Description:
AWS Lambda is a regional public service; by default a function cannot reach resources inside your private Virtual Private Cloud (VPC). You can, however, configure a function to connect to private subnets in a VPC in your account so that it can access those private resources during execution.
Running Lambda inside a VPC means you allow the function to connect to the private subnet.
Rationale:
When a Lambda function is connected to your VPC, Lambda creates an elastic network interface in your VPC and then attaches it cross-account to the Lambda service. These network interfaces provide network access from your Lambda function to your private resources. Such functions run inside the VPC and can only reach resources over the network through your VPC.
Impact:
When you configure a Lambda function in a VPC, Lambda sets up an Elastic Network Interface (ENI) using an available IP address from your private subnet; this lets the function connect securely to other resources within your private VPC.
Default Value:
By default, when your Lambda function is not configured to connect to your own VPCs, the function can access anything available on the public internet such as other AWS services, HTTPS endpoints for APIs, or services and endpoints outside AWS.
By default, Lambda runs your functions in a secure VPC with access to AWS services and the internet. Lambda owns this VPC, which isn’t connected to your account’s default VPC. When you connect a function to a VPC in your account, the function can’t access the internet unless your VPC provides access.
Pre-Requisite:
For this configuration, connect the function to a private subnet; if the function also needs Internet access, the subnet must route through a NAT Gateway, because the function's ENI gets no public IP.
A function cannot connect to a dedicated-tenancy VPC.
Connect a function to a VPC only when it needs private resources; otherwise leave it unconnected, because VPC networking can slow down function execution.
Lambda uses your function’s permissions to create and manage network interfaces. To connect to a VPC, your function’s execution role must have the following permissions:
→ ec2:CreateNetworkInterface
→ ec2:DescribeNetworkInterfaces
→ ec2:DeleteNetworkInterface
Attach the AWS managed policy AWSLambdaVPCAccessExecutionRole to your function's execution role; it grants these permissions.
Remediation:
Test Plan:
Step 1: Sign in to AWS Management Console and go to Lambda dashboard at https://console.aws.amazon.com/lambda/.
Step 2: Click on Functions in the left navigation pane and choose the function to audit
Step 3: In the function view, click on the Configuration tab.
Step 4: Click on VPC to check whether the Lambda function is connected to a VPC.
If the VPC panel shows that no VPC is configured, the function is not connected to a VPC.
Using AWS CLI:
To retrieve a list of Lambda functions
aws lambda list-functions
To retrieve information about a function
aws lambda get-function --function-name <give the function name>
If the function is not configured for a VPC, the VpcConfig section of the output looks like this:
"VpcConfig": { "SubnetIds": [], "VpcId": "", "SecurityGroupIds": [] }
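As an added example (not part of the original page), the following POSIX shell script turns the two CLI calls above into a per-function audit. The helper names classify_vpc_config and audit_all_functions are my own: the first reads the VpcConfig object (as returned by aws lambda get-function-configuration, a sibling of get-function that skips the code download URL) and reports whether a VPC is set, and the second runs it over every function in the region. The sample JSON at the bottom is constructed for the offline demonstration; audit_all_functions needs the AWS CLI with credentials and is defined but not invoked automatically.

```shell
#!/bin/sh
# Added example, not from the original page: audit which Lambda functions are
# connected to a VPC, based on the VpcConfig object the CLI returns.

# classify_vpc_config reads a VpcConfig JSON object on stdin and prints
# "vpc" when VpcId is non-empty, "no-vpc" when VpcId is "" or absent
# (the CLI prints "null" for a function that never had a VPC configured).
classify_vpc_config() {
  vpc_id=$(tr -d '\n' | sed -n 's/.*"VpcId"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  if [ -n "$vpc_id" ]; then
    echo vpc
  else
    echo no-vpc
  fi
}

# audit_all_functions prints "<function-name> <vpc|no-vpc>" for every function
# in the current region. Live call: needs the AWS CLI and credentials, so it
# is defined here but not invoked automatically.
audit_all_functions() {
  aws lambda list-functions --query 'Functions[].FunctionName' --output text \
    | tr '\t' '\n' \
    | while read -r fn; do
        [ -n "$fn" ] || continue
        status=$(aws lambda get-function-configuration --function-name "$fn" \
                   --query 'VpcConfig' --output json | classify_vpc_config)
        echo "$fn $status"
      done
}

# Constructed sample outputs for an offline run (not captured from a real account).
NO_VPC_SAMPLE='{ "SubnetIds": [], "VpcId": "", "SecurityGroupIds": [] }'
VPC_SAMPLE='{ "SubnetIds": ["subnet-0example1"], "VpcId": "vpc-0example", "SecurityGroupIds": ["sg-0example"] }'

printf '%s\n' "$NO_VPC_SAMPLE" | classify_vpc_config   # no-vpc
printf '%s\n' "$VPC_SAMPLE" | classify_vpc_config      # vpc
printf 'null\n' | classify_vpc_config                  # no-vpc
```

To run the live audit, source the script and call audit_all_functions with a profile and region set in the environment; a function reported as no-vpc is one that still has direct Internet egress through Lambda's own VPC.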
Implementation Steps:
Step 1: Sign in to AWS Management Console and go to Lambda dashboard at https://console.aws.amazon.com/lambda/.
Step 2: Click on Functions in the left navigation pane and choose the function to configure
Step 3: In the function view, click on the Configuration tab.
Step 4: Click on VPC to configure it
Step 5: Click on the Edit button
Step 6: Choose a VPC for your function to access
Step 7: Choose the VPC subnets for Lambda to use in your VPC configuration, then select the security groups
Step 8: Click on the Save button
Using AWS CLI
To connect an existing function to a VPC
aws lambda update-function-configuration \
--function-name my-function \
--vpc-config SubnetIds=subnet-071f712345678e7c8,\
subnet-07fd123456788a036,SecurityGroupIds=sg-085912345678492fb
Backout Plan:
Step 1: Sign in to AWS Management Console and go to Lambda dashboard at https://console.aws.amazon.com/lambda/.
Step 2: Click on Functions in the left navigation pane and choose the function to disconnect
Step 3: In the function view, click on the Configuration tab.
Step 4: Click on VPC to configure it
Step 5: Click on the Edit button, select None for the VPC, and click on the Save button
Using AWS CLI
To disconnect your function from a VPC, update the function configuration with an empty list of subnets and security groups
aws lambda update-function-configuration \
--function-name my-function \
--vpc-config SubnetIds=[],SecurityGroupIds=[]
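As an added example (not part of the original page), the following POSIX shell script wraps the connect command from the Implementation Steps and the disconnect command from the Backout Plan. The helper names vpc_config_arg, vpc_tenancy, connect_function_to_vpc and disconnect_function_from_vpc are my own: vpc_config_arg builds the --vpc-config shorthand and rejects IDs that do not look like subnet-<hex> or sg-<hex>; vpc_tenancy checks the dedicated-tenancy pre-requisite; the connect wrapper waits for the update and reads the VpcId back; the disconnect wrapper is the backout. The IDs at the bottom are constructed. The functions that call aws need the CLI and credentials and are defined but not invoked automatically.

```shell
#!/bin/sh
# Added example, not from the original page: shell wrappers for the connect
# (Implementation Steps) and disconnect (Backout Plan) CLI commands above,
# with ID validation before the call and a read-back check after it.

# vpc_config_arg builds the --vpc-config shorthand value from a comma-separated
# subnet-ID list and security-group-ID list. Each ID must look like subnet-<hex>
# or sg-<hex>; anything else is rejected so a typo never reaches the API.
vpc_config_arg() {
  subnets=$1
  sgs=$2
  [ -n "$subnets" ] && [ -n "$sgs" ] || { echo "need at least one subnet and one security group" >&2; return 1; }
  for id in $(printf '%s' "$subnets" | tr ',' ' '); do
    case $id in
      subnet-[0-9a-f]*) ;;
      *) echo "bad subnet id: $id" >&2; return 1 ;;
    esac
  done
  for id in $(printf '%s' "$sgs" | tr ',' ' '); do
    case $id in
      sg-[0-9a-f]*) ;;
      *) echo "bad security group id: $id" >&2; return 1 ;;
    esac
  done
  printf 'SubnetIds=%s,SecurityGroupIds=%s\n' "$subnets" "$sgs"
}

# vpc_tenancy prints the InstanceTenancy of the VPC that owns the first subnet
# ("default" or "dedicated"); the pre-requisites above rule out dedicated tenancy.
# Live call: needs the AWS CLI and credentials.
vpc_tenancy() {
  first_subnet=${1%%,*}
  vpc_id=$(aws ec2 describe-subnets --subnet-ids "$first_subnet" \
             --query 'Subnets[0].VpcId' --output text)
  aws ec2 describe-vpcs --vpc-ids "$vpc_id" --query 'Vpcs[0].InstanceTenancy' --output text
}

# connect_function_to_vpc validates the IDs, refuses a dedicated-tenancy VPC,
# applies the configuration, waits for the update, and prints the VpcId read back.
# Live call: needs the AWS CLI and credentials; not invoked automatically.
connect_function_to_vpc() {
  fn=$1
  cfg=$(vpc_config_arg "$2" "$3") || return 1
  [ "$(vpc_tenancy "$2")" = "default" ] || { echo "dedicated-tenancy VPC not supported" >&2; return 1; }
  aws lambda update-function-configuration --function-name "$fn" --vpc-config "$cfg" >/dev/null
  aws lambda wait function-updated --function-name "$fn"
  aws lambda get-function-configuration --function-name "$fn" --query 'VpcConfig.VpcId' --output text
}

# disconnect_function_from_vpc is the backout step: empty lists detach the function.
disconnect_function_from_vpc() {
  aws lambda update-function-configuration --function-name "$1" \
    --vpc-config 'SubnetIds=[],SecurityGroupIds=[]' >/dev/null
  aws lambda wait function-updated --function-name "$1"
}

# Offline demonstration with constructed IDs (not real resources):
vpc_config_arg 'subnet-0aaa1111,subnet-0bbb2222' 'sg-0ccc3333'
# prints: SubnetIds=subnet-0aaa1111,subnet-0bbb2222,SecurityGroupIds=sg-0ccc3333
vpc_config_arg 'subnet-0aaa1111' 'default' || echo "rejected as expected"
```

A live run would be connect_function_to_vpc my-function 'subnet-...,subnet-...' 'sg-...' followed, if the change must be reverted, by disconnect_function_from_vpc my-function; the wait step matters because the read-back shows the new VpcId only once LastUpdateStatus has left InProgress.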