Lambda Function Missing Valid VPC

Overview

Lambda functions are usually configured to connect to private subnets in an AWS VPC so that they can reach resources hosted there. A Lambda function that is not connected to any VPC may be an "orphaned" function that should be reviewed for removal. It may also indicate that the function's configuration has become invalid because of changes in the target VPC (for example, subnets that were deleted after the function was configured).

Depending on the cause of the missing VPC configuration and the function's intended flow, this condition can result in an inaccurate resource inventory or in functional failure.

When you connect a function to a VPC, Lambda creates an elastic network interface for each subnet in your function's VPC configuration.

Remediation details:

Consider the original purpose of the Lambda function and ensure that it is configured to connect to the VPC that holds the resources it needs. Once you have determined which resources and connectivity the function requires, use the AWS Console or the Lambda API to connect it to the required VPC subnets. To connect to a VPC, the function's execution role must have the following permissions. These permissions are included in the AWS managed policy AWSLambdaVPCAccessExecutionRole.

  • Execution role permissions:
      • ec2:CreateNetworkInterface
      • ec2:DescribeNetworkInterfaces
      • ec2:DeleteNetworkInterface

To configure a function to connect to a VPC, your AWS Identity and Access Management (IAM) user needs the following permissions.

  • User permissions:
      • ec2:DescribeSecurityGroups
      • ec2:DescribeSubnets
      • ec2:DescribeVpcs
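The review step above can be scripted. The following is an added example (not part of this finding's own tooling) that checks Lambda function records in the shape returned by boto3's list_functions for a missing VPC attachment or for subnet IDs that no longer exist, and builds the update_function_configuration arguments used to reconnect a function; the function and subnet IDs in the sample data are constructed.

```python
from __future__ import annotations
from typing import Iterable


def vpc_finding(fn: dict, known_subnets: set[str]) -> str | None:
    """Why one ``list_functions`` entry needs review (None if it looks fine).
    ``known_subnets`` is the set of subnet IDs that exist per ``describe_subnets``."""
    vpc = fn.get("VpcConfig") or {}
    subnets = vpc.get("SubnetIds") or []
    # Lambda reports a non-VPC function either with no VpcConfig at all or with an
    # empty VpcId and SubnetIds list; both mean "not connected to any VPC".
    if not vpc.get("VpcId") and not subnets:
        return "not attached to any VPC"
    # A config can also go stale when subnets in the target VPC were deleted:
    # those IDs no longer come back from describe_subnets, so flag them for review.
    missing = sorted(s for s in subnets if s not in known_subnets)
    return "references missing subnets: " + ", ".join(missing) if missing else None


def audit(functions: Iterable[dict], known_subnets: set[str]) -> dict[str, str]:
    """Map FunctionName -> reason for every function that needs review."""
    findings = {}
    for fn in functions:
        reason = vpc_finding(fn, known_subnets)
        if reason:
            findings[fn["FunctionName"]] = reason
    return findings


def remediation_params(fn_name: str, subnet_ids: list[str], sg_ids: list[str]) -> dict:
    """Keyword arguments for ``lambda.update_function_configuration`` that reattach
    the function to the subnets and security groups it actually needs."""
    return {"FunctionName": fn_name,
            "VpcConfig": {"SubnetIds": subnet_ids, "SecurityGroupIds": sg_ids}}


# Constructed sample data in the shape of the two API responses (not real resources).
SAMPLE_FUNCTIONS = [
    {"FunctionName": "orders-api", "VpcConfig": {"VpcId": "vpc-0a1b",
     "SubnetIds": ["subnet-01", "subnet-02"], "SecurityGroupIds": ["sg-01"]}},
    {"FunctionName": "nightly-report"},  # no VpcConfig key at all
    {"FunctionName": "cache-warmer", "VpcConfig": {"VpcId": "", "SubnetIds": [], "SecurityGroupIds": []}},
    {"FunctionName": "db-migrator", "VpcConfig": {"VpcId": "vpc-0a1b",
     "SubnetIds": ["subnet-01", "subnet-99"], "SecurityGroupIds": ["sg-01"]}},
]
SAMPLE_SUBNETS = {"subnet-01", "subnet-02"}

if __name__ == "__main__":  # live run against an account; needs boto3 and the permissions above
    import boto3
    lam, ec2 = boto3.client("lambda"), boto3.client("ec2")
    fns = [f for p in lam.get_paginator("list_functions").paginate() for f in p["Functions"]]
    subs = {s["SubnetId"] for p in ec2.get_paginator("describe_subnets").paginate() for s in p["Subnets"]}
    for name, reason in audit(fns, subs).items():
        print(f"{name}: {reason}")
```

Treat a flagged function as a candidate for review rather than an automatic fix: reattaching it with remediation_params should only follow once the intended subnets and security groups have been confirmed.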

Vendor

AWS

Cloud Service

Lambda

PCI DSS 1.2.1, PCI DSS 1.3.1, PCI DSS 1.3.2, PCI DSS 1.3.4

Lambda.3

References

  • https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html
  • https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/lambda.html

Severity

2

Item Types

AWS::Lambda::Function