Rule: Lambda functions should be in a VPC

Ensure all Lambda functions are properly configured within a VPC for improved security and network access control.

Rule: Lambda functions should be in a VPC
Framework: RBI Cyber Security Framework
Severity: Low

Rule Description

The rule states that all Lambda functions should be configured within a Virtual Private Cloud (VPC) as a measure to comply with the RBI (Reserve Bank of India) Cyber Security Framework. This is aimed at enhancing the security of Lambda functions by isolating them within a private network and providing controlled access to resources.

Troubleshooting Steps

If you encounter any issues while implementing this rule, you can follow these troubleshooting steps:

  1. Error: Lambda function cannot access required resources: Verify that the Lambda function is assigned to a VPC that has appropriate routing and security group configurations for the required resource access.
  2. Error: Lack of internet connectivity for Lambda function: Ensure that the VPC configuration includes appropriate NAT (Network Address Translation) settings to enable outbound internet connectivity for Lambda functions if needed.
  3. Error: Execution timeout or cold start issue: If you experience extended execution times or frequent cold starts, check if the VPC configuration is causing latency or resource limitations for Lambda function invocation.

Necessary Code

To implement this rule, use the following CloudFormation property or AWS CLI command:

CloudFormation

Resources:
  MyLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      # ... other function properties
      VpcConfig:
        SecurityGroupIds:
          - sg-xxxxxxxx
        SubnetIds:
          - subnet-xxxxxxxx

AWS CLI

aws lambda update-function-configuration --function-name MyLambdaFunction --vpc-config "SecurityGroupIds=['sg-xxxxxxxx'],SubnetIds=['subnet-xxxxxxxx']"

Step-by-Step Guide for Remediation

To ensure compliance with the RBI Cyber Security Framework, follow these steps to configure your Lambda function within a VPC:

  1. Identify VPC and Subnets: Determine the VPC and subnet(s) within which you want to deploy your Lambda function. Ensure that these subnets have appropriate routing configurations and are connected to the necessary resources (such as databases or other services).

  2. Identify Security Group: Identify the security group that should be associated with your Lambda function. This security group controls inbound and outbound traffic for the function.

  3. CloudFormation:

    • If you are using CloudFormation, include the VpcConfig property under the Properties section of your Lambda function resource definition. Provide the appropriate SecurityGroupIds and SubnetIds values within this property.
    • Apply the CloudFormation template to update your Lambda function with the VPC configuration.

  4. AWS CLI:

    • If you prefer using the AWS CLI, execute the following command to update the Lambda function's configuration:
      aws lambda update-function-configuration --function-name MyLambdaFunction --vpc-config "SecurityGroupIds=['YourSecurityGroupId'],SubnetIds=['YourSubnetId']"

    Replace MyLambdaFunction, YourSecurityGroupId, and YourSubnetId with your actual function name, security group ID, and subnet ID respectively.

  5. Verify Function Execution: After updating the Lambda function's configuration to use the VPC, redeploy it if necessary. Confirm that the function executes as expected, while now being within the defined VPC boundaries.

By following these steps, you can successfully configure your Lambda function within a VPC, ensuring compliance with the RBI Cyber Security Framework.
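
To confirm the result across an account rather than one function at a time, the audit below flags every function that is not attached to a VPC. It is an added example, not code from the original page or from Cloud Defense; it assumes input shaped like the JSON printed by aws lambda list-functions, and the function names and IDs in the sample are constructed.

```python
import json

# Constructed sample shaped like `aws lambda list-functions --output json`
# (function names and IDs are made up for illustration).
SAMPLE = json.loads("""
{"Functions": [
  {"FunctionName": "orders-api",
   "VpcConfig": {"SubnetIds": ["subnet-aaaa1111", "subnet-bbbb2222"],
                 "SecurityGroupIds": ["sg-cccc3333"],
                 "VpcId": "vpc-dddd4444"}},
  {"FunctionName": "thumbnailer"},
  {"FunctionName": "detached-fn",
   "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": [], "VpcId": ""}}
]}
""")


def vpc_finding(fn):
    """Return None if the function is VPC-attached, else a reason string."""
    cfg = fn.get("VpcConfig")
    if not cfg:
        return "no VpcConfig"
    # The API can return the VpcConfig key with empty values for a function
    # whose VPC configuration was removed, so key presence alone is not enough.
    if not cfg.get("VpcId"):
        return "empty VpcId"
    if not cfg.get("SubnetIds"):
        return "no subnets"
    return None


def audit(listing):
    """Map each non-compliant function name to the reason it fails the rule."""
    findings = {}
    for fn in listing.get("Functions", []):
        reason = vpc_finding(fn)
        if reason:
            findings[fn["FunctionName"]] = reason
    return findings


if __name__ == "__main__":
    # To audit a real account, save the CLI output to a file and pass the
    # parsed JSON to audit() instead of SAMPLE.
    for name, reason in sorted(audit(SAMPLE).items()):
        print(f"NON_COMPLIANT {name}: {reason}")
```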
