
Rule: Lambda functions should be in a VPC

Ensure compliance by placing lambda functions in a VPC

Rule: Lambda functions should be in a VPC
Framework: NIST 800-53 Revision 5
Severity: Low

Rule Description: Lambda functions should be deployed inside a Virtual Private Cloud (VPC) to meet the requirements of NIST 800-53 Revision 5.

Detailed Description:

Lambda functions are serverless compute resources offered by AWS. By default, Lambda functions are deployed outside VPCs. However, to adhere to the security requirements set by the NIST 800-53 Revision 5, it is necessary to configure Lambda functions to run within a VPC.

Why is this important?

NIST 800-53 Revision 5 provides guidelines and protocols for managing and securing federal information systems and organizations. By deploying Lambda functions within a VPC, the network traffic can be more effectively controlled and secured, helping to mitigate potential security risks.

Troubleshooting Steps:

1. Identify whether a Lambda function is within a VPC:

To check if a Lambda function is currently deployed within a VPC, follow these steps:

  1. Go to the AWS Management Console.
  2. Navigate to the Lambda service.
  3. Select the specific function you want to check.
  4. Under the "Configuration" tab, look for the "Network settings" section.
  5. If the field "VPC" is empty or not configured, it means the Lambda function is not within a VPC.
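The console check above scales poorly past a handful of functions. The following added example (not code from the Cloud Defense page) performs the same step-1 test over the configuration records that boto3's lambda list_functions() returns, treating a function as VPC-attached only when it has a VpcId, at least one subnet and at least one security group. The SAMPLE_FUNCTIONS records are constructed; the function, region and account names are placeholders, and audit_account() assumes AWS credentials are available.

```python
"""Audit Lambda function configurations for VPC attachment.

Added example, not from the Cloud Defense page. Input records mirror the
entries under "Functions" in boto3 lambda.list_functions(); the sample data
is constructed, not captured from a real account.
"""
from typing import Iterable, List, Optional

# Constructed sample in the shape of list_functions()["Functions"] entries.
SAMPLE_FUNCTIONS = [
    {
        "FunctionName": "orders-api",  # compliant: VPC, subnets and SG all set
        "VpcConfig": {
            "SubnetIds": ["subnet-0123456789abcdef0", "subnet-0123456789abcdef1"],
            "SecurityGroupIds": ["sg-0123456789abcdef0"],
            "VpcId": "vpc-0123456789abcdef0",
        },
    },
    {
        # Previously attached, then detached: the VpcConfig block is present
        # but empty, so a naive "key exists" check would pass it wrongly.
        "FunctionName": "nightly-report",
        "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": [], "VpcId": ""},
    },
    # Never attached: the key is absent altogether.
    {"FunctionName": "image-resize"},
]


def is_in_vpc(function_config: dict) -> bool:
    """True only if the function has a VPC id, >=1 subnet and >=1 security group."""
    vpc = function_config.get("VpcConfig") or {}
    return bool(vpc.get("VpcId")) and bool(vpc.get("SubnetIds")) and bool(
        vpc.get("SecurityGroupIds")
    )


def find_non_compliant(functions: Iterable[dict]) -> List[str]:
    """Return the names of functions that are not deployed inside a VPC."""
    return [f["FunctionName"] for f in functions if not is_in_vpc(f)]


def audit_account(region: Optional[str] = None) -> List[str]:
    """Live variant: page through list_functions() with boto3 (assumes credentials)."""
    import boto3  # imported lazily so the offline sample runs without boto3 installed

    client = boto3.client("lambda", region_name=region)
    paginator = client.get_paginator("list_functions")
    functions = [f for page in paginator.paginate() for f in page["Functions"]]
    return find_non_compliant(functions)


if __name__ == "__main__":
    for name in find_non_compliant(SAMPLE_FUNCTIONS):
        print(f"NON-COMPLIANT: {name} is not attached to a VPC")
```

Run it as-is to see the two constructed non-compliant functions reported; call audit_account("us-east-1") (or your region) against a real account. The empty-VpcConfig case matters: a detached function still carries the VpcConfig key, so the check must look at the contents, not just the key's presence.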

2. Determine VPC Configuration:

To check the current VPC configuration and its associated settings, follow these steps:

  1. Go to the AWS Management Console.
  2. Navigate to the VPC service.
  3. Under the "Your VPCs" section, locate the VPC that you want to use for your Lambda function.
  4. Make note of the VPC ID and other related configuration details.

3. Modify Lambda Function Configuration:

To configure a Lambda function to be deployed within a VPC, follow these steps:

  1. Go to the AWS Management Console.
  2. Navigate to the Lambda service.
  3. Select the specific Lambda function you want to configure.
  4. Under the "Configuration" tab, scroll down to the "Network" section.
  5. Click on the "Edit" button.
  6. Select your desired VPC from the dropdown menu.
  7. Choose one or more subnets within the chosen VPC.
  8. Configure other network-related settings as required.
  9. Click on the "Save" button to apply the changes.

Relevant Code Example:

Lambda function configuration code (in AWS CloudFormation template):

Resources:
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement: [{ Effect: Allow, Principal: { Service: lambda.amazonaws.com }, Action: sts:AssumeRole }]
      ManagedPolicyArns:
        # A VPC-attached function needs ENI permissions; this managed policy grants them.
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
  MyLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: MyLambdaFunction
      Handler: index.handler
      Runtime: nodejs14.x
      Role: !GetAtt LambdaExecutionRole.Arn   # Role is a required property
      Code:                                   # Code is a required property
        ZipFile: "exports.handler = async () => ({ statusCode: 200 });"
      VpcConfig:
        SecurityGroupIds:
          - sg-0123456789abcdef0
        SubnetIds:
          - subnet-0123456789abcdef0
          - subnet-0123456789abcdef1

In the above example, the Lambda function named "MyLambdaFunction" is associated with a VPC using specific security groups (e.g., "sg-0123456789abcdef0") and subnets (e.g., "subnet-0123456789abcdef0", "subnet-0123456789abcdef1").

Remediation Steps:

To remediate the non-compliant Lambda functions and ensure they are deployed within a VPC, follow these steps:

  1. Identify the Lambda functions that need to be remediated by following the Troubleshooting Steps mentioned earlier.
  2. Modify the Lambda function's configuration to add VPC settings using the AWS Management Console or AWS CLI with the appropriate code snippet mentioned earlier.
  3. Ensure the selected VPC has the necessary security groups and subnets configured to allow the Lambda function to function properly.
  4. If any specific IP-based permissions or network settings are required for the Lambda function, configure those accordingly.
  5. Test the remediated Lambda function thoroughly to ensure it functions properly within the VPC configuration.

By following these steps, you will ensure that Lambda functions comply with the requirement of being deployed within a VPC as specified by NIST 800-53 Revision 5.
