Rule: Lambda Functions Configured with Dead-Letter Queue
Ensure Lambda functions are configured with a dead-letter queue for System and Information integrity (SI).
| Rule | Lambda functions should be configured with a dead-letter queue |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Medium |
Rule Description
According to the NIST 800-53 Revision 5 guidelines, Lambda functions should be configured with a dead-letter queue. This ensures that any failed invocations of the Lambda function will be recorded and stored in a separate queue for analysis and troubleshooting purposes.
Policy Implementation
To implement this policy for Lambda functions, you need to configure a dead-letter queue. This can be achieved by following the steps below:
Step 1: Create a Dead-Letter Queue
- 1.
Open the Amazon Simple Queue Service (SQS) console.
- 2.
Click on "Create queue".
- 3.
Select "Standard Queue" as the queue type.
- 4.
Enter a unique name for the queue, such as "lambda-dead-letter-queue".
- 5.
Configure any necessary settings for the queue, such as message retention period and access permissions.
- 6.
Click on "Create queue" to create the dead-letter queue.
Step 2: Configure Lambda Function
- 1.
Open the AWS Lambda console.
- 2.
Select the Lambda function you want to configure with a dead-letter queue.
- 3.
Click on "Configuration" tab in the function's detail page.
- 4.
Scroll down to the "Dead-letter queue" section.
- 5.
Click on "Edit" to configure the dead-letter queue.
- 6.
Select the previously created dead-letter queue from the dropdown menu.
- 7.
Adjust any other settings related to the dead-letter queue, such as maximum receives and visibility timeout.
- 8.
Click on "Save" to apply the changes to the Lambda function.
Troubleshooting Steps
If you encounter any issues while implementing or configuring the dead-letter queue for Lambda functions, you can follow the troubleshooting steps mentioned below:
- 1.
Ensure that the IAM role associated with the Lambda function has the necessary permissions to access the dead-letter queue. Check that the role has the required SQS permissions.
- 2.
Double-check that the dead-letter queue exists and is properly configured. Verify the queue name and settings.
- 3.
Review the CloudWatch logs for the Lambda function to identify any error or failure messages related to the dead-letter queue configuration. This can help in pinpointing the specific issue.
- 4.
If the Lambda function is not sending messages to the dead-letter queue, check the function's code and verify that the error handling logic is correctly implemented.
- 5.
If the dead-letter queue receives messages but they are not processed or consumed, investigate the function's code and verify that the message retrieval and processing logic is working as expected.
- 6.
If troubleshooting steps do not resolve the issue, consider reaching out to AWS Support for further assistance.
Code Example
If you prefer to use AWS CloudFormation to configure the dead-letter queue for Lambda functions, you can use the following example code in your CloudFormation template:
Resources:
MyLambdaFunction:
Type: AWS::Lambda::Function
Properties:
FunctionName: MyLambdaFunction
Runtime: python3.8
Handler: lambda_function.lambda_handler
Role: !GetAtt MyLambdaRole.Arn
...
DeadLetterConfig:
TargetArn: !GetAtt MyDeadLetterQueue.Arn
MyDeadLetterQueue:
Type: "AWS::SQS::Queue"
Properties:
QueueName: MyDeadLetterQueue
...
This code snippet creates both the Lambda function and the dead-letter queue, and then associates the dead-letter queue with the Lambda function.
Note: Make sure to replace
MyLambdaFunctionMyDeadLetterQueueBy following the above rule and troubleshooting steps, you will be able to configure Lambda functions with a dead-letter queue, as required by the NIST 800-53 Revision 5 guidelines.