Description:

A Dead-Letter Queue (DLQ) is a mechanism that helps prevent message loss when a Lambda function invocation fails, so any exception or other error thrown by the function is relevant to the DLQ. It applies only to asynchronous invocations: when an event is not successfully consumed or responded to by the function, the event is sent to the DLQ. In Lambda, the DLQ stores the events that resulted in failed asynchronous executions of your function.

Rationale:

If a single SQS message can't be processed, the message becomes visible again on the queue for other workers. This is called a retry. But if for some reason every retry fails (maybe you have a bug in your code), the message will reside in the queue forever and may waste a lot of resources because of the many retries. To avoid this, you can configure a dead-letter queue (DLQ). If a message is retried more than a specific number of times, it is removed from the original queue and forwarded to the DLQ. The difference is that no worker listens for messages on the DLQ. You should therefore create a CloudWatch alarm that triggers if the DLQ contains more than zero messages, because the problem needs to be investigated manually by looking at the messages in the DLQ.

Impact:

In the case of failure, the DLQ can be configured to hold a message for reprocessing after you fix the problem in your function, or to broadcast the failure to another system so that it can take some kind of action on it.

It handles unexpected failures that occur while the function uses other services or resources.

Default Value:

By default, the Dead-letter queue service of a Lambda function is set to None.

Audit:

Step 1: Sign in to the AWS Management Console and go to the AWS Lambda dashboard https://console.aws.amazon.com/lambda/

Step 2: Click on Functions in the left navigation

Step 3: Click on the Lambda function which you want to audit

Step 4: Below the Function overview, click on the Configuration tab

Step 5: Scroll down and click on Asynchronous invocation in the left column

Step 6: In Asynchronous invocation, check the value shown in the Dead-letter queue service column; if it is None, the DLQ is disabled.

Via CLI Audit

To view a list of asynchronous invocation configurations

aws lambda list-function-event-invoke-configs --function-name <name_of_function>

To get the details of asynchronous invocation configuration

aws lambda get-function-event-invoke-config --function-name <function_name>
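To evaluate the JSON these commands return at scale, the following audit script is an added example (not part of the original page or an AWS tool). It reads the output of list-function-event-invoke-configs, flags every configuration whose OnFailure destination is missing or is not an SQS queue or SNS topic, and also flags functions that have no asynchronous invocation configuration at all, since those never appear in the list output. The function ARNs and queue names in the sample are constructed.

```python
import json

# Constructed sample of `aws lambda list-function-event-invoke-configs` output.
# Account id, region and names are placeholders, not real resources.
SAMPLE_OUTPUT = json.dumps({
    "FunctionEventInvokeConfigs": [
        {   # compliant: failures go to an SQS queue
            "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:order-worker:$LATEST",
            "MaximumRetryAttempts": 2,
            "DestinationConfig": {
                "OnFailure": {"Destination": "arn:aws:sqs:us-east-1:123456789012:order-worker-dlq"}},
        },
        {   # non-compliant: OnFailure present but no destination (console shows None)
            "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:report-gen:$LATEST",
            "MaximumRetryAttempts": 2,
            "DestinationConfig": {"OnFailure": {}},
        },
        {   # non-compliant for this control: failure target is another function
            "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:img-resize:$LATEST",
            "MaximumRetryAttempts": 0,
            "DestinationConfig": {
                "OnFailure": {"Destination": "arn:aws:lambda:us-east-1:123456789012:function:handler"}},
        },
    ]
})

ALLOWED_SERVICES = {"sqs", "sns"}  # the two DLQ target types the control accepts


def function_name(arn):
    # arn:aws:lambda:<region>:<account>:function:<name>[:<qualifier>]
    parts = arn.split(":")
    return parts[6] if len(parts) > 6 else arn


def audit(cli_json, all_functions=()):
    """Return {function_name: finding} for every function failing the control.

    all_functions (optional) is the full list of function names in the account,
    e.g. from `aws lambda list-functions`; names absent from the invoke-config
    output have no asynchronous invocation configuration and thus no DLQ.
    """
    findings, seen = {}, set()
    for cfg in json.loads(cli_json).get("FunctionEventInvokeConfigs", []):
        name = function_name(cfg["FunctionArn"])
        seen.add(name)
        dest = cfg.get("DestinationConfig", {}).get("OnFailure", {}).get("Destination")
        if not dest:
            findings[name] = "no OnFailure destination (DLQ disabled)"
            continue
        service = dest.split(":")[2] if dest.count(":") >= 5 else ""
        if service not in ALLOWED_SERVICES:
            findings[name] = f"OnFailure target is {service or 'invalid'}, not SQS/SNS"
    for name in all_functions:
        if name not in seen:
            findings[name] = "no asynchronous invocation configuration at all"
    return findings
```

Feed it the real command output with `audit(open("configs.json").read(), names)` where `names` comes from list-functions; an empty result means every checked function has an SQS or SNS failure destination.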

Remediation:

Pre-Requisite:

  • Before following the implementation steps, if you do not have a queue or topic, create one:

    • Amazon SQS queue

    • Amazon SNS topic

  • If your AWS account does not yet contain a Lambda function, create the Lambda function before the implementation steps.

  • Before implementation, set a policy that grants your Lambda function permission to send messages to the queue or topic.

Implementation Steps:

Step 1: Sign in to the AWS Management Console and go to the AWS Lambda dashboard https://console.aws.amazon.com/lambda/

Step 2: Click on Functions in the left navigation

Step 3: Click on the Lambda function for which you want to enable the Lambda DLQ

Step 4: Below the Function overview, click on the Configuration tab

Step 5: Scroll down and click on Asynchronous invocation in the left column

Step 6: Click on the Edit button in the Asynchronous invocation section

Step 7: In the Dead-letter queue service section, click on the drop-down list

Step 8: From the list, choose the target type (Amazon SNS or Amazon SQS) that matches the topic or queue you use in AWS

Step 9: After selecting the target type (Amazon SNS or Amazon SQS), select the topic or queue

Step 10: Click on the Save button

After saving the setting you can see that the Dead-letter queue service is Amazon SQS (or Amazon SNS) together with the queue or topic you selected.

Via CLI

To update an asynchronous invocation configuration

aws lambda update-function-event-invoke-config \
    --function-name <function_name> \
    --destination-config '{"OnFailure":{"Destination": "arn:aws:sqs:<region>:<account_id>:destination"}}'

Backout Plan:

If you do not want to enable the Lambda Dead-Letter Queue service, follow implementation steps 1 to 8, select the None option from the drop-down list and click on the Save button.

Via CLI

To remove the asynchronous invocation configuration, including the on-failure destination (note that this also resets the retry and maximum event age settings for the function):

aws lambda delete-function-event-invoke-config \
    --function-name <function_name>
