|
VPC Access for AWS Lambda Functions
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that your Amazon Lambda functions have access to VPC-only resources such as AWS Redshift data warehouses, AWS ElastiCache clusters, AWS RDS database instances, and service endpoints that are only accessible from within a particular Virtual Private Cloud (VPC).
This rule can help you with the following compliance standards:
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Based on your application requirements, you can configure your Amazon Lambda function to be associated with the appropriate Virtual Private Cloud. For example, to access resources inside a private VPC, you must provide additional VPC-specific configuration information that includes the VPC subnet IDs and security group IDs. Amazon Lambda service uses this configuration information to set up Elastic Network Interfaces (ENIs) that enable your function to connect securely to other resources available within your private VPC.
To determine if your AWS Lambda functions are associated with VPCs, perform the following actions:
01 Sign in to AWS Management Console.
02 Navigate to Lambda dashboard at https://console.aws.amazon.com/lambda/.
03 In the navigation panel, under AWS Lambda section, choose Functions.
04 Choose the Lambda function that you want to examine then click on the function name to access its configuration page.
05 Select the Configuration tab to access the panel with the configuration details available for the selected function.
06 In the Network section, check the VPC identifier selected from the Virtual Private Cloud (VPC) dropdown list. If there is no VPC currently selected, instead the No VPC option is set for the Virtual Private Cloud (VPC), the selected Amazon Lambda function is not associated with any Virtual Private Clouds, hence the function cannot access VPC-specific AWS resources.
07 Repeat steps no. 4 – 6 to determine if other AWS Lambda functions, created in the current region, are associated with VPC networks.
08 Change the AWS region from the navigation bar and repeat the process for the other regions.
01 Run list-functions command (OSX/Linux/UNIX) to list the names of all AWS Lambda functions currently available in the selected region:
aws lambda list-functions --region us-east-1 --output table --query 'Functions[*].FunctionName'
02 The command output should return a table with the requested function names:
------------------------- | ListFunctions | +-----------------------+ | cc-export-user-data | | cc-process-queues | +-----------------------+
03 Run get-function command (OSX/Linux/UNIX) using the name of the function that you want to examine as identifier and custom query filters to get the ID of the Virtual Private Cloud (VPC) associated with the selected AWS Lambda function:
aws lambda get-function --region us-east-1 --function-name cc-export-user-data --query 'Configuration.VpcConfig.VpcId'
04 The command output should return the VPC ID requested – if the function is configured to access a VPC, null – if the function has not yet been associated with a VPC, or an "" (empty string) – if the function has been associated at one point with a VPC:
null
05 Repeat step no. 3 and 4 to determine if other AWS Lambda functions, available in the selected region, are associated with VPC networks.
06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.
To associate your existing Amazon Lambda function with Virtual Private Cloud(s) you have to update your functions network configuration. In order to do that, you simply select one of your VPCs and identify the relevant subnets and security groups. The AWS Lambda service makes use of this information to set up Elastic Network Interfaces (ENIs) and private IP addresses (taken from the subnet(s) that you specified) so that your function has access to the AWS resources within the selected VPC. To update the network configuration for your Lambda functions, perform the following:
01 Sign in to AWS Management Console.
02 Navigate to Lambda dashboard at https://console.aws.amazon.com/lambda/.
03 In the navigation panel, under AWS Lambda section, choose Functions.
04 Select the AWS Lambda function that you want to reconfigure.
05 Click the Actions dropdown button from the dashboard top menu and select View details option.
06 Select the Configuration tab to access the panel with the configuration details available for the selected function.
07 Inside the Network section, perform the following actions:
08 Once the function’s network configuration is set, click the Save button from the dashboard top menu to update the Amazon Lambda function configuration and associate it with the specified VPC.
09 Repeat steps no. 4 – 8 to update the network configuration for other Lambda functions created in the current AWS region.
10 Change the AWS region from the navigation bar and repeat the process for the other regions.
01 Run update-function-configuration command (OSX/Linux/UNIX) to update the network configuration for the specified Amazon Lambda function in order to associate it with a Virtual Private Cloud (VPC) and set network connectivity to AWS resources within that VPC. Note that when you connect a Lambda function to a VPC network, the access to the Internet can be made only through that VPC:
aws lambda update-function-configuration --region us-east-1 --function-name cc-export-user-data --vpc-config SubnetIds="subnet-abcdabcd","subnet-12341234",SecurityGroupIds="sg-0abcd1234abcd1234"
02 The command output should return the metadata (including VPC network configuration metadata) for the modified Amazon Lambda function:
{
"FunctionName": "cc-export-user-data",
"LastModified": "2019-03-12T13:29:33.867+0000",
"MemorySize": 128,
"Version": "$LATEST",
"Role": "arn:aws:iam::123456789012:role/service-role/cc-function-role",
"Timeout": 5,
"Runtime": "nodejs8.10",
"TracingConfig": {
"Mode": "PassThrough"
},
...
"Description": "",
"VpcConfig": {
"SubnetIds": [
"subnet-abcdabcd",
"subnet-12341234"
],
"VpcId": "vpc-aabbccdd",
"SecurityGroupIds": [
"sg-0abcd1234abcd1234"
]
},
"Handler": "index.handler"
}
03 Repeat step no. 1 and 2 to update the network configuration for other Lambda functions available in the selected AWS region.
04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the remediation/resolution process for other regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s Chat