KMS decrypt error inside Lambda in VPC network timeout


I have a lambda which needs to be exposed to the internet and also needs outgoing internet network access. This lambda needs to decrypt some environment variables on startup (KMS). This encryption fails sometimes. This lambda is running in a VPC with 2 private subnets and 1 public. The private subnets have a routing table to NAT-gateway. The lambda has required KMS permissions. Also I configured a VPC endpoint for KMS. However I frequently get network timeout errors to KMS:

INFO Decrypt error: Error: read ECONNRESET
    at TLSWrap.onStreamRead (node:internal/stream_base_commons:217:20) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read',
  name: 'TimeoutError',
  '$metadata': { attempts: 7, totalRetryDelay: 5866 }
}

Any suggestions are more than welcome. Thanks in advance.

Asked 1 year ago, 755 views
1 answer

Is the subnet where Lambda is located a private subnet?
Or is it a public subnet?
Do you have KMS VPC endpoints set up on public subnets as well?
Lambdas in the VPC do not have a global IP address even if they are located on a public subnet, so you need to set up a VPC endpoint.
Alternatively, you can also communicate by manually setting a public IP address in the Lambda's ENI.
Otherwise, make sure that the required security groups are set up for the KMS VPC endpoints.

Answered 1 year ago
Reviewed 5 days ago
  • The lambda is on both a private and public subnet. I don't have KMS VPC endpoints setup on the public subnets only on private subnets. I will try that and see whether this solves the problem. Thanks!

  • In my case, both Lambda and KMS VPC endpoint are in a private subnet without internet access. Lambda's security group allows any outgoing traffic. Incoming traffic from the whole VPC is allowed. The function connects to Amazon MQ successfully (located in a public network, not accessible from the Internet). But the decrypt API function call still hangs and the function fails by timeout. What am I doing wrong?
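The three things the answer and comments above ask about (which subnets the endpoint covers, whether private DNS is on, and whether the endpoint's security group admits HTTPS from the Lambda) can be checked from the API responses. The script below is an added example, not code from this thread or from AWS; the dicts are constructed to mirror the shapes boto3 returns from get_function_configuration()["VpcConfig"], describe_vpc_endpoints() and describe_security_groups(), and all IDs in them are made up.

```python
# Added example (not from the re:Post thread): audit a VPC Lambda's network
# configuration against a KMS interface endpoint. All IDs below are constructed
# to resemble the thread: endpoint only in the private subnets, private DNS off,
# endpoint SG admitting HTTPS only from an unrelated security group.

LAMBDA_VPC = {"SubnetIds": ["subnet-priv-a", "subnet-priv-b", "subnet-pub-a"],
              "SecurityGroupIds": ["sg-lambda"]}

KMS_ENDPOINT = {  # constructed; shape of one describe_vpc_endpoints() entry
    "ServiceName": "com.amazonaws.eu-west-1.kms", "VpcEndpointType": "Interface",
    "SubnetIds": ["subnet-priv-a", "subnet-priv-b"], "PrivateDnsEnabled": False,
    "Groups": [{"GroupId": "sg-kms-endpoint"}]}

SECURITY_GROUPS = {  # constructed; keyed by GroupId, describe_security_groups() shape
    "sg-kms-endpoint": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-other"}]}]}}


def _admits_https(rule, lambda_sgs):
    """True if one inbound SG rule lets TCP/443 in from the Lambda's SGs (or a CIDR)."""
    if rule["IpProtocol"] not in ("-1", "tcp"):  # "-1" means all protocols/ports
        return False
    if rule["IpProtocol"] == "tcp" and not rule["FromPort"] <= 443 <= rule["ToPort"]:
        return False
    by_sg = {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])} & set(lambda_sgs)
    # A CIDR rule is accepted as-is; the Lambda ENI addresses are not known here.
    return bool(by_sg) or bool(rule.get("IpRanges"))


def check_kms_endpoint(lambda_vpc, endpoint, security_groups):
    """Return a list of findings; an empty list means nothing here blocks the call."""
    findings = []
    if not endpoint.get("PrivateDnsEnabled"):
        findings.append("private DNS disabled: kms.<region>.amazonaws.com resolves to "
                        "public IPs, which a Lambda ENI reaches only via a NAT gateway")
    uncovered = sorted(set(lambda_vpc["SubnetIds"]) - set(endpoint["SubnetIds"]))
    if uncovered:  # still reachable VPC-wide, but relies on an ENI in another AZ
        findings.append(f"no endpoint ENI in Lambda subnets {uncovered}: traffic from "
                        "them depends on an endpoint ENI in another subnet/AZ")
    for gid in (g["GroupId"] for g in endpoint["Groups"]):
        rules = security_groups[gid]["IpPermissions"]
        if not any(_admits_https(r, lambda_vpc["SecurityGroupIds"]) for r in rules):
            findings.append(f"endpoint SG {gid} has no inbound TCP 443 rule from "
                            f"{lambda_vpc['SecurityGroupIds']} or a CIDR")
    return findings


if __name__ == "__main__":
    for line in check_kms_endpoint(LAMBDA_VPC, KMS_ENDPOINT, SECURITY_GROUPS):
        print("FINDING:", line)
```

In a live account, replace the three dicts with the corresponding boto3 responses; the second commenter's setup (endpoint and Lambda both in private subnets, no internet) is exactly the case where a disabled private DNS or a missing 443 rule produces a hang rather than a clean error.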
