
Function in Private Subnet

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: Lambda-013

Ensure that your Amazon Lambda functions are configured to connect to private VPC subnets only in order to have secure access to private VPC-based resources such as Amazon ElastiCache clusters and RDS database instances.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Amazon Lambda functions are attached to VPC subnets when they need to reach private resources inside the VPC (for example ElastiCache clusters or RDS database instances) or need controlled outbound Internet access through a NAT gateway. Those subnets should be private. A Lambda function's elastic network interfaces never receive public IP addresses, so placing a function in a public subnet (one whose route table sends 0.0.0.0/0 to an Internet Gateway) does not give it Internet access; it only puts the function's interfaces in a subnet whose routing is exposed to the Internet. Private subnets keep the function's traffic on internal routes, with any Internet egress passing through a NAT gateway that you control, which minimizes exposure while still allowing access to internal resources.


Audit

To determine if your Amazon Lambda functions are configured to use private VPC subnets, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the Amazon Lambda function that you want to examine.

05 Select the Configuration tab and choose VPC to access the VPC network settings available for the selected function.

06 In the VPC section, click on the name (link) of the VPC subnet that you want to examine, listed under Subnets.

07 Select the Route table tab to view the routes configured for the selected VPC subnet, listed in the Routes section.

08 Check the Destination and Target columns for each configured route. If the Destination is set to 0.0.0.0/0 (or ::/0 for IPv6) and the Target is pointing to an Internet Gateway (e.g. igw-0abcd1234abcd1234), the selected subnet is public, therefore your Amazon Lambda function is not configured to use only private VPC subnets. Note that a subnet without an explicit route table association uses the VPC's main route table; the Route table tab shows the table that actually applies, so check it the same way.

09 Repeat steps no. 4 – 8 for each Lambda function available within the current AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

01 Run list-functions command (OSX/Linux/UNIX) to list the name of each Amazon Lambda function available in the selected AWS cloud region:

aws lambda list-functions \
  --region us-east-1 \
  --output table \
  --query 'Functions[*].FunctionName'

02 The command output should return a table with the requested function name(s):

----------------------------
|      ListFunctions       |
+--------------------------+
|  cc-app-worker-function  |
|  cc-s3-logging-function  |
+--------------------------+

03 Run get-function command (OSX/Linux/UNIX) using the name of the Amazon Lambda function that you want to examine as the identifier parameter and custom query filters to describe the IDs of the VPC subnets configured for the selected function:

aws lambda get-function \
  --region us-east-1 \
  --function-name cc-app-worker-function \
  --query 'Configuration.VpcConfig.SubnetIds'

04 The command output should return the identifier (ID) of each VPC subnet associated with the selected function:

[
	"subnet-01234abcd1234abcd",
	"subnet-0abcd1234abcd1234"
]

05 Run describe-route-tables command (OSX/Linux/UNIX) using the ID of the VPC subnet that you want to examine as the filter value and a custom query to describe the routes configured for the route table associated with the selected subnet:

aws ec2 describe-route-tables \
  --region us-east-1 \
  --filters "Name=association.subnet-id,Values=subnet-01234abcd1234abcd" \
  --query 'RouteTables[*].Routes[]'

If the command returns an empty list, the subnet has no explicit route table association and uses the VPC's main route table instead. Describe that table with the filters "Name=vpc-id,Values=<vpc-id>" and "Name=association.main,Values=true" and examine its routes the same way.

06 The command output should return the configuration information available for each defined route:

[
	{
		"DestinationCidrBlock": "0.0.0.0/0",
		"GatewayId": "igw-0abcd1234abcd1234",
		"Origin": "CreateRoute",
		"State": "active"
	},
	{
		"DestinationCidrBlock": "10.0.0.0/16",
		"GatewayId": "local",
		"Origin": "CreateRouteTable",
		"State": "active"
	}
]

Check the "DestinationCidrBlock" (or "DestinationIpv6CidrBlock"), "GatewayId", and "State" attributes for each configured route. If the destination is set to "0.0.0.0/0" (or "::/0"), "GatewayId" is pointing to an Internet Gateway (e.g. igw-0abcd1234abcd1234), and the "State" is set to "active", the selected subnet is public, therefore your Amazon Lambda function is not configured to use only private VPC subnets. A default route whose target is a NAT gateway ("NatGatewayId") does not make the subnet public.

07 Repeat steps no. 3 – 6 for each Lambda function available in the selected AWS region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the Audit process for other AWS regions.
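The CLI steps above can be automated. The following Python script is an added example for this rule, not Conformity's or AWS's own code: it classifies each subnet a function is attached to from the JSON that describe-route-tables returns, falls back to the VPC's main route table when a subnet has no explicit association, and treats an active IPv4 or IPv6 default route to an Internet Gateway as public. The sample route tables and VpcConfig embedded below are constructed to mirror the output shown on this page (all IDs are made up); the `main` block at the end runs the same logic live through the AWS CLI for every VPC-attached function in the current region. The private subset it returns is what you would keep when you later run update-function-configuration.

```python
"""Audit Lambda VPC subnets for Lambda-013 (added example, not the page's code)."""
import json
import subprocess

# Constructed sample of `aws ec2 describe-route-tables --output json`: one table
# explicitly associated with a public subnet, plus the VPC's main route table
# (used by every subnet without an explicit association). IDs are made up.
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0public1234567890", "VpcId": "vpc-0abcd1234abcd1234",
     "Associations": [{"Main": False, "SubnetId": "subnet-01234abcd1234abcd"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
          "Origin": "CreateRouteTable", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abcd1234abcd1234",
          "Origin": "CreateRoute", "State": "active"}]},
    {"RouteTableId": "rtb-0main12345678901", "VpcId": "vpc-0abcd1234abcd1234",
     "Associations": [{"Main": True}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
          "Origin": "CreateRouteTable", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abcd1234abcd1234",
          "Origin": "CreateRoute", "State": "active"}]},
]}

# Constructed sample of the VpcConfig block returned by `aws lambda get-function`.
SAMPLE_VPC_CONFIG = {
    "SubnetIds": ["subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234"],
    "SecurityGroupIds": ["sg-0abcd1234abcd1234"],
    "VpcId": "vpc-0abcd1234abcd1234",
}


def effective_route_table(route_tables, subnet_id, vpc_id):
    """Return the route table that actually applies to subnet_id.

    A subnet with no explicit association inherits the VPC's main route table,
    so filtering on association.subnet-id alone would miss it entirely.
    """
    main = None
    for table in route_tables["RouteTables"]:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main") and table.get("VpcId") == vpc_id:
                main = table
    return main


def is_default_route_to_igw(route):
    """True for an active IPv4 or IPv6 default route whose target is an IGW."""
    if route.get("State") != "active":
        return False
    default = (route.get("DestinationCidrBlock") == "0.0.0.0/0"
               or route.get("DestinationIpv6CidrBlock") == "::/0")
    return default and route.get("GatewayId", "").startswith("igw-")


def classify_subnet(route_tables, subnet_id, vpc_id):
    """'public' if the effective route table sends default traffic to an
    Internet Gateway, 'private' otherwise, 'unknown' if no table applies."""
    table = effective_route_table(route_tables, subnet_id, vpc_id)
    if table is None:
        return "unknown"
    if any(is_default_route_to_igw(r) for r in table.get("Routes", [])):
        return "public"
    return "private"


def audit_vpc_config(vpc_config, route_tables):
    """Map each subnet the function is attached to onto its classification."""
    vpc_id = vpc_config.get("VpcId")
    return {s: classify_subnet(route_tables, s, vpc_id)
            for s in vpc_config.get("SubnetIds", [])}


def private_subnets(vpc_config, route_tables):
    """Subnets safe to keep; the list to pass to update-function-configuration."""
    return [s for s, kind in audit_vpc_config(vpc_config, route_tables).items()
            if kind == "private"]


def aws_json(*args):
    """Run one AWS CLI command and parse its JSON output (live accounts only)."""
    return json.loads(subprocess.check_output(["aws", *args, "--output", "json"]))


if __name__ == "__main__":
    # Live run with the current credentials and region: report every function
    # that has at least one public subnet. Not exercised by the sample data.
    for fn in aws_json("lambda", "list-functions")["Functions"]:
        cfg = fn.get("VpcConfig") or {}
        if not cfg.get("VpcId"):
            continue  # not VPC-attached; Lambda-013 does not apply
        tables = aws_json("ec2", "describe-route-tables",
                          "--filters", f"Name=vpc-id,Values={cfg['VpcId']}")
        result = audit_vpc_config(cfg, tables)
        if "public" in result.values():
            print(f"NON-COMPLIANT {fn['FunctionName']}: {result}")
```

Against the constructed sample, subnet-01234abcd1234abcd is reported public (explicit table with a default route to an IGW) and subnet-0abcd1234abcd1234 is private (no explicit association, main table routes 0.0.0.0/0 to a NAT gateway). Fetching the route tables once per VPC and resolving the main table locally is also cheaper than one describe-route-tables call per subnet when auditing many functions.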

Remediation / Resolution

To ensure that your Amazon Lambda functions are configured to connect to private VPC subnets only, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the Amazon Lambda function that you want to configure.

05 Select the Configuration tab and choose VPC to access the VPC network settings available for the selected function.

06 In the VPC section, choose Edit to change the network configuration for the selected function.

07 On the Edit VPC configuration page, perform the following operations:

  1. Select the ID of the VPC network that contains your private subnets from the VPC dropdown list. If the function is already attached to a VPC, remove any public VPC subnets from the Subnets section.
  2. Choose the private VPC subnets that Amazon Lambda will use to access private VPC-based resources, from the Subnets dropdown list. Select at least two private subnets in different Availability Zones so that Amazon Lambda can run your function in high-availability mode.
  3. Select the security group(s) that Amazon Lambda will use to control access, from the Security groups dropdown list.
  4. Choose Save to apply the network configuration changes and connect the selected Amazon Lambda function to your private VPC subnets only.

08 Repeat steps no. 4 – 7 to update the network configuration for each Amazon Lambda function available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for the other regions.

Using AWS CLI

01 Run update-function-configuration command (OSX/Linux/UNIX) using the name of the Amazon Lambda function that you want to configure as the identifier parameter, to update the function's network configuration in order to connect the function to private VPC subnets only:

aws lambda update-function-configuration \
  --region us-east-1 \
  --function-name cc-app-worker-function \
  --vpc-config SubnetIds="subnet-0123abcd123abc123","subnet-0abc123abc123abcd",SecurityGroupIds="sg-0abcd1234abcd1234"

02 The command output should return the configuration information available for the reconfigured function. Confirm that "VpcConfig.SubnetIds" lists only private subnets and that "LastUpdateStatus" is "Successful":

{
	"FunctionName": "cc-app-worker-function",
	"FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:cc-app-worker-function",
	"Runtime": "python3.9",
	"Role": "arn:aws:iam::123456789012:role/service-role/cc-app-worker-function-role-abcdabcd",
	"Handler": "lambda_function.lambda_handler",
	"CodeSize": 1450,
	"Timeout": 45,
	"MemorySize": 1024,
	"LastModified": "2021-08-29T10:00:00.000+0000",
	"Version": "$LATEST",
	"VpcConfig": {
		"SubnetIds": [
			"subnet-0123abcd123abc123",
			"subnet-0abc123abc123abcd"
		],
		"SecurityGroupIds": [
			"sg-0abcd1234abcd1234"
		],
		"VpcId": "vpc-0abcd1234abcd1234"
	},
	"TracingConfig": {
		"Mode": "PassThrough"
	},
	"RevisionId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
	"Layers": [
		{
			"Arn": "arn:aws:lambda:us-east-1:580247275435:layer:LambdaInsightsExtension:12",
			"CodeSize": 4351068
		}
	],
	"State": "Active",
	"LastUpdateStatus": "Successful",
	"PackageType": "Zip"
}

03 Repeat steps no. 1 and 2 to update the network configuration for each Amazon Lambda function available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other AWS regions.


Publication date Oct 20, 2023