
Rule: Lambda functions should be in a VPC

This rule ensures that Lambda functions are placed within a VPC for enhanced security measures.

Rule: Lambda functions should be in a VPC
Framework: CISA-cyber-essentials
Severity: Low

Rule/Policy: Lambda functions should be in a VPC for CISA-cyber-essentials

Description:

Lambda functions are serverless compute resources provided by Amazon Web Services (AWS) that allow you to run code without the need to provision or manage servers. To ensure compliance with CISA Cyber Essentials guidelines, it is recommended to configure Lambda functions within a Virtual Private Cloud (VPC). Placing Lambda functions in a VPC provides additional security measures by limiting network access, enhancing isolation, and controlling traffic flow.

Troubleshooting:

Lambda functions that are not configured within a VPC are exposed to potential security risks, such as unauthorized access and data breaches. To verify whether a Lambda function is already in a VPC, follow the steps below:

  1. Open the AWS Management Console.
  2. Navigate to the Lambda service.
  3. Select the desired Lambda function.
  4. Check the "Configuration" tab for any VPC details.
  5. If the VPC field is empty, the Lambda function is not currently in a VPC.

Necessary Codes:

If the Lambda function is not in a VPC, you can use the following code snippet to associate it with a VPC:

```python
import boto3


def lambda_handler(event, context):
    # Boto3 Lambda client; credentials come from the execution role or environment.
    client = boto3.client('lambda')

    function_name = 'your_lambda_function_name'
    # VpcConfig has no VpcId input: the VPC is implied by the subnets you pass,
    # so vpc_id only documents which VPC the subnet and security-group IDs
    # below must belong to.
    vpc_id = 'your_vpc_id'
    subnet_ids = ['subnet_id1', 'subnet_id2']
    security_group_ids = ['security_group_id']

    # Attach the function to the VPC. The function's execution role needs
    # permission to manage elastic network interfaces (ec2:CreateNetworkInterface,
    # ec2:DescribeNetworkInterfaces, ec2:DeleteNetworkInterface) for this call
    # to succeed.
    response = client.update_function_configuration(
        FunctionName=function_name,
        VpcConfig={
            'SubnetIds': subnet_ids,
            'SecurityGroupIds': security_group_ids
        }
    )

    return response
```

This snippet uses the AWS SDK for Python (Boto3) to update the Lambda function's configuration and associate it with a VPC. Replace the placeholders ('your_lambda_function_name', 'your_vpc_id', 'subnet_id1', 'subnet_id2', 'security_group_id') with the values specific to your environment.
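The troubleshooting steps above check one function at a time in the console, and the snippet above calls UpdateFunctionConfiguration without confirming that the subnets really belong to the intended VPC. The following is an added example (not Cloud Defense's rule engine or the page's own code) that does both programmatically: it evaluates the dict shape Boto3 returns from lambda:ListFunctions / GetFunctionConfiguration against the rule, and it pre-checks a remediation request against the "Subnets" list from ec2:DescribeSubnets. All function names, IDs and records are constructed sample data; audit_account() is the only part that talks to AWS and is the only assumption about a live environment.

```python
"""Offline check for the 'Lambda functions should be in a VPC' rule.

Added example, not Cloud Defense's own rule engine. The predicates work on the
dict shape Boto3 returns from lambda:ListFunctions / GetFunctionConfiguration,
so they run here against constructed sample records; audit_account() at the
bottom wires the same logic to a live account.
"""
from typing import Dict, Iterable, List, Optional


def is_in_vpc(config: Dict) -> bool:
    """True when a function configuration shows a complete VPC attachment.

    Functions outside a VPC are reported either with no "VpcConfig" key at
    all or with a "VpcConfig" whose VpcId is "" and whose ID lists are empty,
    so both shapes must count as non-compliant.
    """
    vpc = config.get("VpcConfig") or {}
    return bool(vpc.get("VpcId")) and bool(vpc.get("SubnetIds")) and bool(vpc.get("SecurityGroupIds"))


def find_non_compliant(configs: Iterable[Dict]) -> List[str]:
    """Names of the functions that fail the rule, in listing order."""
    return [c["FunctionName"] for c in configs if not is_in_vpc(c)]


def foreign_subnets(vpc_id: str, subnet_ids: Iterable[str], subnets: Iterable[Dict]) -> List[str]:
    """Remediation preflight: the requested subnet IDs that are not in vpc_id.

    UpdateFunctionConfiguration takes only subnet and security-group IDs; the
    VPC is implied by the subnets, and every subnet must belong to the same
    VPC. `subnets` is the "Subnets" list from ec2:DescribeSubnets. Unknown
    subnet IDs are reported too, so a typo is caught before the API call.
    """
    owner = {s["SubnetId"]: s["VpcId"] for s in subnets}
    return [sid for sid in subnet_ids if owner.get(sid) != vpc_id]


# Constructed sample data: one compliant function and the two shapes of a
# non-compliant one (all IDs are made up).
SAMPLE_FUNCTIONS = [
    {"FunctionName": "orders-api",
     "VpcConfig": {"VpcId": "vpc-0aaa", "SubnetIds": ["subnet-0a1", "subnet-0a2"],
                   "SecurityGroupIds": ["sg-0a1"]}},
    {"FunctionName": "nightly-report"},
    {"FunctionName": "image-resizer",
     "VpcConfig": {"VpcId": "", "SubnetIds": [], "SecurityGroupIds": []}},
]
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0a1", "VpcId": "vpc-0aaa"},
    {"SubnetId": "subnet-0a2", "VpcId": "vpc-0aaa"},
    {"SubnetId": "subnet-0b9", "VpcId": "vpc-0bbb"},
]


def audit_account(region_name: Optional[str] = None) -> List[str]:
    """Run find_non_compliant over every function in the caller's account."""
    import boto3  # imported here so the offline checks above need no AWS SDK
    client = boto3.client("lambda", region_name=region_name)
    configs: List[Dict] = []
    for page in client.get_paginator("list_functions").paginate():
        configs.extend(page["Functions"])
    return find_non_compliant(configs)


if __name__ == "__main__":
    print("non-compliant:", find_non_compliant(SAMPLE_FUNCTIONS))
    print("subnets outside vpc-0aaa:",
          foreign_subnets("vpc-0aaa", ["subnet-0a1", "subnet-0b9"], SAMPLE_SUBNETS))
```

Run it as-is to see the two non-compliant sample functions and the one subnet that would be rejected; call audit_account() with credentials for a real account to list every function in a region that fails the rule. Two operational points to plan for before remediating: the execution role must be allowed to create and delete elastic network interfaces, and a function inside a VPC no longer has default internet egress, so access to AWS APIs or external services has to go through VPC endpoints or a NAT gateway.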

Step-by-step Guide for Remediation:

To configure a Lambda function within a VPC, follow these steps:

  1. Open the AWS Management Console.
  2. Navigate to the Lambda service.
  3. Select the desired Lambda function.
  4. Click on the "Configuration" tab.
  5. Under the "Network" section, click on the "Edit" button.
  6. Select the desired VPC from the dropdown menu.
  7. Choose the appropriate subnets and security groups that you want to associate with the Lambda function.
  8. Click on the "Save" button to apply the changes.
  9. Verify that the Lambda function is now associated with the desired VPC by checking the configuration details.

By following the above steps, you have successfully configured your Lambda function within a VPC, ensuring compliance with the CISA Cyber Essentials guidelines.
