
Rule: Lambda Functions Configured with Dead-Letter Queue

Guideline stating Lambda functions should have a dead-letter queue configured.

Rule: Lambda functions should be configured with a dead-letter queue
Framework: NIST 800-53 Revision 5
Severity: Medium

Configuring AWS Lambda with a Dead-Letter Queue for NIST 800-53 Rev 5 Compliance

Understanding the Requirement

National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5 provides a comprehensive catalogue of security and privacy controls for federal information systems and organizations. It does not mention AWS Lambda by name; this rule maps its controls on error handling, fault tolerance and retention of audit evidence to one concrete Lambda setting: a dead-letter queue (DLQ). When a function is invoked asynchronously and the invocation fails, Lambda retries it (twice by default) and then, if a DLQ is configured, writes the event to the DLQ instead of discarding it, so the failed event can be analysed and replayed. Note the scope: the DLQ applies only to asynchronous invocations. Synchronous callers receive the error directly, and records from stream or queue event sources (Kinesis, DynamoDB Streams, SQS) are handled by the event source mapping's own retry and on-failure settings, not by the function's DLQ.

Detailed Steps to Configure a Dead-Letter Queue

Step 1: Choose a DLQ Service

The first decision is selecting the service that will act as your DLQ. Lambda accepts two targets:

  • Amazon Simple Queue Service (Amazon SQS)
  • Amazon Simple Notification Service (Amazon SNS)

Choose SQS when failed events should be held until something reads them; this is the usual choice, because the queue is durable and can be drained for replay. Choose SNS when each failed event should be pushed immediately to subscribers (email, another function, an HTTPS endpoint). SNS does not retain messages, so anything you want to inspect later must be captured by a subscriber.

Step 2: Create a DLQ

Once you've chosen your service, create a new SQS queue or SNS topic to be used as the DLQ. Keep the ARN of whatever you create: create-topic returns it directly, and for SQS you can read it from the queue's QueueArn attribute. Step 4 needs it.

For AWS SQS:

aws sqs create-queue --queue-name my-dead-letter-queue

For AWS SNS:

aws sns create-topic --name my-dead-letter-topic

Step 3: Configure Lambda Permissions

Lambda writes to the DLQ using the function's execution role, so that role must be allowed to write to the target. Scope the Resource in the policy to the DLQ ARN rather than *, so the role cannot write to arbitrary queues or topics.

For AWS SQS: attach a policy to the function's execution role that allows the sqs:SendMessage action on the queue ARN.

For AWS SNS: attach a policy to the function's execution role that allows the sns:Publish action on the topic ARN.

If the queue or topic is encrypted with a customer managed KMS key, the execution role also needs permission to use that key. Without it Lambda cannot write to the DLQ, and the failed events are lost; Lambda reports such delivery failures in its DeadLetterErrors CloudWatch metric.

Step 4: Configure Lambda to Use the DLQ

After creating the DLQ and setting the necessary permissions, configure the Lambda function to send events that fail all retries to the DLQ. The same setting accepts either an SQS queue ARN or an SNS topic ARN.

Using AWS CLI:

aws lambda update-function-configuration --function-name my-function \
  --dead-letter-config TargetArn=arn:aws:sqs:region:account-id:my-dead-letter-queue
  # Replace with your function’s name and the ARN of the DLQ you created

Using AWS Management Console:

  • Open the function, go to the Configuration tab and choose 'Asynchronous invocation'.
  • Choose Edit, and under 'Dead-letter queue service' select Amazon SQS or Amazon SNS.
  • Select the queue or topic from the dropdown and save.
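Steps 1 to 4 as one worked example in Python (an added example, not Cloud Defense's or AWS's code): it derives the single execution-role statement a given DLQ ARN needs (Step 3) and audits function configurations against this rule, checking that a DLQ target is set, that it is an SQS queue or SNS topic in the function's own region, and that the role is allowed to write to it. The function configurations and role policies are constructed to resemble aws lambda get-function-configuration output; every name, ARN and account ID is made up.

```python
"""Audit Lambda functions for the dead-letter-queue rule and derive the
execution-role permission a given DLQ needs.

Added example, not Cloud Defense's or AWS's code. The sample configurations
and role policies below are constructed; all names, ARNs and account IDs are
made up.
"""
import re

# Lambda accepts only an SQS queue or an SNS topic as a DLQ target.
DLQ_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)*:(?P<service>sqs|sns):(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):(?P<name>[A-Za-z0-9_.-]+)$"
)
DLQ_ACTION = {"sqs": "sqs:SendMessage", "sns": "sns:Publish"}


def parse_dlq_arn(arn):
    """Return the ARN fields, or None if it is not a valid SQS/SNS target."""
    m = DLQ_ARN.match(arn or "")
    return m.groupdict() if m else None


def dlq_policy_document(dlq_arn):
    """Step 3: the single statement the execution role needs. Resource is the
    DLQ ARN, not '*', so the role cannot write to arbitrary queues or topics."""
    parsed = parse_dlq_arn(dlq_arn)
    if parsed is None:
        raise ValueError(f"not an SQS queue or SNS topic ARN: {dlq_arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "LambdaWriteDeadLetterQueue",
            "Effect": "Allow",
            "Action": DLQ_ACTION[parsed["service"]],
            "Resource": dlq_arn,
        }],
    }


def policy_allows(policy, action, resource):
    """True if an Allow statement in an IAM policy document covers action on
    resource. Handles string-or-list values and '*' / 'service:*' wildcards;
    it does not model Deny statements, NotAction or Condition blocks."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        action_ok = any(a == action or (a.endswith("*") and action.startswith(a[:-1]))
                        for a in actions)
        resource_ok = any(r == "*" or r == resource for r in resources)
        if action_ok and resource_ok:
            return True
    return False


def evaluate_function(config, role_policy=None):
    """Evaluate one get-function-configuration result against the rule.
    Returns (status, reason) with status PASS, WARN or FAIL."""
    target = (config.get("DeadLetterConfig") or {}).get("TargetArn")
    if not target:
        return "FAIL", "no DeadLetterConfig.TargetArn set"
    parsed = parse_dlq_arn(target)
    if parsed is None:
        return "FAIL", f"DLQ target is not an SQS queue or SNS topic: {target}"
    # Function ARN layout: arn:aws:lambda:<region>:<account>:function:<name>
    fn_region = config.get("FunctionArn", "").split(":")[3:4]
    if fn_region and fn_region[0] != parsed["region"]:
        return "WARN", f"DLQ is in {parsed['region']}, function is in {fn_region[0]}"
    action = DLQ_ACTION[parsed["service"]]
    if role_policy is not None and not policy_allows(role_policy, action, target):
        return "WARN", f"execution role is not allowed {action} on {target}"
    return "PASS", f"{parsed['service']} DLQ {parsed['name']}"


def audit(configs, role_policies):
    """Map each function name to its (status, reason). role_policies is keyed by
    execution-role ARN; a role you have not fetched skips the permission check."""
    return {c["FunctionName"]: evaluate_function(c, role_policies.get(c.get("Role")))
            for c in configs}


# Constructed sample data shaped like the CLI/API output; not real resources.
ACCOUNT = "123456789012"
SQS_DLQ = f"arn:aws:sqs:us-east-1:{ACCOUNT}:my-dead-letter-queue"
SNS_DLQ = f"arn:aws:sns:us-east-1:{ACCOUNT}:my-dead-letter-topic"
SAMPLE_FUNCTIONS = [
    {"FunctionName": "orders-api",
     "FunctionArn": f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:orders-api",
     "Role": f"arn:aws:iam::{ACCOUNT}:role/orders-api-role",
     "DeadLetterConfig": {"TargetArn": SQS_DLQ}},
    {"FunctionName": "img-resize",
     "FunctionArn": f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:img-resize",
     "Role": f"arn:aws:iam::{ACCOUNT}:role/img-resize-role",
     "DeadLetterConfig": {"TargetArn": SNS_DLQ}},
    {"FunctionName": "legacy-cron",  # no DeadLetterConfig at all
     "FunctionArn": f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:legacy-cron",
     "Role": f"arn:aws:iam::{ACCOUNT}:role/legacy-cron-role"},
]
SAMPLE_ROLE_POLICIES = {
    # orders-api-role carries exactly the statement Step 3 asks for
    f"arn:aws:iam::{ACCOUNT}:role/orders-api-role": dlq_policy_document(SQS_DLQ),
    # img-resize-role can write logs but was never granted sns:Publish
    f"arn:aws:iam::{ACCOUNT}:role/img-resize-role": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "logs:*", "Resource": "*"}]},
}

if __name__ == "__main__":
    for name, (status, reason) in audit(SAMPLE_FUNCTIONS, SAMPLE_ROLE_POLICIES).items():
        print(f"{status:4} {name}: {reason}")
```

Against a real account, feed audit() the Functions list from aws lambda list-functions (each entry carries FunctionArn, Role and DeadLetterConfig) and the role's policy documents from aws iam get-role-policy or get-policy-version. The permission check is deliberately simple: it recognises the shapes you will normally meet, and treats anything it cannot prove as a WARN for a human to review rather than silently passing it.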

Step 5: Test the DLQ Configuration

Invoke the function asynchronously (the CLI's --invocation-type Event) with a payload you know it rejects. A synchronous test invocation returns the error to you and never touches the DLQ. Lambda waits between retries, so allow a few minutes before checking; the event should then appear in the queue (or reach the topic's subscribers). If it does, the role permissions, the target ARN and the function's failure path are all working together.

Step 6: Monitor and Alarm

Create CloudWatch alarms so that failures are noticed when they happen rather than discovered later. For an SQS DLQ, alarm when the queue is no longer empty (ApproximateNumberOfMessagesVisible, below); for an SNS DLQ, alarm on the topic's NumberOfMessagesPublished metric in the AWS/SNS namespace. Alarm separately on the function's own DeadLetterErrors metric in the AWS/Lambda namespace, which counts events Lambda could not deliver to the DLQ (typically a permissions or encryption problem); without that alarm a misconfigured DLQ fails silently.

aws cloudwatch put-metric-alarm --alarm-name my-dlq-alarm \
  --metric-name ApproximateNumberOfMessagesVisible \
  --namespace AWS/SQS --statistic Maximum \
  --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
  --dimensions Name=QueueName,Value=my-dead-letter-queue \
  --evaluation-periods 1 --alarm-actions arn:aws:sns:region:account-id:my-alarm-topic
  # Modify this command with appropriate values for your resources

Troubleshooting Common Issues

If the DLQ is not receiving messages:

  • Confirm the failing invocations are asynchronous. Errors from synchronous invocations go back to the caller, and failures from SQS, Kinesis or DynamoDB event source mappings use the mapping's own on-failure settings; neither path reaches the function's DLQ.
  • Verify the execution role's permissions (sqs:SendMessage or sns:Publish on the DLQ ARN, plus access to the KMS key if the target is encrypted). A non-zero DeadLetterErrors metric means Lambda tried to write and was refused.
  • Ensure the DeadLetterConfig on the function points at the intended ARN; aws lambda get-function-configuration shows the current value.
  • Remember that only events that fail every retry are sent to the DLQ. An invocation that succeeds on a later retry never appears there, and the retries themselves take minutes.

If unexpected messages are reaching the DLQ:

  • Each message carries the original event as its body, plus RequestID, ErrorCode and ErrorMessage attributes that Lambda adds. Use the RequestID to find the invocation in the function's CloudWatch logs and read the stack trace.
  • Examine the function's error handling: exceptions that escape the handler count as failed invocations, while errors the code catches and swallows do not, so the DLQ reflects exactly what the code lets propagate.
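The triage the troubleshooting list describes, as an added example in Python (not Cloud Defense's or AWS's code). It flattens the messages returned by aws sqs receive-message into the fields a responder needs (the Lambda request ID to locate the log stream, the error, and the original event for replay), counts failures by cause, and builds the CloudWatch Logs filter pattern for one invocation. The receive-message output is constructed to the shape Lambda produces, with the RequestID, ErrorCode and ErrorMessage attributes it adds; the IDs, receipt handles and payloads are made up.

```python
"""Triage the messages in an SQS dead-letter queue fed by Lambda.

Added example, not Cloud Defense's or AWS's code. Lambda stores the original
event as the message body and adds RequestID, ErrorCode and ErrorMessage as
message attributes; the receive-message output below is constructed to that
shape (IDs, handles and payloads are made up).
"""
import json
from collections import Counter

# Constructed sample, shaped like `aws sqs receive-message --message-attribute-names All`.
# Without --message-attribute-names the attributes are omitted from the response.
SAMPLE_RECEIVE_OUTPUT = {
    "Messages": [
        {"MessageId": "9a1f0c2e-0000-4000-8000-000000000001", "ReceiptHandle": "AQEB-handle-1",
         "Body": json.dumps({"orderId": 41, "qty": -1}),
         "MessageAttributes": {
             "RequestID": {"DataType": "String", "StringValue": "3b9d0e8a-0001-4c2f-9a1b-000000000001"},
             "ErrorCode": {"DataType": "Number", "StringValue": "200"},
             "ErrorMessage": {"DataType": "String", "StringValue": "ValueError: qty must be positive"}}},
        {"MessageId": "9a1f0c2e-0000-4000-8000-000000000002", "ReceiptHandle": "AQEB-handle-2",
         "Body": json.dumps({"orderId": 42, "qty": 0}),
         "MessageAttributes": {
             "RequestID": {"DataType": "String", "StringValue": "3b9d0e8a-0002-4c2f-9a1b-000000000002"},
             "ErrorCode": {"DataType": "Number", "StringValue": "200"},
             "ErrorMessage": {"DataType": "String", "StringValue": "ValueError: qty must be positive"}}},
        {"MessageId": "9a1f0c2e-0000-4000-8000-000000000003", "ReceiptHandle": "AQEB-handle-3",
         "Body": json.dumps({"orderId": 43, "qty": 2}),
         "MessageAttributes": {
             "RequestID": {"DataType": "String", "StringValue": "3b9d0e8a-0003-4c2f-9a1b-000000000003"},
             "ErrorCode": {"DataType": "Number", "StringValue": "429"},
             "ErrorMessage": {"DataType": "String", "StringValue": "Rate Exceeded."}}},
    ]
}


def triage(receive_output):
    """Flatten each DLQ message into what an incident responder needs: the
    Lambda request ID (to find the log stream), the error, and the original
    event so it can be replayed once the cause is fixed."""
    rows = []
    for msg in receive_output.get("Messages", []):
        attrs = msg.get("MessageAttributes", {})

        def attr(key):
            return attrs.get(key, {}).get("StringValue")

        body = msg.get("Body", "")
        try:
            event = json.loads(body)
        except ValueError:
            event = body  # the body is the raw event; keep non-JSON payloads as-is
        rows.append({
            "request_id": attr("RequestID"),
            "error_code": attr("ErrorCode"),
            "error": attr("ErrorMessage"),
            "event": event,
            "receipt_handle": msg.get("ReceiptHandle"),  # needed to delete the message after replay
        })
    return rows


def summarize(rows):
    """Count failures by error message so the dominant cause stands out."""
    return Counter(r["error"] or "<no ErrorMessage attribute>" for r in rows)


def logs_filter_pattern(row):
    """CloudWatch Logs filter pattern matching every line of that invocation:
    Lambda's START/END/REPORT lines and the function's own log output all
    carry the request ID."""
    return f'"{row["request_id"]}"'


if __name__ == "__main__":
    rows = triage(SAMPLE_RECEIVE_OUTPUT)
    for error, count in summarize(rows).most_common():
        print(f"{count:3}  {error}")
    for row in rows:
        print(row["request_id"], row["error_code"], row["event"])
```

To run it against a real queue, pipe the JSON from aws sqs receive-message --queue-url ... --message-attribute-names All --max-number-of-messages 10 into triage(), and pass the pattern from logs_filter_pattern() to aws logs filter-log-events --log-group-name /aws/lambda/<function> --filter-pattern. Receiving does not remove messages; delete them with the receipt handle only after the event has been replayed or deliberately discarded.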

Conclusion

Following these steps gives a more resilient AWS Lambda setup and supplies the evidence and recovery path that the relevant NIST 800-53 Revision 5 controls call for. A DLQ is a baseline practice for asynchronous error handling: failed events are retained instead of lost, which is what makes post-failure diagnostics, replay and forensics possible.
