Lambda Function is Deployed Inside a VPC

Overview

This check verifies that your AWS Lambda functions are connected to a Virtual Private Cloud (VPC) rather than using Lambda's default public networking. When a Lambda function is inside a VPC, it can securely access private resources like databases and internal APIs while giving you control over network traffic.

Risk

Without VPC attachment, Lambda functions:

  • Lack network isolation - Traffic flows through public AWS infrastructure instead of your controlled network
  • Have unrestricted outbound access - Functions can reach any internet destination, increasing data exfiltration risk
  • Cannot access private resources - Functions cannot connect to resources in private subnets (like RDS databases or internal APIs)
  • Are vulnerable to SSRF attacks - Server-Side Request Forgery attacks have broader impact when outbound traffic is unrestricted

Severity: Low - This check has low severity because not all Lambda functions require VPC access. Functions that only interact with public AWS services may not need VPC configuration.

Remediation Steps

Prerequisites

  • Access to AWS Console with permissions to modify Lambda functions
  • A VPC with at least two private subnets in different Availability Zones
  • A security group that allows the traffic your function needs

Important: Lambda execution role permissions

Your Lambda function's execution role must have permissions to create network interfaces in the VPC. Attach the AWSLambdaVPCAccessExecutionRole managed policy or add these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface",
        "ec2:AssignPrivateIpAddresses",
        "ec2:UnassignPrivateIpAddresses"
      ],
      "Resource": "*"
    }
  ]
}
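
The following script is an added example (not code from this page or from any scanner it belongs to) that checks whether an execution role's policies actually grant the five ENI actions above before you attach the function to a VPC. The pure checks run offline on constructed sample documents; the `role_policy_documents` helper is an assumption that requires boto3 and IAM read access, and it is imported lazily so the rest of the module does not depend on it.

```python
import fnmatch

# The ENI permissions Lambda needs for VPC networking, as listed on this page.
REQUIRED_ACTIONS = (
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
    "ec2:AssignPrivateIpAddresses",
    "ec2:UnassignPrivateIpAddresses",
)


def _as_list(value):
    """IAM accepts a string or a list for Statement and Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allow_patterns(policy_document):
    """Collect the Action patterns granted by Allow statements in one policy document.
    Only Allow + Action is modelled: NotAction, explicit Deny and Condition are
    ignored, so an empty 'missing' result is necessary but not sufficient."""
    patterns = set()
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            patterns.update(_as_list(stmt["Action"]))
    return patterns


def missing_vpc_permissions(policy_documents):
    """Return the required ENI actions that none of the given documents allow.
    IAM matches action names case-insensitively with '*' and '?' wildcards, so
    'ec2:*' or 'ec2:*NetworkInterface*' count as coverage."""
    patterns = set()
    for doc in policy_documents:
        patterns.update(allow_patterns(doc))
    lowered = [p.lower() for p in patterns]
    return [
        action
        for action in REQUIRED_ACTIONS
        if not any(fnmatch.fnmatchcase(action.lower(), pat) for pat in lowered)
    ]


def role_policy_documents(role_name):
    """Assumed helper: fetch every inline and attached policy document of a role.
    Needs boto3 and iam:ListRolePolicies/GetRolePolicy/ListAttachedRolePolicies/
    GetPolicy/GetPolicyVersion; imported lazily so the checks above run offline."""
    import boto3

    iam = boto3.client("iam")
    docs = []
    for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:
        docs.append(iam.get_role_policy(RoleName=role_name, PolicyName=name)["PolicyDocument"])
    for attached in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
        arn = attached["PolicyArn"]
        default_version = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
        version = iam.get_policy_version(PolicyArn=arn, VersionId=default_version)
        docs.append(version["PolicyVersion"]["Document"])
    return docs


# Constructed sample documents for an offline run.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": "*"}],
}
DESCRIBE_ONLY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "ec2:DescribeNetworkInterfaces", "Resource": "*"},
}
EC2_WILDCARD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

if __name__ == "__main__":
    for label, doc in (("page policy", PAGE_POLICY), ("describe only", DESCRIBE_ONLY), ("ec2:*", EC2_WILDCARD)):
        print(label, "->", missing_vpc_permissions([doc]) or "all required actions granted")
```

To check a live role, call `missing_vpc_permissions(role_policy_documents("my-lambda-role"))`; an empty list means the Allow statements cover all five actions, but an explicit Deny elsewhere (for example in a permissions boundary or SCP) can still block them.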

AWS Console Method

  1. Open the Lambda console at https://console.aws.amazon.com/lambda/
  2. Select your function from the list
  3. Click the Configuration tab
  4. Select VPC from the left menu
  5. Click Edit
  6. Under VPC, select your target VPC from the dropdown
  7. Under Subnets, select at least two subnets in different Availability Zones (choose private subnets for security)
  8. Under Security groups, select a security group that allows the traffic your function needs
  9. Click Save

Note: After saving, Lambda will provision network interfaces. This can take a minute or two. During this time, you can still invoke the function, but you cannot modify its configuration.

AWS CLI (optional)

Update an existing Lambda function to use VPC networking:

aws lambda update-function-configuration \
  --function-name my-function \
  --vpc-config SubnetIds=subnet-0123456789abcdef0,subnet-0987654321fedcba0,SecurityGroupIds=sg-0123456789abcdef0 \
  --region us-east-1

Replace:

  • my-function with your Lambda function name
  • subnet-0123456789abcdef0,subnet-0987654321fedcba0 with your subnet IDs (comma-separated, no spaces)
  • sg-0123456789abcdef0 with your security group ID

To verify the configuration:

aws lambda get-function-configuration \
  --function-name my-function \
  --query 'VpcConfig' \
  --region us-east-1

CloudFormation (optional)

AWSTemplateFormatVersion: '2010-09-09'
Description: Lambda function with VPC configuration

Parameters:
  FunctionName:
    Type: String
    Description: Name of the Lambda function
  SubnetId1:
    Type: AWS::EC2::Subnet::Id
    Description: First subnet ID for Lambda VPC config
  SubnetId2:
    Type: AWS::EC2::Subnet::Id
    Description: Second subnet ID for Lambda VPC config
  SecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group ID for Lambda VPC config
  LambdaRoleArn:
    Type: String
    Description: ARN of the Lambda execution role

Resources:
  LambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Ref FunctionName
      Runtime: python3.12
      Handler: index.handler
      Role: !Ref LambdaRoleArn
      Code:
        ZipFile: |
          def handler(event, context):
              return {'statusCode': 200, 'body': 'Hello'}
      VpcConfig:
        SubnetIds:
          - !Ref SubnetId1
          - !Ref SubnetId2
        SecurityGroupIds:
          - !Ref SecurityGroupId

Outputs:
  FunctionArn:
    Description: Lambda function ARN
    Value: !GetAtt LambdaFunction.Arn

Terraform (optional)

resource "aws_lambda_function" "example" {
  function_name = var.function_name
  role          = var.lambda_role_arn
  handler       = "index.handler"
  runtime       = "python3.12"
  filename      = "lambda.zip"

  vpc_config {
    subnet_ids         = var.subnet_ids
    security_group_ids = var.security_group_ids
  }
}

variable "function_name" {
  description = "Name of the Lambda function"
  type        = string
}

variable "subnet_ids" {
  description = "List of subnet IDs for VPC configuration"
  type        = list(string)
}

variable "security_group_ids" {
  description = "List of security group IDs for VPC configuration"
  type        = list(string)
}

variable "lambda_role_arn" {
  description = "ARN of the Lambda execution role"
  type        = string
}

Verification

After making changes, verify your Lambda function is connected to the VPC:

  1. In the Lambda console, go to your function's Configuration > VPC tab
  2. Confirm you see your VPC ID, subnet IDs, and security group IDs listed
  3. Test your function to ensure it can still reach the resources it needs

CLI verification

aws lambda get-function-configuration \
  --function-name my-function \
  --query '{VpcId: VpcConfig.VpcId, Subnets: VpcConfig.SubnetIds, SecurityGroups: VpcConfig.SecurityGroupIds}' \
  --region us-east-1

Expected output shows your VPC configuration:

{
  "VpcId": "vpc-0123456789abcdef0",
  "Subnets": [
    "subnet-0123456789abcdef0",
    "subnet-0987654321fedcba0"
  ],
  "SecurityGroups": [
    "sg-0123456789abcdef0"
  ]
}
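
To run this verification across every function rather than one at a time, the script below is an added example (not code from this page or from any scanner it belongs to) that applies the check's logic to the configuration dict that `get-function-configuration` and `list-functions` return: a function is FAIL when it has no VPC, and functions that pass but have fewer than two subnets or no security group get a warning. The sample configurations are constructed, and `scan_region` is an assumption that requires boto3 and lambda:ListFunctions.

```python
def evaluate_vpc_config(function_configuration, min_subnets=2):
    """Evaluate one function configuration against this check.

    Functions outside a VPC either omit VpcConfig or return it with an empty
    VpcId and empty lists, so both shapes are treated as 'not attached'.
    """
    vpc = function_configuration.get("VpcConfig") or {}
    vpc_id = vpc.get("VpcId") or ""
    subnets = list(vpc.get("SubnetIds") or [])
    security_groups = list(vpc.get("SecurityGroupIds") or [])
    warnings = []

    if vpc_id:
        status = "PASS"
        if len(subnets) < min_subnets:
            warnings.append(
                f"{len(subnets)} subnet(s) configured; use at least {min_subnets} "
                "in different Availability Zones for high availability"
            )
        if not security_groups:
            warnings.append("no security group attached")
    else:
        status = "FAIL"  # the condition this check reports on

    return {
        "FunctionName": function_configuration.get("FunctionName"),
        "Status": status,
        "VpcId": vpc_id or None,
        "SubnetIds": subnets,
        "SecurityGroupIds": security_groups,
        "Warnings": warnings,
    }


def scan_region(region_name):
    """Assumed helper: evaluate every function in a region. ListFunctions already
    includes VpcConfig per function, so no per-function call is needed. boto3 is
    imported lazily so evaluate_vpc_config stays usable offline."""
    import boto3

    client = boto3.client("lambda", region_name=region_name)
    findings = []
    for page in client.get_paginator("list_functions").paginate():
        for cfg in page["Functions"]:
            findings.append(evaluate_vpc_config(cfg))
    return findings


def failing_functions(findings):
    """Names of functions that are not attached to a VPC."""
    return [f["FunctionName"] for f in findings if f["Status"] == "FAIL"]


# Constructed samples mirroring the shapes get-function-configuration returns.
IN_VPC = {
    "FunctionName": "my-function",
    "VpcConfig": {
        "VpcId": "vpc-0123456789abcdef0",
        "SubnetIds": ["subnet-0123456789abcdef0", "subnet-0987654321fedcba0"],
        "SecurityGroupIds": ["sg-0123456789abcdef0"],
    },
}
NO_VPC = {
    "FunctionName": "legacy-cron",
    "VpcConfig": {"VpcId": "", "SubnetIds": [], "SecurityGroupIds": []},
}
SINGLE_SUBNET = {
    "FunctionName": "single-az",
    "VpcConfig": {
        "VpcId": "vpc-0123456789abcdef0",
        "SubnetIds": ["subnet-0123456789abcdef0"],
        "SecurityGroupIds": ["sg-0123456789abcdef0"],
    },
}
OMITTED_VPCCONFIG = {"FunctionName": "no-vpcconfig-key"}

if __name__ == "__main__":
    findings = [evaluate_vpc_config(c) for c in (IN_VPC, NO_VPC, SINGLE_SUBNET, OMITTED_VPCCONFIG)]
    for f in findings:
        print(f["FunctionName"], f["Status"], "; ".join(f["Warnings"]))
    print("not in a VPC:", failing_functions(findings))
```

Run `scan_region("us-east-1")` with credentials that allow lambda:ListFunctions to get the same findings for a live account; the evaluation function itself has no AWS dependency, so it can also be run over saved CLI output.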

Additional Resources

Notes

  • Internet access: Functions in a VPC lose direct internet access. To call external APIs or public AWS endpoints, you need either a NAT Gateway or VPC endpoints.
  • Cold start impact: VPC-connected functions may have slightly longer cold starts due to network interface provisioning, though AWS has significantly improved this.
  • Use VPC endpoints: For AWS services like S3, DynamoDB, and Secrets Manager, use VPC endpoints instead of NAT Gateways to reduce costs and improve security.
  • Subnet selection: Use private subnets for Lambda functions. Place subnets in multiple Availability Zones for high availability.
  • Security groups: Apply the principle of least privilege - only allow the specific outbound traffic your function needs.
  • Not always required: If your function only interacts with public AWS services (like S3 via public endpoints), VPC configuration may not be necessary. Evaluate your specific use case.