Lambda Functions are not deployed within a VPC Affecting Lambda service in AWS


Severity
medium

Severity Framework
Snyk CCSS

Rule category
Network / Network

  • Snyk ID SNYK-CC-00746
  • credit Snyk Research Team

Description

Deploying AWS Lambda functions outside of a Virtual Private Cloud (VPC) can expose them to network threats and unauthorized access, as they may be reachable from the public internet. Enforcing Lambda execution within a VPC provides an additional layer of network security and allows for finer-grained control over the function's networking environment, including security groups and network access control lists (ACLs).

How to fix?

Add the vpc_config block to the aws_lambda_function resource with valid subnet_ids and security_group_ids.

Example Configuration

data "archive_file" "allowed1_file" {
  type        = "zip"
  source_file = "/home/snyk/lambda.js"
  output_path = "lambda_function_payload.zip"
}

resource "aws_lambda_function" "allowed1_lambda" {
  filename      = "lambda_function_payload.zip"
  function_name = "lambda_function_allowed1"
  role          = "arn:aws:iam::824152625835:role/example746"
  handler       = "index.test"

  source_code_hash = data.archive_file.allowed1_file.output_base64sha256

  runtime = "nodejs18.x"

  # Attach the function to the VPC. Both lists must be non-empty: if both are
  # empty, AWS treats the function as not deployed within a VPC.
  vpc_config {
    subnet_ids         = ["subnet-01234567890abcdef"]
    security_group_ids = ["sg-1234567890abcdef0"]
  }
}
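As an added example (not part of the Snyk rule page or Snyk's own checker), the following Python script implements the same check against the JSON produced by `terraform show -json <planfile>`, so the fix above can be verified in CI before apply. It assumes the documented plan JSON layout (planned_values, root_module, child_modules, a block rendered as a list) and runs against a constructed sample plan that mirrors the example configuration.

```python
"""Check behind SNYK-CC-00746 over `terraform show -json <planfile>` output (json.load'ed):
find aws_lambda_function resources lacking a usable vpc_config, nested modules included.
"""

def lambda_in_vpc(values: dict) -> bool:
    """True when vpc_config has at least one subnet and one security group.
    Plan JSON renders a block as a list: an absent block is [] and empty ID lists
    are also non-compliant (AWS treats them as 'not attached to a VPC'). Values
    unknown until apply are omitted from planned_values and get flagged as well."""
    for cfg in values.get("vpc_config") or []:
        if cfg.get("subnet_ids") and cfg.get("security_group_ids"):
            return True
    return False

def _walk(module: dict):
    """Yield every resource of this module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)

def find_lambdas_outside_vpc(plan: dict) -> list[str]:
    """Sorted addresses of managed aws_lambda_function resources not placed in a VPC."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return sorted(
        r["address"] for r in _walk(root)
        if r.get("type") == "aws_lambda_function"
        and r.get("mode", "managed") == "managed"  # ignore data sources
        and not lambda_in_vpc(r.get("values", {}))
    )

# Constructed sample plan (not real terraform output): one compliant function,
# one without a vpc_config block, one nested in a module with empty ID lists.
SAMPLE_PLAN = {"format_version": "1.2", "planned_values": {"root_module": {
    "resources": [
        {"address": "aws_lambda_function.allowed1_lambda", "mode": "managed",
         "type": "aws_lambda_function", "values": {"vpc_config": [
             {"subnet_ids": ["subnet-01234567890abcdef"],
              "security_group_ids": ["sg-1234567890abcdef0"]}]}},
        {"address": "aws_lambda_function.no_vpc", "mode": "managed",
         "type": "aws_lambda_function", "values": {"vpc_config": []}},
    ],
    "child_modules": [{"address": "module.api", "resources": [
        {"address": "module.api.aws_lambda_function.empty_vpc", "mode": "managed",
         "type": "aws_lambda_function",
         "values": {"vpc_config": [{"subnet_ids": [], "security_group_ids": []}]}}]}],
}}}

if __name__ == "__main__":
    for addr in find_lambdas_outside_vpc(SAMPLE_PLAN):
        print(f"SNYK-CC-00746: {addr} is not deployed within a VPC")
```

Run it against a real plan with `find_lambdas_outside_vpc(json.load(open("plan.json")))`; a non-empty result should fail the pipeline.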