
VPC Access for AWS Lambda Functions

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Lambda-007

Ensure that your Amazon Lambda functions have access to VPC-based resources such as Amazon Redshift data warehouses, Amazon ElastiCache clusters, RDS database instances, and service endpoints that are only accessible from within a particular Virtual Private Cloud (VPC).

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Based on your application requirements, you can associate your Amazon Lambda functions with the appropriate Virtual Private Cloud (VPC). For example, to access the cloud resources provisioned inside a private VPC, you must provide additional VPC-specific configuration information that includes the VPC subnet IDs and security group IDs. Amazon Lambda uses this configuration information to set up Elastic Network Interfaces (ENIs) that enable your functions to connect securely to other cloud resources available within your private VPC.


Audit

To determine if your Amazon Lambda functions are associated with Virtual Private Clouds (VPCs), perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the function that you want to examine.

05 Select the Configuration tab and choose VPC from the left menu.

06 In the VPC section, check the configuration settings of the Virtual Private Cloud (VPC) network associated with the selected function. If there are no VPC configuration settings available in the VPC section, the selected Amazon Lambda function is not connected to a Virtual Private Cloud (VPC) network, therefore the function can't access your VPC resources.

07 Repeat steps no. 4 – 6 for each Lambda function available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run the list-functions command (OSX/Linux/UNIX) to list the name of each Amazon Lambda function available in the selected AWS cloud region:

aws lambda list-functions \
  --region us-east-1 \
  --output table \
  --query 'Functions[*].FunctionName'

02 The command output should return a table with the requested function name(s):

----------------------------
|      ListFunctions       |
+--------------------------+
|  cc-app-worker-function  |
|  cc-s3-logging-function  |
+--------------------------+

03 Run the get-function command (OSX/Linux/UNIX) using the name of the Amazon Lambda function that you want to examine as the identifier parameter, with a custom query filter that returns the ID of the Virtual Private Cloud (VPC) associated with the selected function:

aws lambda get-function \
  --region us-east-1 \
  --function-name cc-app-worker-function \
  --query 'Configuration.VpcConfig.VpcId'

04 The command output should return the ID of the VPC if the function is configured to access a VPC network, null if the function has never been associated with a VPC, or an empty string (i.e. "") if the function was associated with a VPC network at one point and is no longer connected to it:

null

If the get-function command output returns null or an empty string (i.e. ""), the selected Amazon Lambda function is not connected to a Virtual Private Cloud (VPC) network, therefore the function can't access your VPC-specific resources.

05 Repeat steps no. 3 and 4 for each Lambda function available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.
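The following script automates audit steps 1 to 6 across one or more regions and is an added example, not tooling from the Conformity page. It assumes AWS CLI v2 is installed and credentialed, and that with --output text a null VpcId is rendered as None and an empty string as a blank line; classify_vpc_id and audit_region are names chosen for this example.

```shell
#!/bin/sh
# Flag Lambda functions that are not connected to a VPC (VpcId null or "").
# Assumption: `aws ... --output text` prints a null value as "None".

# classify_vpc_id RAW_VALUE
# Map the raw `get-function --query Configuration.VpcConfig.VpcId` output
# to a verdict: IN_VPC, NOT_IN_VPC, or UNKNOWN for anything unexpected.
classify_vpc_id() {
  case "$1" in
    ""|None|null|'""') echo "NOT_IN_VPC" ;;
    vpc-*)             echo "IN_VPC" ;;
    *)                 echo "UNKNOWN" ;;
  esac
}

# audit_region REGION
# Print one tab-separated line per function: region, function name, verdict.
audit_region() {
  region="$1"
  aws lambda list-functions --region "$region" --output text \
      --query 'Functions[*].FunctionName' | tr '\t' '\n' | while read -r fn; do
    [ -n "$fn" ] || continue
    vpc=$(aws lambda get-function --region "$region" --function-name "$fn" \
            --output text --query 'Configuration.VpcConfig.VpcId')
    printf '%s\t%s\t%s\n' "$region" "$fn" "$(classify_vpc_id "$vpc")"
  done
}

# audit_regions REGION...
# Run the audit for every region given, covering audit step 6.
audit_regions() {
  for r in "$@"; do audit_region "$r"; done
}
```

Source the file and run, for example, `audit_regions us-east-1 eu-west-1 | grep NOT_IN_VPC` to list only the functions that fail this rule.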

Remediation / Resolution

To associate an existing Amazon Lambda function with a Virtual Private Cloud (VPC), you have to update your function's network configuration. In order to do that, you simply select one of your VPCs and identify the relevant subnets and security groups. Amazon Lambda makes use of this information to set up the Elastic Network Interfaces (ENIs) and private IP addresses (taken from the subnet(s) that you specified) so that your function has access to the cloud resources within the selected VPC. To update the network configuration for your Amazon Lambda functions, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable and Configure VPC Access for Lambda Function",
  "Resources": {
    "FunctionExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "LambdaExecutionRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {
              "Service": [ "lambda.amazonaws.com" ]
            },
            "Action": [ "sts:AssumeRole" ]
          }]
        },
        "Path": "/",
        "Policies": [{
          "PolicyName": "AWSLambdaBasicExecutionRole",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeInstances",
                "ec2:AttachNetworkInterface"
              ],
              "Resource": "*"
            }]
          }
        }]
      }
    },
    "ConsumerFunction": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "FunctionName": "cc-app-worker-function",
        "Handler": "lambda_function.lambda_handler",
        "Role": {
          "Fn::GetAtt": [ "FunctionExecutionRole", "Arn" ]
        },
        "Code": {
          "S3Bucket": "cc-lambda-functions",
          "S3Key": "worker.zip"
        },
        "Runtime": "python3.9",
        "MemorySize": 1024,
        "Timeout": 45,
        "VpcConfig": {
          "SecurityGroupIds": [ "sg-0abcd1234abcd1234" ],
          "SubnetIds": [ "subnet-abcd1234", "subnet-1234abcd" ]
        }
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable and Configure VPC Access for Lambda Function
Resources:
  FunctionExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: LambdaExecutionRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: AWSLambdaBasicExecutionRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - ec2:DescribeNetworkInterfaces
                  - ec2:CreateNetworkInterface
                  - ec2:DeleteNetworkInterface
                  - ec2:DescribeInstances
                  - ec2:AttachNetworkInterface
                Resource: '*'
  ConsumerFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: cc-app-worker-function
      Handler: lambda_function.lambda_handler
      Role: !GetAtt 'FunctionExecutionRole.Arn'
      Code:
        S3Bucket: cc-lambda-functions
        S3Key: worker.zip
      Runtime: python3.9
      MemorySize: 1024
      Timeout: 45
      VpcConfig:
        SecurityGroupIds:
          - sg-0abcd1234abcd1234
        SubnetIds:
          - subnet-abcd1234
          - subnet-1234abcd

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_iam_role" "function-execution-role" {
  name = "LambdaExecutionRole"
  path = "/"
  # Least-privilege execution policies: CloudWatch Logs access plus the ENI
  # permissions Lambda needs for VPC access. Broad policies such as
  # AmazonEC2FullAccess grant far more than a VPC-connected function requires.
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
    "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
  ]

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_lambda_function" "lambda-function" {
  function_name    = "cc-app-worker-function"
  s3_bucket        = "cc-lambda-functions"
  s3_key           = "worker.zip"
  role             = aws_iam_role.function-execution-role.arn
  handler          = "lambda_function.lambda_handler"
  runtime          = "python3.9"
  memory_size      = 1024
  timeout          = 45

  # Enable and Configure VPC Access for Lambda Function
  vpc_config {
    subnet_ids         = [ "subnet-abcd1234", "subnet-1234abcd" ]
    security_group_ids = [ "sg-0abcd1234abcd1234" ]
  }

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name of the function that you want to reconfigure.

05 Select the Configuration tab and choose VPC from the left menu.

06 In the VPC section, choose Edit to change the network configuration for the selected function.

07 On the Edit VPC configuration page, perform the following actions:

  1. Select the ID of the VPC network that you want to associate with the selected function from the VPC dropdown list.
  2. Choose the VPC subnets that Amazon Lambda will use to set up your VPC configuration from the Subnets dropdown list. Select at least two VPC subnets so that Amazon Lambda can execute your function in high-availability mode.
  3. Select the security group(s) that Amazon Lambda service will use to set up your VPC network configuration from the Security groups dropdown list. When you connect a function to a VPC network in your AWS account, it does not have access to the Internet unless your VPC provides Internet access. To give your function access to the Internet, route outbound traffic to a NAT Gateway in a public subnet.
  4. Choose Save to apply the network configuration changes and connect the selected Amazon Lambda function to your VPC network.

08 Repeat steps no. 4 – 7 to update the network configuration for each Amazon Lambda function available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for the other regions.

Using AWS CLI

01 Run the update-function-configuration command (OSX/Linux/UNIX) using the name of the Amazon Lambda function that you want to reconfigure as the identifier parameter, to update the function's network configuration and connect the function to a Virtual Private Cloud (VPC) network. Once a Lambda function is connected to a VPC network, it can reach the Internet only through that VPC network:

aws lambda update-function-configuration \
  --region us-east-1 \
  --function-name cc-app-worker-function \
  --vpc-config SubnetIds="subnet-abcd1234","subnet-1234abcd",SecurityGroupIds="sg-0abcd1234abcd1234"

02 The command output should return the metadata available for the reconfigured function:

{
    "FunctionName": "cc-app-worker-function",
    "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:cc-app-worker-function",
    "Runtime": "python3.9",
    "Role": "arn:aws:iam::123456789012:role/service-role/cc-app-worker-function-role-abcdabcd",
    "Handler": "lambda_function.lambda_handler",
    "CodeSize": 550,
    "Timeout": 45,
    "MemorySize": 1024,
    "LastModified": "2021-08-29T10:00:00.000+0000",
    "Version": "$LATEST",
    "VpcConfig": {
        "SubnetIds": [
            "subnet-abcd1234",
            "subnet-1234abcd"
        ],
        "SecurityGroupIds": [
            "sg-0abcd1234abcd1234"
        ],
        "VpcId": "vpc-abcdabcd"
    },
    "TracingConfig": {
        "Mode": "PassThrough"
    },
    "RevisionId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
    "Layers": [
        {
            "Arn": "arn:aws:lambda:us-east-1:580247275435:layer:LambdaInsightsExtension:12",
            "CodeSize": 4351068
        }
    ],
    "State": "Active",
    "LastUpdateStatus": "Successful",
    "PackageType": "Zip"
}

03 Repeat steps no. 1 and 2 to update the network configuration for each Amazon Lambda function available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.
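The helper below wraps the update-function-configuration command from step 1 and enforces the console guidance above that the chosen subnets should span at least two Availability Zones before connecting the function. It is an added example, not Conformity's own code; it assumes AWS CLI v2, uses `aws ec2 describe-subnets --subnet-ids` to look up each subnet's zone, and count_distinct_azs, ha_subnets_ok and connect_function_to_vpc are names chosen for this example.

```shell
#!/bin/sh
# Connect a Lambda function to a VPC only when the subnets give it
# multi-AZ placement. Assumption: the caller has permission to run
# ec2:DescribeSubnets and lambda:UpdateFunctionConfiguration.

# count_distinct_azs "AZ AZ ..."
# Print the number of distinct Availability Zone names in a whitespace-separated list.
count_distinct_azs() {
  printf '%s\n' $1 | sort -u | grep -c .
}

# ha_subnets_ok "AZ AZ ..."
# Succeed (exit 0) only if the list covers two or more zones.
ha_subnets_ok() {
  [ "$(count_distinct_azs "$1")" -ge 2 ]
}

# connect_function_to_vpc REGION FUNCTION_NAME SECURITY_GROUP_ID SUBNET_ID...
# Refuses to apply a single-AZ configuration; otherwise applies the same
# --vpc-config shorthand used in step 1 and prints the resulting VpcId.
connect_function_to_vpc() {
  region="$1"; fn="$2"; sg="$3"; shift 3
  subnets="$*"
  azs=$(aws ec2 describe-subnets --region "$region" --subnet-ids $subnets \
          --output text --query 'Subnets[*].AvailabilityZone')
  if ! ha_subnets_ok "$azs"; then
    echo "refusing: subnets [$subnets] do not span two Availability Zones ($azs)" >&2
    return 1
  fi
  # Join the subnet IDs with commas for the shorthand list syntax.
  subnet_csv=$(printf '%s,' $subnets); subnet_csv=${subnet_csv%,}
  aws lambda update-function-configuration --region "$region" --function-name "$fn" \
      --vpc-config "SubnetIds=${subnet_csv},SecurityGroupIds=${sg}" \
      --output text --query 'VpcConfig.VpcId'
}
```

Example call: `connect_function_to_vpc us-east-1 cc-app-worker-function sg-0abcd1234abcd1234 subnet-abcd1234 subnet-1234abcd`; the function still has no Internet path unless the VPC routes outbound traffic through a NAT Gateway.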

Publication date Mar 16, 2019