VPC Access for AWS Lambda Functions

01 Sign in to AWS Management Console.

02 Navigate to Lambda dashboard at https://console.aws.amazon.com/lambda/.

03 In the navigation panel, under AWS Lambda section, choose Functions.

04 Choose the Lambda function that you want to examine then click on the function name to access its configuration page.

05 Select the Configuration tab to access the panel with the configuration details available for the selected function.

06 In the Network section, check the VPC identifier selected from the Virtual Private Cloud (VPC) dropdown list. If there is no VPC currently selected, instead the No VPC option is set for the Virtual Private Cloud (VPC), the selected Amazon Lambda function is not associated with any Virtual Private Clouds, hence the function cannot access VPC-specific AWS resources.

07 Repeat steps no. 4 – 6 to determine if other AWS Lambda functions, created in the current region, are associated with VPC networks.

08 Change the AWS region from the navigation bar and repeat the process for the other regions.

01 Run list-functions command (OSX/Linux/UNIX) to list the names of all AWS Lambda functions currently available in the selected region:

aws lambda list-functions
	--region us-east-1
	--output table
	--query 'Functions[*].FunctionName'

02 The command output should return a table with the requested function names:

-------------------------
|     ListFunctions     |
+-----------------------+
|  cc-export-user-data  |
|  cc-process-queues    |
+-----------------------+

03 Run get-function command (OSX/Linux/UNIX) using the name of the function that you want to examine as identifier and custom query filters to get the ID of the Virtual Private Cloud (VPC) associated with the selected AWS Lambda function:

aws lambda get-function
	--region us-east-1
	--function-name cc-export-user-data
	--query 'Configuration.VpcConfig.VpcId'  

04 The command output should return the VPC ID requested – if the function is configured to access a VPC, null – if the function has not yet been associated with a VPC, or an "" (empty string) – if the function has been associated at one point with a VPC:

null

05 Repeat step no. 3 and 4 to determine if other AWS Lambda functions, available in the selected region, are associated with VPC networks.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.

01 Sign in to AWS Management Console.

02 Navigate to Lambda dashboard at https://console.aws.amazon.com/lambda/.

03 In the navigation panel, under AWS Lambda section, choose Functions.

04 Select the AWS Lambda function that you want to reconfigure.

05 Click the Actions dropdown button from the dashboard top menu and select View details option.

06 Select the Configuration tab to access the panel with the configuration details available for the selected function.

07 Inside the Network section, perform the following actions:

1. Select the ID of the VPC network that you want to associated with the selected function from the Virtual Private Cloud (VPC) dropdown list.
2. From the Subnets dropdown list, choose the VPC subnets that Amazon Lambda will use to set up your VPC configuration. Select at least two subnets so that AWS Lambda can execute your function in high availability mode.
3. From the Security groups dropdown list, select the VPC security group(s) that Amazon Lambda service will use to set up your VPC network configuration. When you associate your Lambda function with a VPC, the function loses default internet access. If you require external internet access for your AWS Lambda function, ensure that the selected security group(s) allow(s) outbound connections and make sure that your VPC has a NAT gateway attached.

08 Once the function’s network configuration is set, click the Save button from the dashboard top menu to update the Amazon Lambda function configuration and associate it with the specified VPC.

09 Repeat steps no. 4 – 8 to update the network configuration for other Lambda functions created in the current AWS region.

10 Change the AWS region from the navigation bar and repeat the process for the other regions.

01 Run update-function-configuration command (OSX/Linux/UNIX) to update the network configuration for the specified Amazon Lambda function in order to associate it with a Virtual Private Cloud (VPC) and set network connectivity to AWS resources within that VPC. Note that when you connect a Lambda function to a VPC network, the access to the Internet can be made only through that VPC:

aws lambda update-function-configuration
	--region us-east-1
	--function-name cc-export-user-data
	--vpc-config SubnetIds="subnet-abcdabcd","subnet-12341234",SecurityGroupIds="sg-0abcd1234abcd1234"

02 The command output should return the metadata (including VPC network configuration metadata) for the modified Amazon Lambda function:

{
    "FunctionName": "cc-export-user-data",
    "LastModified": "2019-03-12T13:29:33.867+0000",
    "MemorySize": 128,
    "Version": "$LATEST",
    "Role": "arn:aws:iam::123456789012:role/service-role/cc-function-role",
    "Timeout": 5,
    "Runtime": "nodejs8.10",
    "TracingConfig": {
        "Mode": "PassThrough"
    },
 
    ...
 
    "Description": "",
    "VpcConfig": {
        "SubnetIds": [
            "subnet-abcdabcd",
            "subnet-12341234"
        ],
        "VpcId": "vpc-aabbccdd",
        "SecurityGroupIds": [
            "sg-0abcd1234abcd1234"
        ]
    },
    "Handler": "index.handler"
}

03 Repeat step no. 1 and 2 to update the network configuration for other Lambda functions available in the selected AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the remediation/resolution process for other regions.