In VPC, EC2 works, lambda fails on call to iot:describe-endpoint


I have an EC2 instance and a lambda. They have the same:

  • region
  • VPC
  • subnets
  • security groups
  • inbound rules
  • outbound rules
  • iot permissions

On EC2:

$ aws iot describe-endpoint --endpoint-type iot:Data-ATS

returns my account's endpoint address.

I want to run the equivalent on a lambda:

import { IoTClient, DescribeEndpointCommand } from "@aws-sdk/client-iot"; // AWS SDK for JavaScript v3
// top-level await requires an ES module (.mjs) handler
const client = new IoTClient({});
const response = await client.send(
  new DescribeEndpointCommand({ endpointType: "iot:Data-ATS" })
);

client does not return (and the lambda times out).

If I move the lambda out of the VPC, client returns a response and it is correct.

I cannot see why describe-endpoint works on EC2 in a VPC, but not on lambda in the same VPC (with the same apparent subnet, security group, and permissions).

asked 9 days ago, 101 views
2 Answers
Accepted Answer


Is there a route to the NAT Gateway in the route table for the subnet that Lambda is using?
Even if Lambda is tied to a public subnet, the ENI is not set to a public IP address, so API execution, etc. will fail.
So you need to set up a NAT Gateway, VPC endpoints, etc. to avoid this.

answered 9 days ago
  • the ENI is not set to a public IP address

    I had forgotten about that. Thank you very much.


Lambda functions that you attach to a VPC do not have internet access like Lambda functions which you do not attach. If your function is attached to a VPC, it must be attached to private subnets and you also need an IoT core VPC endpoint or a NAT Gateway and a route in the private subnets to the NAT Gateway.

You should only attach the function to the VPC if you actually need to access resources within the VPC.

AWS
answered 9 days ago
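Both answers come down to the same check: does the route table of each subnet the Lambda is attached to send 0.0.0.0/0 to a NAT gateway, rather than to an internet gateway (which only helps instances with a public IP) or nowhere at all. The following is an added diagnostic, not code from the question or the answers; it classifies subnets from JSON shaped like the output of `aws ec2 describe-route-tables` and uses a constructed sample in place of real API output (VPC endpoints are not covered).

```javascript
// Added diagnostic (not from the original post): given route tables in the
// shape returned by `aws ec2 describe-route-tables`, classify how a subnet
// attached to a Lambda can reach the public AWS IoT API. A route to an
// internet gateway (igw-*) is NOT enough for Lambda, because its ENI never
// gets a public IP; only a NAT gateway route lets the call leave the VPC.

function routeTableForSubnet(routeTables, subnetId) {
  // An explicit association wins; otherwise the VPC's main route table applies.
  const explicit = routeTables.find(rt =>
    rt.Associations.some(a => a.SubnetId === subnetId));
  return explicit || routeTables.find(rt => rt.Associations.some(a => a.Main));
}

function classifySubnetEgress(routeTables, subnetId) {
  const rt = routeTableForSubnet(routeTables, subnetId);
  if (!rt) return "no-route-table";
  const def = rt.Routes.find(r =>
    r.DestinationCidrBlock === "0.0.0.0/0" && r.State === "active");
  if (!def) return "no-default-route";   // request never leaves the VPC: Lambda times out
  if (def.NatGatewayId) return "nat";     // works for a Lambda ENI (private IP only)
  if (def.GatewayId && def.GatewayId.startsWith("igw-")) return "igw-only"; // EC2 with public IP only
  return "other";                         // e.g. transit gateway; inspect manually
}

function lambdaEgressReport(routeTables, subnetIds) {
  // One entry per subnet. Lambda may place its ENI in any of its subnets,
  // so the IoT call is only reliable if every subnet reports "nat".
  return Object.fromEntries(subnetIds.map(s => [s, classifySubnetEgress(routeTables, s)]));
}

// Constructed sample (placeholder IDs): rtb-main is the VPC main table
// (0.0.0.0/0 via IGW), rtb-priv routes via NAT, rtb-isolated has no default route.
const sampleRouteTables = [
  { RouteTableId: "rtb-main", Associations: [{ Main: true }],
    Routes: [{ DestinationCidrBlock: "10.0.0.0/16", GatewayId: "local", State: "active" },
             { DestinationCidrBlock: "0.0.0.0/0", GatewayId: "igw-0example", State: "active" }] },
  { RouteTableId: "rtb-priv", Associations: [{ SubnetId: "subnet-private1" }],
    Routes: [{ DestinationCidrBlock: "10.0.0.0/16", GatewayId: "local", State: "active" },
             { DestinationCidrBlock: "0.0.0.0/0", NatGatewayId: "nat-0example", State: "active" }] },
  { RouteTableId: "rtb-isolated", Associations: [{ SubnetId: "subnet-isolated" }],
    Routes: [{ DestinationCidrBlock: "10.0.0.0/16", GatewayId: "local", State: "active" }] },
];

console.log(lambdaEgressReport(sampleRouteTables,
  ["subnet-public1", "subnet-private1", "subnet-isolated"]));
```

subnet-public1 has no explicit association, so it falls back to the main table and is reported as "igw-only", which is exactly the case where EC2 with a public IP works but the Lambda in the same subnet hangs.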
