Rule: Lambda functions should be in a VPC

A guideline stating that Lambda functions must be within a VPC

Rule: Lambda functions should be in a VPC
Framework: FedRAMP Moderate Revision 4
Severity: Low

Rule Description

Lambda functions should be configured to run inside a Virtual Private Cloud (VPC) to satisfy this FedRAMP Moderate Revision 4 check. A function that is not attached to a VPC runs in the Lambda service's own network: its outbound traffic reaches the internet directly and cannot be governed by your security groups, route tables or network ACLs. Attaching the function to a VPC places its network interfaces in subnets you control, so its traffic can be limited to private resources (databases, caches, internal APIs) and its egress shaped by your own security groups and routes. Attachment alone is not the control, though: a permissive security group plus a route to a NAT gateway gives the function the same internet reach it had before, so the value of this rule comes from the subnet, route and security group choices made in the remediation below.

Remediation

To comply with the rule, you need to configure your Lambda function to run within a VPC. Follow the step-by-step guide below for the necessary remediation:

Step 1: Determine VPC Configuration

  1. Identify the VPC that hosts the resources the function needs to reach, or create one if none exists. Choose private subnets (no route to an internet gateway) in at least two Availability Zones, and confirm each has free IP addresses, because Lambda allocates addresses from your subnets for the network interfaces it creates.

Step 2: Configure Lambda Function

  1. Open the AWS Management Console and navigate to the Lambda service.
  2. Select the Lambda function that needs to be attached to a VPC.
  3. Click the "Configuration" tab.
  4. Scroll to the "VPC" section and click "Edit".
  5. Select the desired VPC from the dropdown list.
  6. Choose the subnets identified in Step 1.
  7. Select one or more security groups. Only their outbound rules take effect, since nothing initiates connections to a function's network interfaces, so restrict the outbound rules to the ports and destinations the function actually uses.
  8. Click "Save". The function's execution role must be allowed to call ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces and ec2:DeleteNetworkInterface (the AWS managed policy AWSLambdaVPCAccessExecutionRole grants these); otherwise the save fails.

Step 3: Configure VPC Networking

  1. Open the Amazon VPC service in the AWS Management Console.
  2. Navigate to the "Subnets" section and open the route table of each subnet chosen in Step 2.
  3. Make sure the routes match what the function needs. A function attached to a VPC never receives a public IP address, so placing it in a public subnet with an internet gateway does not give it internet access. If it must reach the internet, route the private subnets through a NAT gateway; if it only needs AWS services (S3, DynamoDB, Secrets Manager and so on), prefer VPC endpoints so that traffic never leaves the VPC.
  4. Consider configuring Network Access Control Lists (NACLs) on the subnets as a second, subnet-wide layer of traffic restriction, if necessary.
  5. Review the security groups associated with the function and trim their outbound rules to the destinations and ports the function actually requires.

Troubleshooting Steps

If you encounter issues while configuring your Lambda function to run within a VPC, consider the following:

  1. Issue: Unable to select the desired VPC from the dropdown list.

     • Possible Solution: VPCs are regional. Confirm that the function and the VPC are in the same region; if they are not, create the VPC (or the function) in the region where the other one lives.

  2. Issue: Saving the VPC configuration fails with a permissions error about creating network interfaces.

     • Possible Solution: Attach the AWSLambdaVPCAccessExecutionRole managed policy (or equivalent ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces and ec2:DeleteNetworkInterface permissions) to the function's execution role and save again.

  3. Issue: Network connectivity failures or timeouts after attaching the function to a VPC.

     • Possible Solution: Check the route tables of the selected subnets: internet destinations need a route to a NAT gateway, and AWS service calls need either that route or a VPC endpoint. Verify that the function's security group allows the required outbound traffic, that the target resource's security group allows inbound traffic from the function's security group, and that subnet NACLs permit both directions (NACLs are stateless, so the return traffic needs its own rule).

  4. Issue: Unexpected latency after attaching the function to a VPC.

     • Possible Solution: Calls that hang until a timeout usually mean the destination is unreachable (missing NAT route or VPC endpoint) rather than slow; fix the route first and lower the SDK connection timeout so failures surface quickly. Also confirm the subnets have enough free IP addresses for Lambda's network interfaces, and reuse connections to VPC resources across invocations (for example, a database client created outside the handler) instead of re-establishing them on every call.

Code Samples

The same change can be made programmatically with the AWS Command Line Interface (CLI), with AWS CloudFormation (the VpcConfig property of an AWS::Lambda::Function resource), or with any infrastructure-as-code tool that manages the function.

Example AWS CLI command to update Lambda function configuration:

aws lambda update-function-configuration \
    --function-name <lambda-function-name> \
    --vpc-config SubnetIds=<subnet-ids>,SecurityGroupIds=<security-group-ids>

Replace <lambda-function-name> with the name or ARN of the Lambda function, and <subnet-ids> and <security-group-ids> with comma-separated lists of the subnet and security group IDs chosen in the steps above. The command returns the updated function configuration; its VpcConfig block should list the subnets and security groups you supplied and a non-empty VpcId. The shorthand --vpc-config syntax shown here is accepted by both AWS CLI v1 and v2.
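The check behind this rule, together with the remediation command above, as an added example that is not Cloud Defense's or AWS's code: a Python script that reads the JSON printed by aws lambda list-functions, flags every function that is not attached to a VPC, and emits an update-function-configuration command for each one. It runs offline against a constructed sample of that output embedded in the script; the function names, ARNs, subnet and security group IDs in the sample, and the target subnets and security group in the main block, are made-up placeholders. It handles the case a key-existence check misses: a function that was detached from a VPC still carries a VpcConfig object, just an empty one, so the lists inside it must be inspected.

```python
"""Audit Lambda functions for VPC attachment and emit remediation commands.

Added example (not Cloud Defense or AWS code). Input is the JSON that
`aws lambda list-functions --output json` prints. A constructed sample is
embedded so the script runs offline; pass a path to a saved real output
as the first argument to audit an actual account.
"""
import json
import sys

# Constructed sample of `aws lambda list-functions` output. Names, ARNs and
# IDs are made up. Three cases are covered:
#   - never attached to a VPC (no VpcConfig key at all),
#   - detached from a VPC (VpcConfig present but empty),
#   - correctly attached.
SAMPLE_LIST_FUNCTIONS = json.dumps({
    "Functions": [
        {
            "FunctionName": "ingest-events",
            "FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:ingest-events",
            "Runtime": "python3.12",
        },
        {
            "FunctionName": "nightly-report",
            "FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:nightly-report",
            "Runtime": "nodejs20.x",
            "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": [], "VpcId": ""},
        },
        {
            "FunctionName": "db-writer",
            "FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:db-writer",
            "Runtime": "python3.12",
            "VpcConfig": {
                "SubnetIds": ["subnet-0a1b2c3d4e5f60001", "subnet-0a1b2c3d4e5f60002"],
                "SecurityGroupIds": ["sg-0123456789abcdef0"],
                "VpcId": "vpc-0abc1234def567890",
            },
        },
    ]
})


def is_in_vpc(function: dict) -> bool:
    """True only if the function has a VPC, at least one subnet and one security group.

    Lambda reports a detached function with an empty VpcConfig, so the presence
    of the key is not enough; the lists themselves must be non-empty.
    """
    cfg = function.get("VpcConfig") or {}
    return bool(cfg.get("VpcId")) and bool(cfg.get("SubnetIds")) and bool(cfg.get("SecurityGroupIds"))


def find_functions_outside_vpc(list_functions_json: str) -> list[str]:
    """Return the sorted names of functions in list-functions output that fail the rule."""
    data = json.loads(list_functions_json)
    return sorted(f["FunctionName"] for f in data.get("Functions", []) if not is_in_vpc(f))


def remediation_command(function_name: str, subnet_ids: list[str], security_group_ids: list[str]) -> str:
    """Build the AWS CLI call that attaches one function to the given subnets and security groups.

    The subnet and security group IDs are operator choices (private subnets in
    at least two AZs, a security group with only the egress the function needs);
    they are not discovered here.
    """
    if not subnet_ids or not security_group_ids:
        raise ValueError("at least one subnet ID and one security group ID are required")
    return (
        "aws lambda update-function-configuration "
        f"--function-name {function_name} "
        f"--vpc-config SubnetIds={','.join(subnet_ids)},SecurityGroupIds={','.join(security_group_ids)}"
    )


def remediation_plan(list_functions_json: str, subnet_ids: list[str], security_group_ids: list[str]) -> list[str]:
    """One update-function-configuration command per non-compliant function."""
    return [remediation_command(name, subnet_ids, security_group_ids)
            for name in find_functions_outside_vpc(list_functions_json)]


if __name__ == "__main__":
    # Hypothetical target subnets and security group chosen by the operator.
    target_subnets = ["subnet-0a1b2c3d4e5f60001", "subnet-0a1b2c3d4e5f60002"]
    target_sgs = ["sg-0123456789abcdef0"]
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LIST_FUNCTIONS
    for cmd in remediation_plan(source, target_subnets, target_sgs):
        print(cmd)
```

Against the sample it reports ingest-events and nightly-report and prints one command for each; db-writer passes. Review the generated commands before running them (every function is given the same subnets and security group, which is rarely right for a whole account), and confirm each change afterwards with aws lambda get-function-configuration --function-name <name> --query VpcConfig, which should show the supplied subnets and a non-empty VpcId.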

Conclusion

Attaching your Lambda functions to a VPC satisfies this FedRAMP Moderate Revision 4 check and, more importantly, brings the functions' network traffic under the same controls as the rest of your VPC: security groups, route tables, NACLs and VPC endpoints. The attachment itself is not the control; the benefit comes from the private subnets, restrictive outbound rules and routes you configure in the steps above, so verify those rather than stopping at the VpcConfig setting.
