More Info:

Your Amazon Lambda functions should have access to VPC-only resources such as AWS Redshift data warehouses, AWS ElastiCache clusters, AWS RDS database instances, and service endpoints that are only accessible from within a particular Virtual Private Cloud (VPC).

Risk Level

Medium

Address

Security

Compliance Standards

HIPAA, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Lambda Should Have Access To VPC-only Resources” for AWS using AWS console, you can follow the below steps:
  1. Go to the AWS Lambda console.
  2. Select the Lambda function that needs to access VPC-only resources.
  3. Click on the “Configuration” tab.
  4. Scroll down to the “Network” section.
  5. Click on “Edit”.
  6. Select the VPC that has the required resources.
  7. Select the subnets that the Lambda function needs to access.
  8. If required, select the security groups that the Lambda function needs to access.
  9. Click on “Save” to apply the changes.
By following the above steps, the Lambda function will have access to VPC-only resources.

To remediate the misconfiguration “Lambda Should Have Access To VPC-only Resources” in AWS using AWS CLI, you can follow the below steps:
  1. Open the AWS CLI on your local machine or EC2 instance.
  2. Run the following command to create a new VPC configuration file: 
aws ec2 create-vpc --cidr-block <CIDR_BLOCK>
Here, replace <CIDR_BLOCK> with the CIDR block range you want to use for your VPC.
  1. Run the following command to create a new subnet within the VPC:
aws ec2 create-subnet --vpc-id <VPC_ID> --cidr-block <SUBNET_CIDR_BLOCK>
Here, replace <VPC_ID> with the ID of the VPC you created in step 2 and <SUBNET_CIDR_BLOCK> with the CIDR block range you want to use for your subnet.
  1. Run the following command to create a new security group for the Lambda function:
aws ec2 create-security-group --group-name <SECURITY_GROUP_NAME> --description "<SECURITY_GROUP_DESCRIPTION>" --vpc-id <VPC_ID>
Here, replace <SECURITY_GROUP_NAME> with the name you want to give your security group, <SECURITY_GROUP_DESCRIPTION> with a brief description of the security group, and <VPC_ID> with the ID of the VPC you created in step 2.
  1. Run the following command to modify the security group to allow inbound traffic from the VPC:
aws ec2 authorize-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol all --cidr <SUBNET_CIDR_BLOCK>
Here, replace <SECURITY_GROUP_ID> with the ID of the security group you created in step 4 and <SUBNET_CIDR_BLOCK> with the CIDR block range of the subnet you created in step 3.
  1. Run the following command to create a new execution role for the Lambda function:
aws iam create-role --role-name <ROLE_NAME> --assume-role-policy-document file://trust-policy.json
Here, replace <ROLE_NAME> with the name you want to give your execution role and trust-policy.json with the file path to your trust policy document.
  1. Run the following command to attach the necessary policies to the execution role:
aws iam attach-role-policy --role-name <ROLE_NAME> --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
Here, replace <ROLE_NAME> with the name of the execution role you created in step 6.
  1. Run the following command to update the Lambda function to use the VPC and security group:
aws lambda update-function-configuration --function-name <FUNCTION_NAME> --vpc-config SubnetIds=<SUBNET_ID>,SecurityGroupIds=<SECURITY_GROUP_ID> --role <ROLE_ARN>
Here, replace <FUNCTION_NAME> with the name of the Lambda function you want to update, <SUBNET_ID> with the ID of the subnet you created in step 3, <SECURITY_GROUP_ID> with the ID of the security group you created in step 4, and <ROLE_ARN> with the ARN of the execution role you created in step 6.
  1. Run the following command to test the Lambda function to ensure it has access to VPC-only resources:
aws lambda invoke --function-name <FUNCTION_NAME> --payload '{}' output.json
Here, replace <FUNCTION_NAME> with the name of the Lambda function you updated in step 8.These steps should remediate the misconfiguration “Lambda Should Have Access To VPC-only Resources” in AWS using AWS CLI.
To remediate the Lambda function not having access to VPC-only resources in AWS, you can follow the below steps:
  1. Open the AWS Management Console and navigate to the Lambda service page.
  2. Locate the Lambda function that needs to access VPC-only resources and click on it.
  3. Click on the “Configuration” tab and scroll down to the “VPC” section.
  4. Click on the “Edit” button to edit the VPC configuration.
  5. Select the VPC that the Lambda function needs to access and select at least one subnet in each Availability Zone.
  6. Select the security groups that allow access to the resources needed by the Lambda function.
  7. Click on the “Save” button to save the updated VPC configuration.
Now, the Lambda function will have access to VPC-only resources.Here is a sample Python code to create a Lambda function with access to VPC-only resources:
import boto3

def lambda_handler(event, context):
    # Create an EC2 client
    ec2 = boto3.client('ec2')
    
    # Describe instances in the VPC
    response = ec2.describe_instances()
    
    # Print the instances
    for reservation in response["Reservations"]:
        for instance in reservation["Instances"]:
            print(instance["InstanceId"])
Make sure to attach the appropriate VPC and security group to the Lambda function while creating it.

Additional Reading: