Rule: Lambda functions should be in a VPC
This rule specifies that Lambda functions must be placed within a VPC for enhanced security measures.
| Rule | Lambda functions should be in a VPC |
| Framework | PCI v3.2.1 |
| Severity | ✔ Low |
Rule Description:
The rule states that all Lambda functions must be configured within a Virtual Private Cloud (VPC) in order to comply with the Payment Card Industry Data Security Standard (PCI DSS) version 3.
Remediation Steps:
- 1.
Identify Lambda Functions:
- Review your Lambda functions to identify which ones are not currently configured within a VPC.
- 2.
Create a VPC:
- If you don't have a VPC already, create a new VPC. Ensure that the VPC has at least one subnet and an associated Internet Gateway.
- 3.
Create Subnets:
- In the VPC, create one or more subnets that meet your specific requirements. It is generally recommended to have subnets in multiple Availability Zones for fault tolerance.
- 4.
Configure Security Groups:
- Define appropriate security groups to control the inbound and outbound traffic for your Lambda functions. Ensure that the necessary ports are open for your specific application needs, while maintaining the principle of least privilege.
- 5.
Configure NAT Gateway (Optional):
- If your Lambda functions require internet access, consider setting up a Network Address Translation (NAT) Gateway in a public subnet to enable outbound internet traffic.
- 6.
Update Lambda Function Settings:
- For each identified Lambda function, follow these steps:
- Go to the AWS Management Console or use the AWS CLI to navigate to the Lambda service.
- Select the Lambda function that needs to be configured within a VPC.
- Open the function's configuration settings.
- Scroll down to the "Network" section.
- Enable "VPC" and select the VPC and subnets you created earlier.
- Configure the security groups to allow desired inbound and outbound traffic.
- Save the configuration.
- 7.
Test and Monitor:
- After updating the Lambda function settings, thoroughly test the function's behavior to ensure it is still functioning as expected.
- Monitor the function's performance and logs to identify and rectify any issues that may arise due to the VPC configuration.
Troubleshooting Steps:
If you encounter any issues during the process or face unexpected behavior, consider the following troubleshooting steps:
- 1.
Ensure VPC and Subnet Setup:
- Double-check that the VPC and associated subnets are configured correctly and have proper routing and internet connectivity if required.
- 2.
Verify Security Group Rules:
- Review the security group settings for the Lambda function and ensure that the necessary ports are open, and inbound/outbound rules are correctly defined.
- 3.
Check IAM Permissions:
- Make sure the associated IAM roles and policies have the necessary permissions to access VPC resources and Lambda functions within a VPC.
- 4.
Diagnose Connectivity Issues:
- Review CloudWatch logs and other monitoring metrics to identify any connectivity issues, errors, or timeouts.
- Check for any limitations on VPC endpoints, NAT gateways, or internet connectivity within your VPC.
Additional Notes:
- Configuring Lambda functions within a VPC provides isolation, enhanced security, and more control over network configurations.
- Take into consideration the impact on function performance and availability when making changes to network settings.
- Regularly review and update VPC configurations, security group rules, and subnet configurations to adhere to best practices and any changes in compliance requirements.