Rule: Lambda functions should be in a VPC

This rule specifies that Lambda functions must be configured within a VPC for enhanced security.

Rule: Lambda functions should be in a VPC
Framework: CISA-cyber-essentials
Severity: Low

Rule Description:

The rule states that Lambda functions should be configured within a Virtual Private Cloud (VPC) in order to comply with the CISA Cyber Essentials guidelines. By placing Lambda functions within a VPC, network access and communication can be controlled, increasing the overall security posture of the application.

Troubleshooting steps (if any):

  1. Verify Lambda function networking settings: Check if the Lambda function is configured with a VPC. If not, proceed to modify the function's configuration.

  2. Validate VPC configuration: Ensure that the VPC configuration is properly set up with correct subnets, security groups, and routing rules.

  3. Check internet connectivity: Make sure the function's subnets have the outbound path it needs, either a NAT gateway for internet access or VPC endpoints for reaching AWS services.

  4. Verify security group rules: Validate that the security group associated with the Lambda function allows the necessary inbound/outbound traffic as per application requirements.

  5. Verify Lambda function resources: Ensure that the Lambda function has sufficient resources (e.g., memory, timeout values) assigned to successfully execute within the VPC.

Necessary Code (if any):

No code snippets are required as this rule primarily focuses on the configuration and placement of Lambda functions within a VPC.

Step-by-step Guide for Remediation:

  1. Open the AWS Lambda Management Console.

  2. Select the desired Lambda function that needs to be placed within a VPC.

  3. In the Function overview section, click on the "Edit" button.

  4. Scroll down to the "Network" section.

  5. Click on the drop-down list under "VPC" and choose the appropriate VPC in which you want to place the Lambda function.

  6. Select the desired subnets within the VPC to configure the function's network access.

  7. Configure any required security groups by clicking on "Edit" under the "Security groups" section. Ensure that the inbound/outbound rules are properly configured as per the application's requirements.

  8. Confirm the changes by clicking on the "Save" button.

  9. Test the Lambda function to ensure proper execution and verify if any network-related issues arise due to the VPC placement.

  10. Monitor and troubleshoot any network connectivity or security group-related issues, if encountered, using CloudWatch logs and VPC flow logs.

  11. Repeat these steps for any other Lambda functions that need to be placed within a VPC.

Note: It's important to thoroughly test the Lambda function within the VPC to ensure that it functions as expected and doesn't encounter any runtime errors or connectivity issues.
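
To find which functions the remediation steps apply to, the check in troubleshooting step 1 can be run across a whole account. The following is an added example, not part of the original page or the vendor's tooling: it evaluates JSON shaped like the output of `aws lambda list-functions --output json`. The sample data, function names and resource IDs are constructed, and the single-subnet warning is an assumption of this example rather than part of the rule.

```python
import json

# Constructed sample shaped like `aws lambda list-functions --output json`.
SAMPLE = json.loads("""
{"Functions": [
  {"FunctionName": "orders-api",
   "VpcConfig": {"VpcId": "vpc-0aaa1111", "SubnetIds": ["subnet-0a1", "subnet-0b2"],
                 "SecurityGroupIds": ["sg-0c3"]}},
  {"FunctionName": "thumbnailer"},
  {"FunctionName": "legacy-report",
   "VpcConfig": {"VpcId": "", "SubnetIds": [], "SecurityGroupIds": []}},
  {"FunctionName": "billing-sync",
   "VpcConfig": {"VpcId": "vpc-0aaa1111", "SubnetIds": ["subnet-0a1"],
                 "SecurityGroupIds": ["sg-0c3"]}}
]}
""")


def audit_function(cfg):
    """Return (status, detail) for one function configuration."""
    vpc = cfg.get("VpcConfig") or {}
    # A function that was never attached has no VpcConfig; one that was
    # detached keeps the key with an empty VpcId and empty lists.
    if not vpc.get("VpcId"):
        return "FAIL", "not attached to a VPC"
    subnets = vpc.get("SubnetIds") or []
    groups = vpc.get("SecurityGroupIds") or []
    if not subnets or not groups:
        return "FAIL", "VPC set but subnets or security groups missing"
    # Assumption of this example: one subnet passes the rule but is flagged.
    if len(subnets) < 2:
        return "WARN", f"in {vpc['VpcId']} with a single subnet"
    return "PASS", f"in {vpc['VpcId']}, {len(subnets)} subnets"


def audit(listing):
    """Map each function name to its (status, detail) result."""
    return {f["FunctionName"]: audit_function(f) for f in listing.get("Functions", [])}


def failing(listing):
    """Names of functions that violate the rule, sorted for stable output."""
    return sorted(n for n, (s, _) in audit(listing).items() if s == "FAIL")


if __name__ == "__main__":
    for name, (status, detail) in sorted(audit(SAMPLE).items()):
        print(f"{status:4} {name}: {detail}")
```

Replace `SAMPLE` with the parsed CLI output to audit a real account; functions reported as FAIL are the ones to take through the remediation steps above.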
