Lambda Functions are not deployed within a VPC Affecting Lambda service in AWS


Severity

0.0
medium
0
10
Severity Framework
Snyk CCSS
Rule category
Network/ Network

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
Frameworks
  • Snyk IDSNYK-CC-00746
  • creditSnyk Research Team

Description

Deploying AWS Lambda functions outside of a Virtual Private Cloud (VPC) can expose them to network threats and unauthorized access, as they may be reachable from the public internet. Enforcing Lambda execution within a VPC provides an additional layer of network security and allows for finer-grained control over the function's networking environment, including security groups and network access control lists (ACLs).

How to fix?

Add the vpc_config block to the aws_lambda_function resource with valid subnet_ids and security_group_ids.

Example Configuration

data "archive_file" "allowed1_file" {
  type        = "zip"
  source_file = "/home/snyk/lambda.js"
  output_path = "lambda_function_payload.zip"
}

resource "aws_lambda_function" "allowed1_lambda" {
  filename      = "lambda_function_payload.zip"
  function_name = "lambda_function_allowed1"
  role          = "arn:aws:iam::824152625835:role/example746"
  handler       = "index.test"

  source_code_hash = data.archive_file.allowed1_file.output_base64sha256

  runtime = "nodejs18.x"

  vpc_config {
    subnet_ids         = ["subnet-01234567890abcdef"]
    security_group_ids = ["sg-1234567890abcdef0"]
  }
}