--query 'Configuration.VpcConfig.VpcId'

04 The command output should return the requested VPC ID if the function is configured to access a VPC, null if the function has never been associated with a VPC, or an empty string ("") if the function was associated with a VPC at one point but no longer is:

null

If the get-function command output returns null or an empty string (""), the selected Amazon Lambda function is not currently associated with any VPC network available within your AWS account, therefore the function cannot access VPC-specific resources.

05 Repeat step no. 3 and 4 to determine if other AWS Lambda functions, available in the selected region, are associated with VPC networks.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.
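As an added audit helper (not Cloud Conformity's own code), the three outcomes that step 04 describes are classified below in Python over constructed sample function configurations, and the per-region loop of step 06 is written out; the region loop is an assumption that shells out to the same aws CLI the page uses and relies on list-functions returning each function's VpcConfig.

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample records (not real AWS output) covering the three states the
# audit distinguishes: a VPC ID, an empty VpcId left behind after detaching, and
# no VpcConfig at all (what the page's --query shows as null).
SAMPLE_CONFIGS: List[Dict] = [
    {"FunctionName": "cc-export-user-data",
     "VpcConfig": {"SubnetIds": ["subnet-abcdabcd", "subnet-12341234"],
                   "SecurityGroupIds": ["sg-0abcd1234abcd1234"],
                   "VpcId": "vpc-aabbccdd"}},
    {"FunctionName": "cc-process-queues",
     "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": [], "VpcId": ""}},
    {"FunctionName": "cc-never-in-vpc"},
]


def vpc_status(config: Dict) -> str:
    """Classify one FunctionConfiguration object (the 'Configuration' member of
    get-function output, or one item of list-functions' 'Functions' array)."""
    vpc_id = (config.get("VpcConfig") or {}).get("VpcId")
    if vpc_id:
        return "attached"        # VpcId holds a vpc-... identifier
    if vpc_id == "":
        return "detached"        # was in a VPC once; VpcConfig is now emptied
    return "never-attached"      # VpcConfig absent, so the query prints null


def findings(configs: List[Dict]) -> List[str]:
    """Names of functions that cannot reach VPC-only resources, in list order."""
    return [c["FunctionName"] for c in configs if vpc_status(c) != "attached"]


def list_function_configs(region: str) -> List[Dict]:
    """Run the list-functions call from step 01 (JSON output) and return its
    'Functions' array; needs the aws CLI and credentials, so not run offline."""
    proc = subprocess.run(
        ["aws", "lambda", "list-functions", "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)["Functions"]


def audit_regions(regions: List[str]) -> Dict[str, List[str]]:
    """Step 06 as a loop: findings keyed by region (assumed region list)."""
    return {region: findings(list_function_configs(region)) for region in regions}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; against a real account
    # call audit_regions(["us-east-1", "eu-west-1"]) instead.
    for cfg in SAMPLE_CONFIGS:
        print(f"{cfg['FunctionName']}: {vpc_status(cfg)}")
```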

Remediation / Resolution

To associate your existing Amazon Lambda function with a Virtual Private Cloud, you have to update the function's network configuration. To do that, you select one of your VPCs and identify the relevant subnets and security groups. The AWS Lambda service uses this information to set up Elastic Network Interfaces (ENIs) and private IP addresses (taken from the subnet(s) that you specified) so that your function has access to the AWS resources within the selected VPC. To update the network configuration for your Lambda functions, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Lambda dashboard at https://console.aws.amazon.com/lambda/.

03 In the navigation panel, under AWS Lambda section, choose Functions.

04 Select the AWS Lambda function that you want to reconfigure.

05 Click the Actions dropdown button from the dashboard top menu and select View details option.

06 Select the Configuration tab to access the panel with the configuration details available for the selected function.

07 Inside the Network section, perform the following actions:

  1. From the Virtual Private Cloud (VPC) dropdown list, select the ID of the VPC network that you want to associate with the selected function.
  2. From the Subnets dropdown list, choose the VPC subnets that Amazon Lambda will use to set up your VPC configuration. Select at least two subnets so that AWS Lambda can execute your function in high availability mode.
  3. From the Security groups dropdown list, select the VPC security group(s) that Amazon Lambda service will use to set up your VPC network configuration. When you associate your Lambda function with a VPC, the function loses default internet access. If you require external internet access for your AWS Lambda function, ensure that the selected security group(s) allow(s) outbound connections and make sure that your VPC has a NAT gateway attached.

08 Once the function’s network configuration is set, click the Save button from the dashboard top menu to update the Amazon Lambda function configuration and associate it with the specified VPC.

09 Repeat steps no. 4 – 8 to update the network configuration for other Lambda functions created in the current AWS region.

10 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run update-function-configuration command (OSX/Linux/UNIX) to update the network configuration for the specified Amazon Lambda function, associating it with a Virtual Private Cloud (VPC) and giving it network connectivity to AWS resources within that VPC. Note that once a Lambda function is connected to a VPC, it can reach the Internet only through that VPC (for example via a NAT gateway):

aws lambda update-function-configuration \
	--region us-east-1 \
	--function-name cc-export-user-data \
	--vpc-config SubnetIds="subnet-abcdabcd","subnet-12341234",SecurityGroupIds="sg-0abcd1234abcd1234"

02 The command output should return the metadata (including VPC network configuration metadata) for the modified Amazon Lambda function:

{
    "FunctionName": "cc-export-user-data",
    "LastModified": "2019-03-12T13:29:33.867+0000",
    "MemorySize": 128,
    "Version": "$LATEST",
    "Role": "arn:aws:iam::123456789012:role/service-role/cc-function-role",
    "Timeout": 5,
    "Runtime": "nodejs8.10",
    "TracingConfig": {
        "Mode": "PassThrough"
    },
 
    ...
 
    "Description": "",
    "VpcConfig": {
        "SubnetIds": [
            "subnet-abcdabcd",
            "subnet-12341234"
        ],
        "VpcId": "vpc-aabbccdd",
        "SecurityGroupIds": [
            "sg-0abcd1234abcd1234"
        ]
    },
    "Handler": "index.handler"
}

03 Repeat step no. 1 and 2 to update the network configuration for other Lambda functions available in the selected AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the remediation/resolution process for other regions.

Publication date Mar 16, 2019