Ensure AWS Lambda function is configured inside a VPC

Error: AWS Lambda Function is not assigned to access within VPC

Bridgecrew Policy ID: BC_AWS_GENERAL_65
Checkov Check ID: CKV_AWS_117
Severity: LOW

Description

By default, Lambda runs functions in a Lambda-owned VPC that has access to AWS services and the internet but is not connected to any VPC in your account. A function running there cannot reach private resources such as an RDS instance or an ElastiCache cluster unless those resources are exposed publicly, and its outbound traffic bypasses your security groups, network ACLs and route tables. Attaching the function to your own VPC (one or more private subnets plus a security group) gives it a private path to those resources and puts its egress under the same network controls as the rest of the account.

The trade-off is that a VPC-attached function can reach the internet and regional AWS services only through that VPC. Internet access from a private subnet requires Network Address Translation (NAT): route the subnets' outbound traffic to a NAT gateway in a public subnet, or, if the function only needs AWS services, give those services VPC endpoints and leave the function without an internet path at all. Do not put the function in a public subnet instead; Lambda network interfaces never receive public IP addresses, so a public subnet gives the function no internet access.

Fix - Buildtime

Terraform

  • Resource: aws_lambda_function
  • Argument: vpc_config.subnet_ids
  • For network connectivity to AWS resources in a VPC, specify a list of security groups and subnets in the VPC. When you connect a function to a VPC, it can only access resources and the internet through that VPC.
    subnet_ids - List of subnet IDs associated with the Lambda function.
    Note: If both subnet_ids and security_group_ids are empty then vpc_config is considered to be empty or unset.
resource "aws_lambda_function" "test_lambda" {
  ...
  vpc_config {
    // Use private subnets, ideally in two or more Availability Zones. The
    // function reaches the internet only through the subnets' route to a NAT gateway.
+   subnet_ids         = [aws_subnet.subnet_for_lambda.id]
    security_group_ids = [aws_security_group.sg_for_lambda.id]
  }
}
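The description and fix above refer to private subnets, a NAT gateway in a public subnet and a security group without showing how they fit together. The following is an added example, not code from the Bridgecrew page or from the Terraform provider documentation, that wires those pieces into a configuration whose function passes CKV_AWS_117. Resource names (lambda_vpc, private, lambda_egress, lambda_exec, in_vpc), the CIDR ranges, the us-east-1 Availability Zones and the deployment package function.zip are assumptions, and the aws_eip syntax targets AWS provider 5.x.

```terraform
# Added example (not the page's own code); names, CIDRs, AZs and function.zip are assumptions.
resource "aws_vpc" "lambda_vpc" {
  cidr_block = "10.20.0.0/16"
}

# Public subnet holds only the NAT gateway; the function never lives here.
resource "aws_subnet" "public" {
  vpc_id            = aws_vpc.lambda_vpc.id
  cidr_block        = "10.20.0.0/24"
  availability_zone = "us-east-1a"
}

# Two private subnets in different AZs so an AZ outage does not stall invocations.
resource "aws_subnet" "private" {
  count             = 2
  vpc_id            = aws_vpc.lambda_vpc.id
  cidr_block        = cidrsubnet(aws_vpc.lambda_vpc.cidr_block, 8, count.index + 1)
  availability_zone = ["us-east-1a", "us-east-1b"][count.index]
}

resource "aws_internet_gateway" "igw" { vpc_id = aws_vpc.lambda_vpc.id }

resource "aws_eip" "nat" { domain = "vpc" }

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
  depends_on    = [aws_internet_gateway.igw]
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.lambda_vpc.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# Private default route goes to the NAT gateway: outbound internet with no public IP,
# and nothing on the internet can initiate a connection inward.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.lambda_vpc.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}

resource "aws_route_table_association" "private" {
  count          = 2
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private.id
}

# Egress-only security group: Lambda never accepts inbound connections, so no ingress
# block. Tighten egress to known destinations (e.g. an RDS security group on 5432).
resource "aws_security_group" "lambda_egress" {
  name   = "lambda-egress"
  vpc_id = aws_vpc.lambda_vpc.id
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# A VPC-attached function needs ec2:CreateNetworkInterface and related permissions;
# the AWS managed policy AWSLambdaVPCAccessExecutionRole grants those plus CloudWatch Logs.
resource "aws_iam_role" "lambda_exec" {
  name = "lambda-vpc-exec"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "lambda.amazonaws.com" } }]
  })
}

resource "aws_iam_role_policy_attachment" "lambda_vpc_access" {
  role       = aws_iam_role.lambda_exec.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

# Passes CKV_AWS_117: vpc_config is present with a non-empty subnet_ids list.
resource "aws_lambda_function" "in_vpc" {
  function_name = "in-vpc-example"
  role          = aws_iam_role.lambda_exec.arn
  runtime       = "python3.12"
  handler       = "app.handler"
  filename      = "function.zip"
  vpc_config {
    subnet_ids         = aws_subnet.private[*].id
    security_group_ids = [aws_security_group.lambda_egress.id]
  }
}
```

Run `checkov -d . --check CKV_AWS_117` against the directory to confirm the function passes. Deleting the vpc_config block, or setting both subnet_ids and security_group_ids to [], makes it fail, because the provider treats an empty block as unset (see the note above). The check only establishes that the function is attached to a VPC; what the function can actually talk to is decided by the security group's egress rules and the private route table, so review those separately rather than treating a passing check as proof of restricted egress.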