Description:
A dead-letter queue (DLQ) is a mechanism that prevents message loss when a Lambda function invocation fails, so any exception or other error thrown during the invocation is relevant to the DLQ. It applies only to asynchronous invocations: when an event is not consumed or responded to by the function, the event is sent to the DLQ. In Lambda, the DLQ stores the events that resulted in failed asynchronous executions of your function.
Rationale:
If a single SQS message can't be processed, the message becomes visible again on the queue for other workers. This is called a retry. But if every retry fails (for example, because of a bug in your code), the message stays in the queue forever and wastes resources through repeated retries. To avoid this, you can configure a dead-letter queue (DLQ). If a message is retried more than a specific number of times, it is removed from the original queue and forwarded to the DLQ. The difference is that no worker listens for messages on the DLQ, so you should create a CloudWatch alarm that triggers if the DLQ contains more than zero messages, because the problem has to be investigated manually by looking at the messages in the DLQ.
Impact:
In the case of failure, the DLQ can be configured to hold a message for reprocessing after you fix the problem in your function, or to broadcast the failure to another system so it can take some kind of action on it.
It captures unexpected failures from any services or resources the function uses.
Default Value:
By default, the Dead-letter queue service of a Lambda function is set to None.
Audit:
Step 1: Sign in to the AWS Management Console and open the AWS Lambda dashboard at https://console.aws.amazon.com/lambda/
Step 2: Click Functions in the left navigation
Step 3: Click the Lambda function you want to audit
Step 4: Below Function overview, click the Configuration tab
Step 5: Scroll down and click Asynchronous invocation in the left column
Step 6: Under Asynchronous invocation, check the value of the Dead-letter queue service column; if it shows None, the DLQ is disabled.
Via CLI Audit
To view a list of asynchronous invocation configurations
aws lambda list-function-event-invoke-configs --function-name <name_of_function>
To get the details of asynchronous invocation configuration
aws lambda get-function-event-invoke-config --function-name <function_name>
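As an added example (not from the original page), a boto3 script that applies the audit above across every function in a region. It treats a function as covered when either its DeadLetterConfig target (the console's Dead-letter queue field) or the OnFailure destination of its asynchronous invocation configuration (what update-function-event-invoke-config writes) is set, since those are two different settings; the function names and ARNs in the sample data are constructed.

```python
from typing import Optional


def failure_target(function_config: dict, invoke_config: Optional[dict]) -> Optional[str]:
    """ARN that receives failed async events, or None if failures are dropped.
    function_config: a list-functions entry (DeadLetterConfig is what the console's
    "Dead-letter queue" field sets). invoke_config: get-function-event-invoke-config
    output, or None when absent (its OnFailure entry is the "destination" setting)."""
    dlq = (function_config.get("DeadLetterConfig") or {}).get("TargetArn")
    if dlq:
        return dlq
    on_failure = ((invoke_config or {}).get("DestinationConfig") or {}).get("OnFailure") or {}
    return on_failure.get("Destination") or None


def audit(functions: list, invoke_configs: dict) -> list:
    """Names of functions with neither a DLQ target nor an OnFailure destination."""
    return [f["FunctionName"] for f in functions
            if failure_target(f, invoke_configs.get(f["FunctionName"])) is None]


def audit_region(region: str) -> list:
    """Live variant: enumerate every function in the region with boto3, then audit."""
    import boto3  # imported here so the pure functions above run without it
    from botocore.exceptions import ClientError
    client = boto3.client("lambda", region_name=region)
    functions, invoke_configs = [], {}
    for page in client.get_paginator("list_functions").paginate():
        for cfg in page["Functions"]:
            functions.append(cfg)
            try:
                invoke_configs[cfg["FunctionName"]] = client.get_function_event_invoke_config(
                    FunctionName=cfg["FunctionName"])
            except ClientError as err:  # no async config at all is reported as None
                if err.response["Error"]["Code"] != "ResourceNotFoundException":
                    raise
    return audit(functions, invoke_configs)


# Constructed sample data (not from a real account) in the API's shapes.
SAMPLE_FUNCTIONS = [
    {"FunctionName": "orders", "DeadLetterConfig": {"TargetArn": "arn:aws:sqs:us-east-1:123456789012:orders-dlq"}},
    {"FunctionName": "billing"},
    {"FunctionName": "reports", "DeadLetterConfig": {}},
]
SAMPLE_INVOKE_CONFIGS = {
    "billing": {"DestinationConfig": {"OnFailure": {"Destination": "arn:aws:sns:us-east-1:123456789012:billing-failures"}}},
    "reports": {"DestinationConfig": {"OnFailure": {}, "OnSuccess": {}}},
}

if __name__ == "__main__":
    for name in audit(SAMPLE_FUNCTIONS, SAMPLE_INVOKE_CONFIGS):
        print(f"FAIL {name}: failed async invocations are silently dropped")
```

Running it against the constructed sample reports only "reports"; call audit_region("<region>") with AWS credentials configured to check a real account.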
Remediation:
Pre-Requisite:
Before following the implementation steps, if you do not have a queue or topic, create one:
Amazon SQS queue
Amazon SNS topic
If your AWS account does not yet have a Lambda function, create one before the implementation steps.
Before implementation, set a policy that grants your Lambda function permission to send messages to the queue or topic.
Implementation Steps:
Step 1: Sign in to the AWS Management Console and open the AWS Lambda dashboard at https://console.aws.amazon.com/lambda/
Step 2: Click Functions in the left navigation
Step 3: Click the Lambda function for which you want to enable the DLQ
Step 4: Below Function overview, click the Configuration tab
Step 5: Scroll down and click Asynchronous invocation in the left column
Step 6: Click the Edit button under Asynchronous invocation
Step 7: Under Dead-letter queue, click the menu list
Step 8: From the menu list, choose the target type (Amazon SNS or Amazon SQS) that matches the topic or queue you use in AWS
Step 9: After selecting the target type (Amazon SNS or Amazon SQS), select the queue or topic
Step 10: Click the Save button
After saving the setting, the Dead-letter queue service column shows Amazon SQS and the queue you selected.
Via CLI
To update an asynchronous invocation configuration
aws lambda update-function-event-invoke-config \
    --function-name <function_name> \
    --destination-config '{"OnFailure":{"Destination": "arn:aws:sqs:<region>:<account_id>:destination"}}'
Backout Plan:
If you do not want the Lambda dead-letter queue enabled, follow implementation steps 1-8, select the None option from the menu list, and click the Save button.
Via CLI
To remove the asynchronous invocation configuration, including its on-failure destination (note that this also clears any retry and maximum event age settings on the function):
aws lambda delete-function-event-invoke-config --function-name <function_name>
Reference: