This rule ensures Lambda functions have a dead-letter queue for better error handling.

| Field | Value |
| --- | --- |
| Rule | Lambda functions should be configured with a dead-letter queue |
| Framework | NIST 800-171 Revision 2 |
| Severity | ✔ Medium |
## Rule Description

Lambda functions should be configured with a dead-letter queue to comply with the security requirement NIST 800-171 Revision 2. This rule ensures that any failed Lambda function invocations have a designated queue for error handling and logging purposes.
## Troubleshooting Steps

If your Lambda function does not have a dead-letter queue configured, follow these steps to troubleshoot the issue:

1. Check Lambda Configuration: Verify that the dead-letter queue configuration is indeed missing in the Lambda function.
2. Review CloudWatch Logs: Check the CloudWatch Logs for the Lambda function to see if any error messages or exceptions are being logged.
3. Investigate Function Role Permissions: Ensure that the IAM role associated with the Lambda function has the necessary permissions to write to the dead-letter queue. Check for any permission-related errors in the function's execution log.
4. Examine Queue Permissions: Validate the permissions of the dead-letter queue to confirm that Lambda has the necessary write permissions to the queue.
5. Test Function Invocation: Invoke the Lambda function and monitor the response. If the function fails, ensure that the error is not due to a missing dead-letter queue.
## Code Configuration

To configure a dead-letter queue for a Lambda function, you can use the AWS CLI or AWS Management Console. Below are the necessary steps for both options:

### Using AWS Management Console:

1. Open the AWS Management Console and navigate to the AWS Lambda service.
2. Select the Lambda function for which you want to configure the dead-letter queue.
3. Under the Configuration tab, scroll down to the Dead Letter Queue section and click "Edit".
4. Choose an existing SQS (Simple Queue Service) queue or create a new one.
5. Click "Save" to apply the changes.

### Using AWS CLI:

1. Open your preferred command-line interface.
2. Use the `aws lambda update-function-configuration` command, specifying the function name and the `--dead-letter-config` parameter with the ARN (Amazon Resource Name) of the desired dead-letter queue:

```bash
aws lambda update-function-configuration \
  --function-name <function-name> \
  --dead-letter-config TargetArn=<dead-letter-queue-arn>
```
## Remediation Steps

To remediate the issue of not having a dead-letter queue configured for a Lambda function, follow these steps:

1. Identify the Lambda functions for which a dead-letter queue needs to be configured.
2. Choose the appropriate method (AWS Management Console or AWS CLI) to configure the dead-letter queue as mentioned in the previous section.
   - If using the AWS Management Console: follow the console steps from the previous section for each identified function.
   - If using the AWS CLI: run the `aws lambda update-function-configuration` command as specified in the previous section, replacing `<function-name>` and `<dead-letter-queue-arn>` with the appropriate values.
3. Verify that the dead-letter queue configuration is successful by checking the Lambda function's details or using the AWS CLI.
4. Retest the Lambda function to ensure that any failed invocations are sent to the configured dead-letter queue for error handling and troubleshooting purposes.
Note: It is essential to ensure that the designated dead-letter queue has proper permissions in place, granting the function's execution role write access to the queue.
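The configuration check from the Troubleshooting Steps and the permission check from the Note above can be run together as one offline audit. The following Python is an added example, not part of this rule page or of any AWS tool; it evaluates constructed `get-function-configuration` records alongside constructed execution-role policy documents (all function names, role names, account IDs and ARNs are placeholders) and reports FAIL where no SQS/SNS dead-letter target is set and WARN where a target exists but the role lacks the write action Lambda needs (`sqs:SendMessage` or `sns:Publish`).

```python
import re

# Constructed sample input, trimmed to the fields of `aws lambda get-function-configuration`
# that matter for this rule; account id, names and ARNs are placeholders.
FUNCTION_CONFIGS = [
    {"FunctionName": "orders-worker", "Role": "arn:aws:iam::123456789012:role/orders-role",
     "DeadLetterConfig": {"TargetArn": "arn:aws:sqs:us-east-1:123456789012:orders-dlq"}},
    {"FunctionName": "legacy-cron", "Role": "arn:aws:iam::123456789012:role/legacy-role"},
    {"FunctionName": "img-resize", "Role": "arn:aws:iam::123456789012:role/img-role",
     "DeadLetterConfig": {"TargetArn": "arn:aws:sqs:us-east-1:123456789012:img-dlq"}},
]
# Constructed policy documents of each execution role (shape of `aws iam get-role-policy` output).
ROLE_POLICIES = {
    "arn:aws:iam::123456789012:role/orders-role": {"Statement": [
        {"Effect": "Allow", "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:123456789012:orders-dlq"}]},
    "arn:aws:iam::123456789012:role/legacy-role": {"Statement": []},
    # img-role can only write logs, so Lambda cannot deliver failed events to img-dlq.
    "arn:aws:iam::123456789012:role/img-role": {"Statement": [
        {"Effect": "Allow", "Action": ["logs:PutLogEvents"], "Resource": "*"}]},
}
ARN_RE = re.compile(r"^arn:aws:(sqs|sns):[a-z0-9-]+:\d{12}:[A-Za-z0-9_.-]+$")
NEEDED_ACTION = {"sqs": "sqs:SendMessage", "sns": "sns:Publish"}  # write action per DLQ type

def as_list(v):
    return v if isinstance(v, list) else [v]

def role_can_write(policy, target_arn):
    """True if some Allow statement grants the write action on the DLQ target (or a wildcard)."""
    service = ARN_RE.match(target_arn).group(1)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant; a full evaluator would also apply them
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        resources = set(as_list(stmt.get("Resource", [])))
        wanted = {NEEDED_ACTION[service].lower(), "*", f"{service}:*"}
        if actions & wanted and resources & {"*", target_arn}:
            return True
    return False

def evaluate(config, role_policies):
    """Return (status, detail): FAIL with no valid DLQ, WARN if the role cannot write to it."""
    target = (config.get("DeadLetterConfig") or {}).get("TargetArn", "")
    if not ARN_RE.match(target):
        return "FAIL", "no SQS/SNS dead-letter target configured"
    if not role_can_write(role_policies.get(config["Role"], {}), target):
        return "WARN", f"execution role lacks {NEEDED_ACTION[target.split(':')[2]]} on {target}"
    return "PASS", f"dead-letter target {target}"

def audit(configs=FUNCTION_CONFIGS, role_policies=ROLE_POLICIES):
    """Map each function name to its (status, detail) finding."""
    return {c["FunctionName"]: evaluate(c, role_policies) for c in configs}
```

On real accounts, feed `audit()` the JSON from `aws lambda list-functions` and the role's policy documents; policies attached to the role as managed policies need to be fetched and merged as well.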