Ensure AWS Lambda function is configured for a DLQ

Error: AWS Lambda function is not configured for a DLQ

Bridgecrew Policy ID: BC_AWS_GENERAL_64
Checkov Check ID: CKV_AWS_116
Severity: LOW

AWS Lambda function is not configured for a DLQ

Description

Configuring a dead-letter queue (DLQ) makes it possible to investigate errors or failed invocations of the connected Lambda function, because the failed event is retained instead of being discarded.

As an alternative, it is possible to configure an on-failure destination, which forwards a failed event to a DLQ, an SNS topic, another Lambda function or EventBridge.

It is always important to understand why your application or function failed and to ensure that no data was dropped or compromised. Lambda functions are often used to process security-related data such as CloudTrail events, and a failed delivery to a dependent system can result in an unnoticed security breach.

Fix - Buildtime

Terraform

  • Resource: aws_lambda_function
  • Argument: dead_letter_config
resource "aws_lambda_function" "test_lambda" {
  ...   
+ dead_letter_config {
+   target_arn = "test"
+ }
}
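A complete Terraform setup, added here as an example and not taken from the Checkov or Bridgecrew documentation: the SQS queue used as the DLQ, the execution role permission Lambda needs to deliver to it, and the `dead_letter_config` pointing at the queue's real ARN instead of a placeholder. The resource names (`lambda_dlq`, `lambda_exec`, `lambda_dlq_send`) and the deployment package `lambda.zip` are assumptions.

```hcl
# Added example (not from the Bridgecrew/Checkov docs). Assumed names:
# queue "lambda_dlq", role "lambda_exec", policy "lambda_dlq_send", package "lambda.zip".

resource "aws_sqs_queue" "lambda_dlq" {
  name                      = "test-lambda-dlq"
  message_retention_seconds = 1209600 # 14 days (SQS maximum) so failed events survive until reviewed
}

resource "aws_iam_role" "lambda_exec" {
  name = "test-lambda-exec"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Lambda writes to the DLQ using the function's execution role. Without this
# permission the DLQ is configured but the failed event is still lost.
resource "aws_iam_role_policy" "lambda_dlq_send" {
  name = "send-to-dlq"
  role = aws_iam_role.lambda_exec.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sqs:SendMessage"
      Resource = aws_sqs_queue.lambda_dlq.arn
    }]
  })
}

resource "aws_lambda_function" "test_lambda" {
  function_name = "test-lambda"
  role          = aws_iam_role.lambda_exec.arn
  handler       = "index.handler"
  runtime       = "python3.12"
  filename      = "lambda.zip" # assumed deployment package

  # Satisfies CKV_AWS_116: failed asynchronous invocations go to the queue above.
  dead_letter_config {
    target_arn = aws_sqs_queue.lambda_dlq.arn
  }
}
```

A DLQ only receives events from asynchronous invocations, so synchronous callers still need their own error handling, and the queue itself should be monitored (for example an alarm on its visible message count) or failures will still go unnoticed.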

CloudFormation

  • Resource: AWS::Lambda::Function
  • Argument: Properties.DeadLetterConfig
Type: AWS::Lambda::Function
Properties:
  ...
+ DeadLetterConfig:
+   TargetArn: "test"
