AWS Lambda

Lambda Without VPC (Virtual Private Cloud)

This plugin ensures Lambda functions are created in a VPC.

Risk Level: Medium

Description:

This plugin ensures Lambda functions are created in a VPC. Lambda functions should be created in an AWS VPC to avoid exposure to the Internet and to enable communication with VPC resources, with traffic controlled through network ACLs and security groups.

About the Service:

AWS Lambda is a serverless compute service that allows you to run code without having to provision or manage servers, create workload-aware cluster scaling logic, keep event integrations up to date, or manage runtimes. You can use Lambda to run code for almost any form of application or backend service without having to manage the underlying infrastructure. Simply upload your code as a ZIP file or container image, and Lambda automatically allocates compute capacity and runs your code in response to incoming requests or events, at any scale.

Impact:

Make sure to give your AWS Lambda functions access to a Virtual Private Cloud; otherwise, your Lambda function will not be able to use resources such as Amazon Redshift data warehouses, RDS database instances, and service endpoints that are only accessible from within a particular VPC, which reduces the functionality of your function.

Steps to reproduce:

  1. Sign in to your AWS console.
  2. Navigate to the Lambda dashboard at: https://console.aws.amazon.com/lambda/
  3. Select the function you want to examine and visit its configuration page.
  4. Select the "Configuration" tab to view its settings panel.
  5. In the "Virtual Private Cloud" section in the left navigation, check the "Virtual Private Cloud" dropdown list and verify whether your function has access to any VPC.


Steps for remediation:

Update the Lambda function with a VPC configuration.

  1. Sign in to your AWS console.
  2. Navigate to the Lambda dashboard at: https://console.aws.amazon.com/lambda/
  3. Select the function you want to remediate and visit its configuration page.
  4. Select the "Configuration" tab to view its settings panel.
  5. In the "Virtual Private Cloud" section, perform the following actions:
    1. From the "Virtual Private Cloud (VPC)" dropdown list, select the ID of the VPC you wish to associate with the specified function.
    2. From the "Subnets" dropdown list, select the VPC subnets that AWS Lambda will use for the function. AWS Lambda requires at least two subnets to run your function in high-availability mode.
    3. From the "Security groups" dropdown list, select the VPC security group(s) that AWS Lambda will attach to the function's network interfaces. When you connect a Lambda function to a VPC, it loses its default internet access. If your AWS Lambda function requires external internet connectivity, make sure the selected security group(s) allow outbound connections and that your VPC has a NAT gateway attached.
  6. Select Save to apply the new configuration to the chosen AWS Lambda function and associate it with the specified VPC.
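The console steps above (both the check under "Steps to reproduce" and the remediation) can be automated. The following is an added example, not the plugin's own code: it implements the same check over the function configuration that the Lambda API returns (a function with no VpcConfig, or with an empty VpcId, is not attached to a VPC), validates a remediation request against the guidance above (at least two subnets, at least one security group), and shows the boto3 calls for a live account. The function names, subnet, security group and VPC IDs are constructed sample values; the boto3 import is deferred so the audit logic itself runs offline.

```python
"""Added example: audit Lambda functions for a VPC attachment and build the
remediation request. Not part of the original page or the plugin's code."""
from typing import Dict, List


def lambda_has_vpc(config: Dict) -> bool:
    """True when a function configuration (as returned by list_functions or
    get_function_configuration) is attached to a VPC.

    Lambda reports a detached function either with no VpcConfig key at all or
    with VpcConfig present but VpcId "" and empty SubnetIds, so both are treated
    as "not in a VPC".
    """
    vpc = config.get("VpcConfig") or {}
    return bool(vpc.get("VpcId")) and bool(vpc.get("SubnetIds"))


def find_functions_without_vpc(configs: List[Dict]) -> List[str]:
    """Names of the functions that would fail this plugin's check."""
    return [c["FunctionName"] for c in configs if not lambda_has_vpc(c)]


def vpc_config_problems(subnet_ids: List[str], security_group_ids: List[str]) -> List[str]:
    """Validate a proposed VPC configuration against the remediation guidance."""
    problems = []
    if len(set(subnet_ids)) < 2:
        problems.append("at least two subnets are required for high availability")
    if not security_group_ids:
        problems.append("at least one security group is required")
    return problems


def build_vpc_config(subnet_ids: List[str], security_group_ids: List[str]) -> Dict:
    """Build the VpcConfig parameter for update_function_configuration."""
    problems = vpc_config_problems(subnet_ids, security_group_ids)
    if problems:
        raise ValueError("; ".join(problems))
    return {"SubnetIds": sorted(set(subnet_ids)),
            "SecurityGroupIds": list(dict.fromkeys(security_group_ids))}


# Constructed sample of what list_functions()["Functions"] can contain.
SAMPLE_FUNCTIONS = [
    {"FunctionName": "orders-api",
     "VpcConfig": {"VpcId": "vpc-0123456789abcdef0",
                   "SubnetIds": ["subnet-aaa", "subnet-bbb"],
                   "SecurityGroupIds": ["sg-111"]}},
    {"FunctionName": "nightly-report"},                       # no VpcConfig key
    {"FunctionName": "image-resizer",
     "VpcConfig": {"VpcId": "", "SubnetIds": [], "SecurityGroupIds": []}},  # detached
]


def audit_account(region_name: str) -> List[str]:
    """Live audit: page through list_functions and return the non-VPC functions.
    Assumes boto3 is installed, credentials are configured and the caller has
    lambda:ListFunctions."""
    import boto3
    client = boto3.client("lambda", region_name=region_name)
    configs: List[Dict] = []
    for page in client.get_paginator("list_functions").paginate():
        configs.extend(page["Functions"])
    return find_functions_without_vpc(configs)


def remediate(function_name: str, subnet_ids: List[str],
              security_group_ids: List[str], region_name: str) -> Dict:
    """Live remediation: attach the function to the given subnets and security
    groups (the API equivalent of remediation steps 5 and 6 above)."""
    import boto3
    client = boto3.client("lambda", region_name=region_name)
    return client.update_function_configuration(
        FunctionName=function_name,
        VpcConfig=build_vpc_config(subnet_ids, security_group_ids),
    )


if __name__ == "__main__":
    print("Functions without a VPC:", find_functions_without_vpc(SAMPLE_FUNCTIONS))
    print("Remediation request:", build_vpc_config(["subnet-bbb", "subnet-aaa"], ["sg-111"]))
    print("Rejected request:", vpc_config_problems(["subnet-aaa"], []))
```

Two caveats when running the live calls: the function's execution role must be allowed to manage elastic network interfaces (the AWSLambdaVPCAccessExecutionRole managed policy grants ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces and ec2:DeleteNetworkInterface), and, as the remediation steps note, a function attached to a VPC reaches the Internet only through a NAT gateway, so an update can silently break outbound calls unless the security groups and routing were checked first.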


References: