CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00746
- creditSnyk Research Team
Description
Deploying AWS Lambda functions outside of a Virtual Private Cloud (VPC) can expose them to network threats and unauthorized access, as they may be reachable from the public internet. Enforcing Lambda execution within a VPC provides an additional layer of network security and allows for finer-grained control over the function's networking environment, including security groups and network access control lists (ACLs).
How to fix?
Add the vpc_config block to the aws_lambda_function resource with valid subnet_ids and security_group_ids.
Example configuration:
data "archive_file" "allowed1_file" {
type = "zip"
source_file = "/home/snyk/lambda.js"
output_path = "lambda_function_payload.zip"
}
resource "aws_lambda_function" "allowed1_lambda" {
filename = "lambda_function_payload.zip"
function_name = "lambda_function_allowed1"
role = "arn:aws:iam::824152625835:role/example746"
handler = "index.test"
source_code_hash = data.archive_file.allowed1_file.output_base64sha256
runtime = "nodejs18.x"
vpc_config {
subnet_ids = ["subnet-01234567890abcdef"]
security_group_ids = ["sg-1234567890abcdef0"]
}
}