This rule requires that Lambda functions be attached to a Virtual Private Cloud (VPC) so that their network egress is governed by VPC controls rather than by the Lambda service's shared internet path.
Rule | Lambda functions should be in a VPC |
Framework | Federal Financial Institutions Examination Council (FFIEC) |
Severity | Low |
Rule Description:
In order to meet the security requirements of the Federal Financial Institutions Examination Council (FFIEC), all Lambda functions within the organization must be deployed within a Virtual Private Cloud (VPC). A VPC-attached function sends its outbound traffic through elastic network interfaces (ENIs) in the subnets you specify, so its egress is governed by the VPC's route tables, security groups and network ACLs; without a NAT gateway or VPC endpoints reachable from those subnets it cannot reach the public internet at all. Attachment does not change how the function is invoked: invocations still arrive through the Lambda service API, so who may invoke the function remains an IAM question, not a network one.
Troubleshooting Steps:
Verify Lambda function configuration: Inspect the function's VpcConfig (for example with aws lambda get-function-configuration). If SubnetIds and SecurityGroupIds are empty, the function runs outside any VPC and must be reconfigured. Note that a function that was previously detached from a VPC still reports a VpcConfig block, just with empty lists, so check the lists rather than the presence of the block.
Check VPC configuration: Ensure that the VPC has the subnets, route tables, security groups and network ACLs the function needs. Lambda ENIs never receive a public IP address, so placing the function in a public subnet does not give it internet access; use private subnets with a route to a NAT gateway where internet egress is required.
Verify execution role permissions: The execution role must be allowed to create, describe and delete ENIs (ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DeleteNetworkInterface). The AWS managed policy AWSLambdaVPCAccessExecutionRole grants these alongside the CloudWatch Logs permissions; without them the function cannot be attached to the VPC or fails at invocation.
Review VPC endpoint configurations: A VPC-attached function reaches other AWS services, such as S3 or DynamoDB, only through a route the subnet provides: a gateway or interface VPC endpoint, or a NAT gateway. If neither exists, calls to those services hang until the function times out, which usually surfaces as a task timeout rather than an explicit network error.
Necessary Code:
No application code changes are required for this rule; the change is to the function's configuration. The following AWS CloudFormation template attaches a Lambda function to a VPC. The original example referenced an execution role and omitted the required Code property; both are filled in here so the template deploys as written, and the runtime is python3.12 because python3.8 is no longer accepted for new functions.
Resources:
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # Grants the ENI create/describe/delete permissions a VPC-attached function needs
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
  MyLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: MyLambda
      Runtime: python3.12
      # Inline ZipFile code is written to index.py, so the handler is index.handler
      Handler: index.handler
      Role: !GetAtt LambdaExecutionRole.Arn
      Code:
        ZipFile: "def handler(event, context):\n    return {'ok': True}\n"
      VpcConfig:
        SubnetIds:
          - subnet-12345
          - subnet-67890
        SecurityGroupIds:
          - sg-abcdef
In this example, the VpcConfig section defines the subnet and security group IDs associated with the VPC where the Lambda function should be deployed.
Remediation Steps:
To deploy an existing Lambda function within a VPC or create a new Lambda function that is VPC-enabled, follow these steps:
Identify the VPC: Determine the VPC in which the Lambda function should be deployed. If no suitable VPC exists, you may need to create a new VPC.
Configure the necessary subnets: Identify the private subnets within the VPC where the Lambda function will operate, preferably in at least two Availability Zones. Ensure that these subnets have the routing (NAT gateway or VPC endpoints) and network ACL configurations the function's outbound traffic requires.
Configure VPC security groups: Create or identify the security group(s) to be associated with the Lambda function. The function's ENIs are never the target of inbound connections, so inbound rules on this group are irrelevant to the function itself; restrict its outbound rules to the destinations the function actually needs, and reference this group in the inbound rules of the resources it calls (for example a database's security group).
Update or recreate the Lambda function: Modify the existing Lambda function configuration or create a new function as per your requirements. Ensure that the VpcConfig section is correctly defined with the appropriate subnet and security group IDs.
Test the Lambda function: After deploying the Lambda function within the VPC, test its functionality to ensure that it can access the required resources within the VPC and behaves as expected.
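The audit in the Troubleshooting Steps and the reconfiguration in the Remediation Steps above can be scripted. The following Python example is added here and is not part of the original page or of any AWS tooling. It drives the ListFunctions and UpdateFunctionConfiguration API shapes through any object that exposes those two methods, so a real boto3 Lambda client works, but the demonstration runs offline against a constructed fake client with three functions in different attachment states. The function names, subnet and security group IDs are invented; the ID validator accepts the real 8- or 17-hex-character forms, so the page's placeholder IDs such as subnet-12345 would be rejected.

```python
"""Audit Lambda functions for VPC attachment and attach the offenders.

Added example for this rule; not the page's own code. Works with any client
exposing list_functions / update_function_configuration (e.g. boto3.client("lambda")).
"""
import re
from typing import Any, Dict, Iterable, List

# Assumed ID shapes: subnet-xxxxxxxx / subnet-<17 hex>, sg-xxxxxxxx / sg-<17 hex>.
SUBNET_RE = re.compile(r"^subnet-[0-9a-f]{8,17}$")
SG_RE = re.compile(r"^sg-[0-9a-f]{8,17}$")


def is_vpc_attached(config: Dict[str, Any]) -> bool:
    """True only if VpcConfig names at least one subnet and one security group.

    A function detached from a VPC still carries a VpcConfig block with empty
    lists, so testing for the key alone would miss it.
    """
    vpc = config.get("VpcConfig") or {}
    return bool(vpc.get("SubnetIds")) and bool(vpc.get("SecurityGroupIds"))


def list_all_functions(client) -> List[Dict[str, Any]]:
    """Follow NextMarker pagination; one ListFunctions call returns at most 50 items."""
    functions: List[Dict[str, Any]] = []
    marker = None
    while True:
        page = client.list_functions(Marker=marker) if marker else client.list_functions()
        functions.extend(page.get("Functions", []))
        marker = page.get("NextMarker")
        if not marker:
            return functions


def find_non_vpc_functions(configs: Iterable[Dict[str, Any]]) -> List[str]:
    """Names of functions that are not attached to any VPC, sorted for stable reports."""
    return sorted(c["FunctionName"] for c in configs if not is_vpc_attached(c))


def build_vpc_config(subnet_ids: List[str], security_group_ids: List[str]) -> Dict[str, List[str]]:
    """Validate IDs before calling the API; a typo would fail the update or land the
    function in the wrong subnet."""
    if not subnet_ids or not security_group_ids:
        raise ValueError("at least one subnet and one security group are required")
    bad = [s for s in subnet_ids if not SUBNET_RE.match(s)]
    bad += [g for g in security_group_ids if not SG_RE.match(g)]
    if bad:
        raise ValueError(f"malformed IDs: {bad}")
    return {"SubnetIds": list(subnet_ids), "SecurityGroupIds": list(security_group_ids)}


def remediate(client, function_name: str, subnet_ids: List[str], security_group_ids: List[str]):
    """Attach one function to the VPC. The execution role must already hold the ENI
    permissions (AWSLambdaVPCAccessExecutionRole) or this call is rejected."""
    return client.update_function_configuration(
        FunctionName=function_name,
        VpcConfig=build_vpc_config(subnet_ids, security_group_ids),
    )


def audit_and_remediate(client, subnet_ids: List[str], security_group_ids: List[str]) -> List[str]:
    """Report every non-VPC function and attach each one; returns the names fixed."""
    offenders = find_non_vpc_functions(list_all_functions(client))
    for name in offenders:
        remediate(client, name, subnet_ids, security_group_ids)
    return offenders


class FakeLambdaClient:
    """Constructed stand-in for boto3.client('lambda'): two pages, mixed states."""

    def __init__(self) -> None:
        self.pages = {
            None: {
                "Functions": [
                    # Detached earlier: VpcConfig present but empty (the easy one to miss).
                    {"FunctionName": "public-api",
                     "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": [], "VpcId": ""}},
                    {"FunctionName": "internal-etl",
                     "VpcConfig": {"SubnetIds": ["subnet-0a1b2c3d"],
                                   "SecurityGroupIds": ["sg-0a1b2c3d"], "VpcId": "vpc-0a1b2c3d"}},
                ],
                "NextMarker": "page-2",
            },
            "page-2": {"Functions": [{"FunctionName": "cron-cleanup"}]},  # no VpcConfig key
        }
        self.updates: List[Dict[str, Any]] = []

    def list_functions(self, Marker=None):
        return self.pages[Marker]

    def update_function_configuration(self, **kwargs):
        self.updates.append(kwargs)
        return {"FunctionName": kwargs["FunctionName"], "VpcConfig": kwargs["VpcConfig"]}


if __name__ == "__main__":
    fake = FakeLambdaClient()
    print(audit_and_remediate(fake, ["subnet-0a1b2c3d", "subnet-1e2f3a4b"], ["sg-0a1b2c3d"]))
```

Against a real account, replace FakeLambdaClient with boto3.client("lambda") and run find_non_vpc_functions first as a read-only report; only call audit_and_remediate once the subnets and security group have been confirmed, since attaching a function to subnets without a NAT gateway or VPC endpoints cuts off its existing outbound access.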
Remember to regularly review and monitor the Lambda function's VPC configuration to ensure that it remains compliant with the FFIEC regulations.