Profile Applicability:

  • Level 1

Description:

AWS Lambda is a fully managed serverless compute service that runs your code in response to events and automatically manages the compute resources. Deploying AWS Lambda functions inside a Virtual Private Cloud (VPC) enhances security by ensuring that Lambda functions can access resources within a private network, such as Amazon RDS databases, Amazon ElastiCache, or other private services, while keeping those resources isolated from the public internet.

When you deploy a Lambda function inside a VPC, it can securely access private resources that are not exposed to the public internet, providing an extra layer of security and compliance with regulatory requirements.

Rationale:

  • Security: Deploying Lambda functions inside a VPC ensures that sensitive services, such as databases and application backends, remain protected and inaccessible from the internet.

  • Access to Private Resources: By placing Lambda functions within a VPC, they can interact with resources such as databases, storage, and services that are not publicly accessible.

  • Compliance: Many security and compliance frameworks require that functions and services access sensitive data through secure, isolated networks. Deploying Lambda functions inside a VPC ensures compliance with standards like PCI-DSS, HIPAA, SOC 2, etc.

  • Network Segmentation: VPCs allow you to segment and manage your network for better control over the flow of traffic and access to resources.

Impact:

Pros:

  • Improved Security: By isolating Lambda functions within a VPC, you reduce exposure to public networks and enhance the security of internal resources.

  • Private Connectivity: Lambda functions within a VPC can access private services and resources that are not accessible to the public internet.

  • Compliance: Helps in meeting compliance requirements for network isolation and private resource access.

  • Fine-Grained Access Control: VPCs enable the use of Security Groups and Network ACLs to control and restrict access to resources within the VPC.

Cons:

  • Increased Complexity: Deploying Lambda functions inside a VPC requires setting up VPC configurations (e.g., subnet, security groups), which adds complexity to the architecture.

  • Cold Start Latency: Lambda functions deployed inside a VPC may experience increased cold start latency due to VPC networking setup, particularly when a NAT Gateway or VPC peering is used for external communication.

  • VPC Limits: Lambda functions deployed inside VPCs need to be managed carefully to avoid exceeding VPC limits for IP addresses and other networking resources.

Default Value:

By default, AWS Lambda functions are deployed outside of a VPC. You need to explicitly configure your Lambda function to be deployed inside a VPC.

Pre-requisite:

  • AWS IAM Permissions:

    • lambda:UpdateFunctionConfiguration

    • lambda:GetFunctionConfiguration

    • ec2:DescribeSubnets

    • ec2:DescribeSecurityGroups

  • AWS CLI installed and configured.

  • VPC should be set up and properly configured (with private subnets, internet access, and security groups).

  • Lambda execution role should have permissions to access resources inside the VPC (e.g., access to private subnets and security groups).

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Lambda under Services.

  3. In the Lambda Dashboard, select the Lambda function you want to check.

  4. Under the Function Configuration, check the VPC section:

    • If the function is deployed inside a VPC, it will show the associated VPC, subnet, and security group.

    • If the function is not inside a VPC, it will show that the function is not associated with any VPC.

  5. To modify and deploy the Lambda function inside a VPC, click Edit, choose the VPC, and configure the appropriate subnets and security groups.

  6. Save the changes and ensure that the Lambda function is now deployed inside the VPC.

Using AWS CLI:

To check if Lambda functions are deployed inside a VPC, run:

aws lambda get-function-configuration --function-name <function-name> --query 'VpcConfig'

If VpcConfig is null or contains empty SubnetIds and SecurityGroupIds lists, the Lambda function is not inside a VPC. To deploy the function inside a VPC, run:

aws lambda update-function-configuration --function-name <function-name> --vpc-config SubnetIds=<subnet-id>,SecurityGroupIds=<security-group-id>

To confirm the changes, run:

aws lambda get-function-configuration --function-name <function-name> --query 'VpcConfig'
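The CLI check above inspects one function at a time. The script below is an added example (not part of this benchmark, and not AWS's own tooling) that applies the same rule to the JSON document returned by `aws lambda list-functions --output json`, where each entry in `Functions` carries the same `VpcConfig` shape that `get-function-configuration --query 'VpcConfig'` prints. It treats a missing key, a null value and empty `SubnetIds`/`SecurityGroupIds` lists alike as "not in a VPC". All function names and resource ids in the embedded sample are constructed for the example.

```python
import json
import sys

# Constructed sample modelled on the `Functions` list returned by
# `aws lambda list-functions --output json`. Names and ids are made up.
SAMPLE_LIST_FUNCTIONS_JSON = json.dumps({"Functions": [
    {"FunctionName": "orders-api",
     "VpcConfig": {"SubnetIds": ["subnet-0aaa"],
                   "SecurityGroupIds": ["sg-0bbb"],
                   "VpcId": "vpc-0ccc"}},
    # Not in a VPC: empty lists and an empty VpcId (the shape the CLI prints)
    {"FunctionName": "nightly-report",
     "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": [], "VpcId": ""}},
    # Not in a VPC: the key is absent entirely
    {"FunctionName": "hello-world"},
    # Not in a VPC: explicit null
    {"FunctionName": "legacy-sync", "VpcConfig": None},
]})


def is_in_vpc(config):
    """True only if the function has at least one subnet AND one security group.

    `config` is one function-configuration object. A missing VpcConfig key,
    a null value and empty id lists all mean the function runs outside any VPC.
    """
    vpc = config.get("VpcConfig") or {}
    return bool(vpc.get("SubnetIds")) and bool(vpc.get("SecurityGroupIds"))


def audit_functions(configs):
    """Return the sorted names of functions that are NOT attached to a VPC."""
    return sorted(c["FunctionName"] for c in configs if not is_in_vpc(c))


def audit_list_functions_json(text):
    """Audit the raw JSON document produced by `aws lambda list-functions`."""
    return audit_functions(json.loads(text).get("Functions", []))


if __name__ == "__main__":
    # Real usage: aws lambda list-functions --output json | python3 audit.py -
    # Without the "-" argument the constructed sample above is audited instead.
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        raw = sys.stdin.read()
    else:
        raw = SAMPLE_LIST_FUNCTIONS_JSON
    failing = audit_list_functions_json(raw)
    for name in failing:
        print(f"FAIL {name}: not deployed inside a VPC")
    sys.exit(1 if failing else 0)
```

The exit status makes the script usable as a gate in a pipeline: a non-zero exit means at least one function still runs outside a VPC and needs the `update-function-configuration` remediation.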

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to AWS Lambda.

  2. In the Lambda Dashboard, select the Lambda function you want to modify.

  3. Under Function Configuration, click Edit.

  4. In the VPC section:

    • Choose a VPC where you want the Lambda function to run.

    • Select at least one private subnet where the Lambda function can operate.

    • Choose appropriate Security Groups to control access to the Lambda function.

  5. Click Save to apply the changes.

  6. Verify that the Lambda function is now configured to run within the VPC.

Using AWS CLI:

To deploy the Lambda function inside a VPC, run:

aws lambda update-function-configuration --function-name <function-name> --vpc-config SubnetIds=<subnet-id>,SecurityGroupIds=<security-group-id>

To verify that the Lambda function is deployed in the correct VPC, run:

aws lambda get-function-configuration --function-name <function-name> --query 'VpcConfig'

Backout Plan:

Console Process

  1. Go to the AWS Lambda Console:

    • Open the AWS Lambda console and select your function.

  2. Configure VPC Settings:

    • Under the Network section, choose a VPC.

    • Select the appropriate subnets and security groups for your function.

  3. Save Changes:

    • Save the configuration to attach the Lambda function to the VPC.

CLI Process

Update Lambda Function Configuration:

aws lambda update-function-configuration \
--function-name <function-name> \
--vpc-config SubnetIds=<subnet-ids>,SecurityGroupIds=<security-group-ids>

Verify Configuration:

aws lambda get-function-configuration --function-name <function-name>

  • Check the VpcConfig field in the output.

Note:

  • Subnets: Ensure that the Lambda function is placed in private subnets to avoid unnecessary exposure to the public internet.

  • Security Groups: Use Security Groups to control access between Lambda functions and other VPC resources, and restrict unnecessary inbound and outbound traffic.

  • VPC Limits: Ensure that your VPC has enough available IP addresses to accommodate Lambda's network interfaces, especially if you're scaling your functions.
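The two notes on subnets and VPC limits can be checked from the `ec2:DescribeSubnets` and `ec2:DescribeRouteTables` output once the function's `SubnetIds` are known. The script below is an added example (not part of this benchmark and not AWS's own tooling) that classifies each subnet as private or public by looking at the route table that applies to it (an explicit subnet association, otherwise the VPC's main route table) and flags any route to an internet gateway, then compares `AvailableIpAddressCount` against a minimum. The embedded subnet and route-table documents are constructed to mirror the CLI output shape, every id is made up, and the `min_free_ips` threshold of 16 is an assumption for the example rather than an AWS or CIS value.

```python
# Constructed samples modelled on `aws ec2 describe-subnets` and
# `aws ec2 describe-route-tables` output; every id and count is made up.
SAMPLE_SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-0pub", "VpcId": "vpc-0ccc", "AvailableIpAddressCount": 250},
    {"SubnetId": "subnet-0nat", "VpcId": "vpc-0ccc", "AvailableIpAddressCount": 12},
    {"SubnetId": "subnet-0iso", "VpcId": "vpc-0ccc", "AvailableIpAddressCount": 4000},
]}

SAMPLE_ROUTE_TABLES = {"RouteTables": [
    # Main table: subnet-0pub has no explicit association, so it inherits this
    # table. Its default route to an internet gateway makes that subnet public.
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0ccc",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    # Private subnet with outbound-only internet access through a NAT gateway
    {"RouteTableId": "rtb-nat", "VpcId": "vpc-0ccc",
     "Associations": [{"SubnetId": "subnet-0nat"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
    # Isolated subnet: local route only
    {"RouteTableId": "rtb-isolated", "VpcId": "vpc-0ccc",
     "Associations": [{"SubnetId": "subnet-0iso"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]}


def route_table_for(subnet_id, vpc_id, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        if rt.get("VpcId") != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def routes_to_internet_gateway(route_table):
    """A subnet is public if any route in its table targets an internet gateway (igw-*)."""
    return any(str(r.get("GatewayId", "")).startswith("igw-")
               for r in route_table.get("Routes", []))


def evaluate_subnets(subnet_ids, describe_subnets, describe_route_tables, min_free_ips=16):
    """Per subnet: is it private, how many IPs are free, and does it pass both checks."""
    subnets = {s["SubnetId"]: s for s in describe_subnets["Subnets"]}
    results = {}
    for sid in subnet_ids:
        subnet = subnets[sid]
        rt = route_table_for(sid, subnet["VpcId"], describe_route_tables["RouteTables"])
        # No applicable route table is treated as a failure rather than as private.
        private = rt is not None and not routes_to_internet_gateway(rt)
        free = subnet["AvailableIpAddressCount"]
        results[sid] = {"private": private, "available_ips": free,
                        "ok": private and free >= min_free_ips}
    return results


if __name__ == "__main__":
    # In practice the subnet ids come from the function's VpcConfig.SubnetIds.
    report = evaluate_subnets(["subnet-0pub", "subnet-0nat", "subnet-0iso"],
                              SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES)
    for sid, r in report.items():
        status = "OK  " if r["ok"] else "FAIL"
        print(f"{status} {sid}: private={r['private']} free_ips={r['available_ips']}")
```

On the constructed data the public subnet fails on placement, the NAT subnet fails on capacity, and only the isolated subnet passes both checks. The minimum free-IP figure is the knob to tune to the function's expected concurrency, since each Lambda network interface consumes an address from the subnet.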

References:

CIS Controls Mapping:

Version | Control ID | Control Description | IG1 | IG2 | IG3
v8 | 3.4 | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | |
v8 | 6.7 | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | |
v8 | 6.8 | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | |
v8 | 14.6 | Protect Information Through Access Control Lists – Apply strict access control to file systems. | | |