AWS Lambda Function is not assigned to access within VPC
Description
By default, Lambda runs functions in a secure VPC with access to AWS services and the internet. Lambda owns this VPC, which isn't connected to the account's default VPC. Internet access from a private subnet requires Network Address Translation (NAT). To give your function access to the internet, route outbound traffic to a NAT gateway in a public subnet.
Code Example
resource "aws_lambda_function" "test_lambda" {
...
vpc_config {
// Every subnet should be able to reach an EFS mount target in the same Availability Zone.
// Cross-AZ mounts are not permitted.
+ subnet_ids = [aws_subnet.subnet_for_lambda.id]
security_group_ids = [aws_security_group.sg_for_lambda.id]
}
}Remediation
Terraform
- Resource: aws_lambda_function
- Arguments: vpc_config.subnet_ids
For network connectivity to AWS resources in a VPC, specify a list of security groups and subnets in the VPC. When you connect a function to a VPC, it can only access resources and the internet through that VPC. `subnet_ids` - List of subnet IDs associated with the Lambda function.
NOTE: If both subnet_ids and security_group_ids are empty then vpc_config is considered to be empty or unset.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0170 |
| Severity | LOW |
| IaC Type | Cloudformation |
| Frameworks | Terraform, TerraformPlan, CloudFormation |
| Checkov ID | CKV_AWS_117 |