
Rule: Lambda functions should be in a VPC

Ensure that Lambda functions are placed within a Virtual Private Cloud for improved security

Rule: Lambda functions should be in a VPC
Framework: NIST 800-53 Revision 4
Severity: Low

Rule Description

This rule checks that every Lambda function has a VPC configuration (subnets and security groups), so that its network traffic is governed by the VPC's route tables, security groups and network ACLs; it supports the boundary-protection controls (SC-7) of NIST 800-53 Revision 4. By default a Lambda function runs outside any VPC: it has unrestricted outbound internet access and cannot reach private resources such as RDS instances or ElastiCache clusters. Attaching it to a VPC gives it elastic network interfaces in subnets you control, so egress can be limited to known destinations, routed through a NAT gateway you can monitor, or sent to AWS services over VPC endpoints so that traffic never leaves the AWS network.

Troubleshooting Steps

If your Lambda function is not running within a VPC, or cannot reach its dependencies after being placed in one, work through these checks:

  1. Check the Lambda function configuration: Lambda functions run outside any VPC by default, so "not in a VPC" simply means the function has no VPC configuration. The console's Network section shows "No VPC", and aws lambda get-function-configuration --function-name MyFunction --query VpcConfig returns an empty or absent configuration. Attach the function to a VPC as described in the remediation steps below.

  2. Review subnet configuration: Use private subnets in at least two Availability Zones, each with enough free IP addresses for the elastic network interfaces Lambda creates, and check the route table associated with each subnet (or the VPC's main route table if the subnet has no explicit association).

  3. Check internet connectivity: Network interfaces created by Lambda never receive a public IP address, so a function in a public subnet (default route to an internet gateway) has no internet access at all. If the function must call external endpoints, place it in a private subnet whose default route points to a NAT gateway. If it only needs AWS services, prefer VPC endpoints (gateway endpoints for S3 and DynamoDB, interface endpoints for other services) so the traffic stays inside the VPC.

  4. Verify security group settings: A Lambda function is invoked through the Lambda service, not through its network interface, so inbound rules on the function's security group play no part in invocation. What matters is egress: the function's security group must allow outbound traffic to the resources it calls (for example TCP/5432 to the database's security group), and the target resources' security groups must allow inbound traffic from the function's security group.

  5. Check DNS resolution: If the function resolves names of resources inside the VPC (RDS endpoints, private DNS names of interface endpoints), make sure both DNS resolution (enableDnsSupport) and DNS hostnames (enableDnsHostnames) are enabled on the VPC. If the VPC uses a custom DHCP option set, the DNS servers it lists must be reachable from the function's subnets.

  6. Check the execution role: Attaching a function to a VPC requires its execution role to hold ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces and ec2:DeleteNetworkInterface (the AWSLambdaVPCAccessExecutionRole managed policy grants them). Without these permissions the configuration update is rejected.

Necessary Codes

The following AWS CloudFormation template creates a Lambda function inside a VPC, together with the execution role that grants the network-interface permissions VPC attachment requires (Role is a required property of AWS::Lambda::Function, and nodejs14.x has been replaced with a supported runtime; the subnet and security group IDs are placeholders):

Resources:
  LambdaVpcRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # CloudWatch Logs plus the ec2:*NetworkInterface permissions a VPC-attached
        # function needs; without them the VPC configuration is rejected
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
  MyLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: MyFunction
      Handler: index.handler
      Runtime: nodejs20.x
      Role: !GetAtt LambdaVpcRole.Arn
      Code:
        S3Bucket: my-bucket
        S3Key: my-function.zip
      VpcConfig:
        SecurityGroupIds:
          - sg-xxxxxxxx        # placeholder; only its outbound rules matter
        SubnetIds:             # placeholders; use private subnets in two AZs
          - subnet-xxxxxxxx
          - subnet-yyyyyyyy

Step-by-Step Guide for Remediation

To remediate this issue and attach your Lambda functions to a VPC, follow these steps:

  1. Identify the target Lambda function: Determine which function(s) need to be placed in a VPC and what each one must reach (databases, caches, internal APIs, the internet, AWS service endpoints), since that decides the subnets and security group rules.

  2. Create or select a VPC: If you don't already have a VPC, create one using the Amazon VPC service. Otherwise select the existing VPC that contains the resources the function must reach, or that is peered or otherwise connected to them.

  3. Configure subnets: Use at least two private subnets in different Availability Zones, each with enough free IP addresses for the network interfaces Lambda will create. If the function needs internet access, the subnets' route table must send 0.0.0.0/0 to a NAT gateway. Do not use public subnets: Lambda's network interfaces have no public IP address and cannot use an internet gateway.

  4. Collect security group information: Identify or create a security group for the function whose outbound rules allow exactly the traffic it needs (for example TCP/5432 to the database's security group, TCP/443 to the internet via the NAT gateway), and add matching inbound rules on the target resources' security groups that reference the function's security group. Inbound rules on the function's own security group are not needed for invocation.

  5. Update the Lambda function configuration: First confirm that the execution role can create and delete network interfaces (attach the AWSLambdaVPCAccessExecutionRole managed policy, or grant ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces and ec2:DeleteNetworkInterface); the update is rejected otherwise. Then enable VPC access:

    • Using AWS Management Console:

      • Go to the AWS Lambda service page.
      • Select the target Lambda function.
      • In the "Configuration" tab, scroll down to the "Network" section.
      • Click "Edit" and choose the desired VPC and associated subnets.
      • Select the appropriate security group(s) for the Lambda function.
      • Save the changes.
    • Using AWS CLI:

      • Open a terminal or command prompt.
      • Run the following command, replacing the placeholders with your actual values:
      aws lambda update-function-configuration --function-name MyFunction --vpc-config SubnetIds=subnet-xxxxxxxx,SecurityGroupIds=sg-xxxxxxxx
      
  6. Test the Lambda function: Invoke the function and check its CloudWatch Logs. Connectivity problems inside a VPC usually surface as timeouts rather than explicit errors, so a function that suddenly runs to its timeout is the first sign of a missing route, security group rule or DNS setting.

  7. Monitor and iterate: Watch the function's duration, error and throttle metrics, and the free IP addresses in its subnets, since each subnet needs spare capacity for the network interfaces Lambda creates. Adjust routes and security group rules as the function's dependencies change, keeping the egress rules as narrow as possible.

By following these steps, you can ensure that your Lambda functions comply with the NIST 800-53 Revision 4 security standard by running within a VPC, providing improved network isolation and security controls.
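Both the troubleshooting checks and the remediation steps above can be scripted against API output. The following Python is an added example for this page, not Cloud Defense's or AWS's code: it flags functions with no VPC configuration (the condition this rule detects), classifies each configured subnet from its route table so that public subnets are caught before a function is moved, and builds the argument dictionary for update_function_configuration. The FUNCTIONS and ROUTE_TABLES records are constructed sample data in the assumed shape of aws lambda list-functions and aws ec2 describe-route-tables output, with fictitious IDs.

```python
"""Audit Lambda VPC placement and plan a safe VpcConfig update.

Added example for this page, not Cloud Defense's or AWS's code. FUNCTIONS and
ROUTE_TABLES are constructed samples (assumed shape, fictitious IDs) of `aws lambda
list-functions` and `aws ec2 describe-route-tables` output; feed real output to audit().
"""

FUNCTIONS = [  # constructed sample data
    {"FunctionName": "orders-api"},                        # never attached to a VPC
    {"FunctionName": "billing-worker",                     # detached: empty VpcConfig
     "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": [], "VpcId": ""}},
    {"FunctionName": "inventory-sync",                     # two private subnets
     "VpcConfig": {"SubnetIds": ["subnet-0aaa", "subnet-0bbb"],
                   "SecurityGroupIds": ["sg-0111"], "VpcId": "vpc-0123"}},
    {"FunctionName": "report-gen",                         # a single public subnet
     "VpcConfig": {"SubnetIds": ["subnet-0ccc"],
                   "SecurityGroupIds": ["sg-0111"], "VpcId": "vpc-0123"}},
]

ROUTE_TABLES = [  # constructed sample data
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0123", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-private", "VpcId": "vpc-0123",
     "Associations": [{"SubnetId": "subnet-0aaa"}, {"SubnetId": "subnet-0bbb"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0999"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-0123",
     "Associations": [{"SubnetId": "subnet-0ccc"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0777"}]},
]

def functions_outside_vpc(functions):
    """Names the rule flags: no VpcConfig at all, or one with no subnets."""
    return [f["FunctionName"] for f in functions
            if not f.get("VpcConfig", {}).get("SubnetIds")]

def route_table_for_subnet(subnet_id, vpc_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise ValueError(f"no route table for {subnet_id} in {vpc_id}")
    return main

def classify_subnet(subnet_id, vpc_id, route_tables):
    """'public' (default route to an IGW), 'private' (to a NAT gateway) or 'isolated'."""
    for route in route_table_for_subnet(subnet_id, vpc_id, route_tables)["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId"):
            return "private"
    return "isolated"

def findings_for(fn, route_tables):
    """Troubleshooting findings for one function record; an empty list means OK."""
    name, cfg = fn["FunctionName"], fn.get("VpcConfig") or {}
    subnets = cfg.get("SubnetIds") or []
    if not subnets:
        return [f"{name}: not attached to a VPC"]
    out = [] if len(subnets) > 1 else [f"{name}: only one subnet; use private subnets in two AZs"]
    for sid in subnets:
        kind = classify_subnet(sid, cfg["VpcId"], route_tables)
        if kind == "public":  # Lambda ENIs never get a public IP, so an IGW route is useless
            out.append(f"{name}: {sid} is a public subnet; the function has no internet egress there")
        elif kind == "isolated":
            out.append(f"{name}: {sid} has no default route; only VPC targets and endpoints are reachable")
    return out

def audit(functions, route_tables):
    """Map each function name to its findings."""
    return {f["FunctionName"]: findings_for(f, route_tables) for f in functions}

def plan_vpc_config(function_name, vpc_id, subnet_ids, security_group_ids, route_tables):
    """Keyword arguments for boto3 update_function_configuration; refuses public subnets."""
    public = [s for s in subnet_ids if classify_subnet(s, vpc_id, route_tables) == "public"]
    if public:
        raise ValueError(f"refusing public subnets {public}; use NAT-routed private subnets")
    if not security_group_ids:
        raise ValueError("VpcConfig needs at least one security group")
    return {"FunctionName": function_name,
            "VpcConfig": {"SubnetIds": list(subnet_ids),
                          "SecurityGroupIds": list(security_group_ids)}}

if __name__ == "__main__":
    for name, issues in audit(FUNCTIONS, ROUTE_TABLES).items():
        print(f"{name}: {issues or 'OK'}")
```

Pass the dictionary returned by plan_vpc_config to boto3.client("lambda").update_function_configuration(**plan) once the execution role holds the network-interface permissions described above. The planner deliberately refuses public subnets because a function placed there passes this rule yet silently loses all internet access, which is the most common cause of timeouts after a VPC migration.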
