This rule ensures VPC Lambda functions operate in multiple Availability Zones for fault tolerance.
Rule | VPC Lambda functions should operate in more than one Availability Zone |
Framework | AWS Foundational Security Best Practices |
Severity | ✔ Medium |
Rule Description:
AWS Foundational Security Best Practices control Lambda.5 checks whether a Lambda function that is connected to a Virtual Private Cloud (VPC) is configured with subnets in more than one Availability Zone (AZ). A VPC-connected function reaches resources inside the VPC through elastic network interfaces that Lambda creates in the subnets you select. If every selected subnet sits in the same AZ, an outage of that AZ leaves the function with no usable network path, even though the Lambda service itself is regional. Selecting subnets in at least two AZs lets Lambda keep running the function from the remaining AZs, so a single-AZ failure does not disrupt your application. Functions that are not connected to a VPC are not evaluated by this rule.
Troubleshooting Steps:
To troubleshoot a finding from this rule, or to confirm that a function is correctly spread across Availability Zones, follow these steps:
Check the VPC configuration: Verify that the VPC has subnets in at least two AZs and that those subnets are the ones referenced in the function's VPC configuration. Subnets that exist in the VPC but are not selected on the function do not count.
Validate the function configuration: Review the function's VpcConfig (SubnetIds and SecurityGroupIds). Confirm that the listed subnets are in different AZs; two subnets in the same AZ still fail the rule.
Check the function's execution logs: Analyze the CloudWatch logs for the function's invocations. Look for timeouts or connection errors when reaching VPC resources, which can indicate that the function is pinned to a single AZ or that a newly added subnet lacks connectivity.
Verify network connectivity: Ensure that the security groups and network access control lists (ACLs) of each selected subnet, in every AZ, permit the inbound and outbound traffic the function needs. A subnet added in a second AZ needs an equivalent route table, including a NAT path if the function needs internet access, or invocations routed through it will fail.
Test function resilience: Run a fault-injection exercise, for example an AWS Fault Injection Service experiment that disrupts network connectivity for the subnets in one AZ, and confirm that the function continues to serve requests from the remaining AZs.
Necessary Codes:
There is no code artifact to deploy for this rule. It is a configuration check on the function's VpcConfig, so remediation is done in the AWS Management Console, with AWS Command Line Interface (CLI) commands, or in whatever infrastructure-as-code manages the function.
Step-by-step Guide for Remediation:
Follow these steps to ensure that your VPC-based Lambda functions operate in more than one Availability Zone:
Log in to the AWS Management Console.
Navigate to the AWS Lambda service.
Select the Lambda function you want to modify.
Open the "Configuration" tab, select "VPC", and click "Edit".
Choose the VPC the function should connect to.
In the "Subnets" section, select at least two subnets that are in different Availability Zones (the console shows the AZ next to each subnet). Choose subnets of the same tier as the existing one, typically private subnets with the same routing and NAT setup, so the function behaves identically in every AZ.
Review the other configuration settings as necessary, such as security groups and function-specific parameters.
Click on "Save" to apply the changes.
Validate the changes by testing the function's operation and ensuring it can handle failures in individual Availability Zones without disruptions.
Note: You can also use the AWS CLI to attach a Lambda function to a VPC and specify subnets in multiple Availability Zones. The VPC configuration needs both the subnet IDs and at least one security group ID, so include both in --vpc-config:
aws lambda update-function-configuration --function-name <function-name> --vpc-config SubnetIds=<subnet-id-az1>,<subnet-id-az2>,SecurityGroupIds=<security-group-id>
Replace <function-name> with the name of your Lambda function, <subnet-id-az1> and <subnet-id-az2> with the IDs of subnets in different Availability Zones, and <security-group-id> with the security group the function should use.
By following these guidelines, you will adhere to the AWS Foundational Security Best Practices and ensure that your VPC Lambda functions operate in more than one Availability Zone, providing high availability and fault tolerance for your applications.
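The configuration check described in the troubleshooting steps and the subnet selection in the remediation steps can be automated. The following is an added example, not code from the original rule page or from AWS. The evaluation logic mirrors what a custom Security Hub or AWS Config check would report, the sample function configurations and subnet-to-AZ map are constructed, and load_from_aws() assumes boto3 is installed with credentials for the target account.

```python
"""Custom check and remediation helper for FSBP Lambda.5 (VPC Lambda functions
should operate in more than one Availability Zone).

Added example, not code from the rule page. The evaluation logic is pure and
runs offline on constructed data; load_from_aws() is the only part that needs
boto3 (assumed installed) and valid AWS credentials.
"""
from collections import defaultdict

# Constructed sample data (not real AWS resources): the subnets of one VPC
# and three function configurations shaped like GetFunctionConfiguration.
SAMPLE_SUBNET_AZ = {
    "subnet-0a1": "us-east-1a",
    "subnet-0a2": "us-east-1a",
    "subnet-0b1": "us-east-1b",
    "subnet-0c1": "us-east-1c",
}
SAMPLE_SINGLE_AZ = {
    "FunctionName": "orders-api",
    "VpcConfig": {"SubnetIds": ["subnet-0a1", "subnet-0a2"],
                  "SecurityGroupIds": ["sg-0123"]},
}
SAMPLE_MULTI_AZ = {
    "FunctionName": "billing-worker",
    "VpcConfig": {"SubnetIds": ["subnet-0a1", "subnet-0b1"],
                  "SecurityGroupIds": ["sg-0123"]},
}
SAMPLE_NO_VPC = {
    "FunctionName": "hello",
    "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": []},
}


def az_coverage(subnet_ids, subnet_to_az):
    """Group the function's subnet ids by AZ. Ids with no known AZ (e.g. a
    subnet deleted after the function was configured) are grouped under None."""
    cov = defaultdict(list)
    for sid in subnet_ids:
        cov[subnet_to_az.get(sid)].append(sid)
    return dict(cov)


def evaluate_function(config, subnet_to_az):
    """Evaluate one function configuration.

    Returns (status, detail) with status PASSED, FAILED or NOT_APPLICABLE,
    the same vocabulary Security Hub uses for control findings."""
    subnet_ids = (config.get("VpcConfig") or {}).get("SubnetIds") or []
    if not subnet_ids:
        return "NOT_APPLICABLE", "function is not attached to a VPC"
    cov = az_coverage(subnet_ids, subnet_to_az)
    missing = cov.pop(None, [])
    if missing:
        # A dangling subnet id means Lambda cannot create ENIs there, so it
        # is a failure rather than something that counts toward coverage.
        return "FAILED", "subnet(s) not found: " + ", ".join(missing)
    azs = sorted(cov)
    if len(azs) > 1:
        return "PASSED", f"{len(subnet_ids)} subnet(s) across {', '.join(azs)}"
    return "FAILED", f"all {len(subnet_ids)} subnet(s) are in {azs[0]}"


def propose_subnets(current_subnet_ids, vpc_subnet_to_az, min_azs=2):
    """Suggest a remediation subnet list: keep the current subnets and add one
    subnet from each AZ not yet covered until min_azs AZs are covered.
    Candidates are assumed to be the same tier (routing, NAT) as the current
    subnets; the caller must filter vpc_subnet_to_az accordingly."""
    chosen = list(current_subnet_ids)
    covered = {vpc_subnet_to_az[s] for s in chosen if s in vpc_subnet_to_az}
    for sid, az in sorted(vpc_subnet_to_az.items()):
        if len(covered) >= min_azs:
            break
        if az not in covered:
            chosen.append(sid)
            covered.add(az)
    return chosen


def load_from_aws(function_name, region_name=None):
    """Fetch a function's configuration and the AZ of each subnet it uses.
    Needs boto3 and AWS credentials; not exercised by the offline demo."""
    import boto3  # imported here so the pure checks above work without it
    lam = boto3.client("lambda", region_name=region_name)
    ec2 = boto2 = boto3.client("ec2", region_name=region_name)
    config = lam.get_function_configuration(FunctionName=function_name)
    subnet_ids = (config.get("VpcConfig") or {}).get("SubnetIds") or []
    subnet_to_az = {}
    if subnet_ids:
        # A filter, unlike SubnetIds=, does not raise when a subnet was
        # deleted; the missing id simply shows up as None in az_coverage.
        resp = ec2.describe_subnets(
            Filters=[{"Name": "subnet-id", "Values": subnet_ids}])
        subnet_to_az = {s["SubnetId"]: s["AvailabilityZone"]
                        for s in resp["Subnets"]}
    return config, subnet_to_az


if __name__ == "__main__":
    for fn in (SAMPLE_SINGLE_AZ, SAMPLE_MULTI_AZ, SAMPLE_NO_VPC):
        status, detail = evaluate_function(fn, SAMPLE_SUBNET_AZ)
        print(f"{fn['FunctionName']:<16} {status:<15} {detail}")
    print("remediation for orders-api:",
          propose_subnets(SAMPLE_SINGLE_AZ["VpcConfig"]["SubnetIds"],
                          SAMPLE_SUBNET_AZ))
```

Against a real account, call load_from_aws("<function-name>") and pass the result to evaluate_function; the subnets returned by propose_subnets are what you would put in --vpc-config SubnetIds=... (together with the existing SecurityGroupIds) for update-function-configuration. The check deliberately fails on a subnet id that no longer resolves, because a function referencing a deleted subnet is in a worse state than one pinned to a single AZ.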