Rule: Lambda Functions Should Be in a VPC
This rule states that all Lambda functions must be configured within a Virtual Private Cloud for security purposes.
| Rule | Lambda functions should be in a VPC |
| Framework | FedRAMP Low Revision 4 |
| Severity | ✔ Low |
Rule Description:
Lambda functions should be configured to run within a VPC (Virtual Private Cloud) environment to comply with the security requirements of FedRAMP Low Revision 4. Running Lambda functions within a VPC enhances the security of the function by providing network isolation and control over inbound and outbound traffic.
Troubleshooting Steps:
If Lambda functions are not configured to run within a VPC, follow the troubleshooting steps below to ensure compliance with the FedRAMP Low Revision 4 policy:
- 1.
Check Lambda Function Configuration: Verify the configuration of the Lambda function to confirm if it is currently running within a VPC or not.
- 2.
Review Security Group Settings: Ensure that the associated security group(s) allow inbound and outbound traffic as required for the Lambda function's execution. Make sure the security groups are correctly configured and associated with the Lambda function.
- 3.
Verify Subnet Configuration: Check if the Lambda function is associated with the correct subnet(s) within the VPC. Ensure that the subnets have the appropriate routing and network access control list (NACL) settings.
- 4.
Verify Internet Connectivity: If the Lambda function requires internet connectivity for any external service or resource access, ensure that the VPC has a NAT gateway or instance configured to provide outbound internet access.
- 5.
Review VPC Endpoints: If the Lambda function needs to access AWS services within the same region, consider using VPC endpoints to avoid sending traffic over the public internet. This can enhance security and reduce potential attack vectors.
- 6.
Check IAM Roles and Policies: Verify that the IAM roles associated with the Lambda function have the necessary permissions to access resources within the VPC, such as RDS databases or other EC2 instances.
Necessary Codes:
No specific codes are needed for this rule. The configuration changes will be done using the AWS Management Console or AWS Command Line Interface (CLI).
Step-by-Step Guide for Remediation:
Follow the steps below to configure your Lambda function to run within a VPC:
- 1.
Identify VPC Requirements: Determine the specific VPC configuration required for your Lambda function, such as the desired subnets, security groups, and internet connectivity.
- 2.
Create or Select a VPC: If you don't have an existing VPC, create a new VPC using the AWS Management Console or CLI. Alternatively, choose an existing VPC that meets the requirements for your Lambda function.
- 3.
Configure Subnets: Ensure that the VPC has the necessary subnets with appropriate routing and NACL settings. Select the subnets required for your Lambda function.
- 4.
Configure Security Groups: Create or update the security groups associated with your Lambda function to allow inbound and outbound traffic as needed. Ensure that the security groups are correctly associated with the Lambda function.
- 5.
Update Lambda Function Configuration: In the AWS Management Console, navigate to the Lambda service and select the desired function. In the "Configuration" tab, scroll down to the "Network" section and choose the VPC and subnets you want to associate with the function.
- 6.
Test and Validate: Once the Lambda function is configured to run within the VPC, test its functionality to ensure that it operates as expected. Monitor any network connectivity or resource access issues and address them accordingly.
By following these steps, you can ensure that your Lambda functions are running within a VPC, aligning with the FedRAMP Low Revision 4 policy and improving the overall security of your infrastructure.