AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Lambda Should Have Access To VPC-only Resources
More Info:
Your Amazon Lambda functions should have access to VPC-only resources such as AWS Redshift data warehouses, AWS ElastiCache clusters, AWS RDS database instances, and service endpoints that are only accessible from within a particular Virtual Private Cloud (VPC).
Risk Level
Medium
Address
Security
Compliance Standards
HIPAA, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration “Lambda Should Have Access To VPC-only Resources” for AWS using AWS console, you can follow the below steps:
- Go to the AWS Lambda console.
- Select the Lambda function that needs to access VPC-only resources.
- Click on the “Configuration” tab.
- Scroll down to the “Network” section.
- Click on “Edit”.
- Select the VPC that has the required resources.
- Select the subnets that the Lambda function needs to access.
- If required, select the security groups that the Lambda function needs to access.
- Click on “Save” to apply the changes.
By following the above steps, the Lambda function will have access to VPC-only resources.
To remediate the misconfiguration “Lambda Should Have Access To VPC-only Resources” in AWS using AWS CLI, you can follow the below steps:
-
Open the AWS CLI on your local machine or EC2 instance.
-
Run the following command to create a new VPC configuration file:
aws ec2 create-vpc --cidr-block <CIDR_BLOCK>
Here, replace <CIDR_BLOCK> with the CIDR block range you want to use for your VPC.
- Run the following command to create a new subnet within the VPC:
aws ec2 create-subnet --vpc-id <VPC_ID> --cidr-block <SUBNET_CIDR_BLOCK>
Here, replace <VPC_ID> with the ID of the VPC you created in step 2 and <SUBNET_CIDR_BLOCK> with the CIDR block range you want to use for your subnet.
- Run the following command to create a new security group for the Lambda function:
aws ec2 create-security-group --group-name <SECURITY_GROUP_NAME> --description "<SECURITY_GROUP_DESCRIPTION>" --vpc-id <VPC_ID>
Here, replace <SECURITY_GROUP_NAME> with the name you want to give your security group, <SECURITY_GROUP_DESCRIPTION> with a brief description of the security group, and <VPC_ID> with the ID of the VPC you created in step 2.
- Run the following command to modify the security group to allow inbound traffic from the VPC:
aws ec2 authorize-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol all --cidr <SUBNET_CIDR_BLOCK>
Here, replace <SECURITY_GROUP_ID> with the ID of the security group you created in step 4 and <SUBNET_CIDR_BLOCK> with the CIDR block range of the subnet you created in step 3.
- Run the following command to create a new execution role for the Lambda function:
aws iam create-role --role-name <ROLE_NAME> --assume-role-policy-document file://trust-policy.json
Here, replace <ROLE_NAME> with the name you want to give your execution role and trust-policy.json with the file path to your trust policy document.
- Run the following command to attach the necessary policies to the execution role:
aws iam attach-role-policy --role-name <ROLE_NAME> --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
Here, replace <ROLE_NAME> with the name of the execution role you created in step 6.
- Run the following command to update the Lambda function to use the VPC and security group:
aws lambda update-function-configuration --function-name <FUNCTION_NAME> --vpc-config SubnetIds=<SUBNET_ID>,SecurityGroupIds=<SECURITY_GROUP_ID> --role <ROLE_ARN>
Here, replace <FUNCTION_NAME> with the name of the Lambda function you want to update, <SUBNET_ID> with the ID of the subnet you created in step 3, <SECURITY_GROUP_ID> with the ID of the security group you created in step 4, and <ROLE_ARN> with the ARN of the execution role you created in step 6.
- Run the following command to test the Lambda function to ensure it has access to VPC-only resources:
aws lambda invoke --function-name <FUNCTION_NAME> --payload '{}' output.json
Here, replace <FUNCTION_NAME> with the name of the Lambda function you updated in step 8.
These steps should remediate the misconfiguration “Lambda Should Have Access To VPC-only Resources” in AWS using AWS CLI.
To remediate the Lambda function not having access to VPC-only resources in AWS, you can follow the below steps:
- Open the AWS Management Console and navigate to the Lambda service page.
- Locate the Lambda function that needs to access VPC-only resources and click on it.
- Click on the “Configuration” tab and scroll down to the “VPC” section.
- Click on the “Edit” button to edit the VPC configuration.
- Select the VPC that the Lambda function needs to access and select at least one subnet in each Availability Zone.
- Select the security groups that allow access to the resources needed by the Lambda function.
- Click on the “Save” button to save the updated VPC configuration.
Now, the Lambda function will have access to VPC-only resources.
Here is a sample Python code to create a Lambda function with access to VPC-only resources:
import boto3
def lambda_handler(event, context):
# Create an EC2 client
ec2 = boto3.client('ec2')
# Describe instances in the VPC
response = ec2.describe_instances()
# Print the instances
for reservation in response["Reservations"]:
for instance in reservation["Instances"]:
print(instance["InstanceId"])
Make sure to attach the appropriate VPC and security group to the Lambda function while creating it.