How critical is it that a Lambda function be deployed in a VPC?


I'm deploying a Lambda function using an AWS CloudFormation template, and cfn_nag requires it to be deployed in a VPC ("Lambda functions should be deployed inside a VPC"). If this is critical, how would I go about ensuring that the VPC will allow the Lambda function to reach the internet?

3 Answers

There are 3 reasons to attach a function to a VPC:

  1. You need to access private resources from the Lambda functions.
  2. You need outgoing traffic from the Lambda function to show as coming from a specific IP (in order to add it to an allow list). You do it by attaching the function to the VPC and configuring a NAT Gateway with an Elastic IP address.
  3. You need to have some control over the outgoing traffic from the function. You do it by deploying some outbound proxy that can inspect the traffic and routing the function to that proxy.

Besides those reasons, there is no enhanced security for your function, and there is no reason to attach it to the VPC.

Uri, AWS Expert, answered 10 months ago; reviewed a month ago.
Accepted Answer

Looking at the enterprise level, it is important to create your resources, like Lambda functions, within a VPC (not necessarily because it helps with endpoints, but also from an enterprise security point of view). Also, following AWS best practices, the name of the Lambda function should be limited to a certain prefix, along with assumed-role permissions to pass the Lambda execution role. In terms of network settings, making it mandatory to select a VPC with at least 2 subnets and a security group should be enforced while giving different teams the permissions to create Lambda functions.

From a security point of view (depending on what level you want to work at), it is not recommended to have the public internet connected to your resources directly; instead, have an architecture designed within your private VPC in your enterprise.

If working with workload accounts in a multi-account strategy, an SCP can be enforced at the management account level for all member accounts, so the same practice is followed at the organization level.

answered 10 months ago; reviewed a month ago by an Expert.
  • Attaching a function to a VPC does not help with its security posture. Even when you attach the function to a VPC, the invocation is still done via Lambda's public API. You need to have the appropriate permissions to invoke the function.

  • Yes, sure, I agree with the statement, as a VPC alone is not a complete solution for security, but it also depends upon how AWS is accessed in an organization within its own VPN, as well as how IAM permissions are granted for different stages of work like dev to prod, with recommended automation pipelines in production to invoke the Lambda function or event triggers as well, but I agree with your point above.


I believe Lambda only needs to be connected to your VPC if you wish for it to consume resources (VPC endpoints etc.) or access databases such as a private RDS.

Connecting Lambda to your VPC gives you extra control and monitoring of network traffic.

If Lambda is connected to your VPC, ensure it's connected to a subnet which has a route to a NAT gateway.

The NAT gateway then routes to an internet gateway.

Expert, answered 10 months ago; reviewed 10 months ago.
