Ensure that your Amazon Lambda functions have access to VPC-based resources such as Amazon Redshift data warehouses, Amazon ElastiCache clusters, RDS database instances, and service endpoints that are only accessible from within a particular Virtual Private Cloud (VPC).
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Based on your application requirements, you can associate your Amazon Lambda functions with the appropriate Virtual Private Cloud (VPC). For example, to access the cloud resources provisioned inside a private VPC, you must provide additional VPC-specific configuration information that includes the VPC subnet IDs and security group IDs. Amazon Lambda uses this configuration information to set up Elastic Network Interfaces (ENIs) that enable your functions to connect securely to other cloud resources available within your private VPC.
Audit
To determine if your Amazon Lambda functions are associated with Virtual Private Clouds (VPCs), perform the following operations:
Remediation / Resolution
To associate an existing Amazon Lambda function with a Virtual Private Cloud (VPC), you have to update your function's network configuration. In order to do that, you simply select one of your VPCs and identify the relevant subnets and security groups. Amazon Lambda makes use of this information to set up the Elastic Network Interfaces (ENIs) and private IP addresses (taken from the subnet(s) that you specified) so that your function has access to the cloud resources within the selected VPC. To update the network configuration for your Amazon Lambda functions, perform the following operations:
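To tie the audit and remediation steps above together, here is an added example (not Conformity's own tooling or AWS code) in Python: it evaluates the VpcConfig block that `aws lambda get-function-configuration` returns for a set of constructed sample functions, flags the ones that are not attached to a VPC, and builds the matching `update-function-configuration` call. The function names, subnet IDs and security group IDs are made-up sample values.

```python
# Constructed sample data: the shape of `aws lambda get-function-configuration`
# output for three functions. Note that a function which is NOT attached to a
# VPC can still carry a VpcConfig block, with an empty VpcId and empty lists,
# so checking for the mere presence of the key is not a valid audit.
SAMPLE_CONFIGS = [
    {"FunctionName": "orders-api",
     "VpcConfig": {"SubnetIds": ["subnet-0a1", "subnet-0b2"],
                   "SecurityGroupIds": ["sg-0c3"], "VpcId": "vpc-0d4"}},
    {"FunctionName": "nightly-report",
     "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": [], "VpcId": ""}},
    {"FunctionName": "legacy-cleanup"},  # VpcConfig key absent entirely
]


def is_vpc_attached(config):
    """True only if the function has a VpcId plus at least one subnet and one
    security group; anything less means Lambda cannot create the ENIs."""
    vpc = config.get("VpcConfig") or {}
    return (bool(vpc.get("VpcId"))
            and bool(vpc.get("SubnetIds"))
            and bool(vpc.get("SecurityGroupIds")))


def audit(configs):
    """Audit step: return the names of functions not associated with a VPC."""
    return [c["FunctionName"] for c in configs if not is_vpc_attached(c)]


def remediation_command(function_name, subnet_ids, security_group_ids):
    """Remediation step: build the CLI call (as an argv list) that attaches the
    function to the chosen subnets and security groups. The --vpc-config value
    uses the CLI shorthand syntax documented for update-function-configuration."""
    if not subnet_ids or not security_group_ids:
        raise ValueError("at least one subnet ID and one security group ID are required")
    vpc_arg = "SubnetIds=%s,SecurityGroupIds=%s" % (
        ",".join(subnet_ids), ",".join(security_group_ids))
    return ["aws", "lambda", "update-function-configuration",
            "--function-name", function_name, "--vpc-config", vpc_arg]


if __name__ == "__main__":
    for name in audit(SAMPLE_CONFIGS):
        # Sample remediation targets; replace with your own subnet and SG IDs.
        print(" ".join(remediation_command(name, ["subnet-0a1"], ["sg-0c3"])))
```

In a real audit, feed the script the JSON from `aws lambda get-function-configuration --function-name <name>` for each function listed by `aws lambda list-functions`, and run the printed commands only after confirming the chosen subnets and security groups are the right ones.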
References
- AWS Documentation
  - AWS Lambda FAQs
  - Configuring AWS Lambda Functions
  - Configuring a Lambda function to access resources in a VPC
- AWS Command Line Interface (CLI) Documentation
  - lambda
    - list-functions
    - get-function
    - update-function-configuration
- CloudFormation Documentation
  - AWS Lambda resource type reference
- Terraform Documentation
  - AWS Provider