We have AWS accounts created and managed using control tower service.
The requirement is to restrict internet access from lambda even it is not attached to any VPC.
By default lambda functions can connect to internet if it is not connected to any VPC.
How do we enforce restricting internet access to users using lambda functions ?
Lambda is always in a VPC,just when you don't specify a VPC it's assigned to default one which has internet access configured.
Create a new VPC, by default it won't have internet access. And assign your functions to it.
We have addressed this requirement by creating a service control policy with below statements and attached to the OU.
It enforces the users to select a VPC, subnet and security group while creating/updating the lambda function. With this you can make sure the lambda functions are always under your VPC.
Ref: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-conditions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnforceVPCFunction",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunctionConfiguration"
],
"Effect": "Deny",
"Resource": "*",
"Condition": {
"Null": {
"lambda:VpcIds": "true"
}
}
}
]
}
Refer the above AWS documentation to find the policy statements to enable restriction at different levels like subnet, Security group and VPC.
Related
Question: If I add a VPC to the Lambda, does it loose access to AWS services like DynamoDB? ***
My Lambda needs to do a fetch two HTTPS services (technically one is wss). As I understand Lambdas, they can't get to anything, even AWS services unless given. The Lambda already was able to access DynamoDB tables, but I wanted to give it the REST services as well. I read somewhere that the Lambda can't really connect almost anywhere without associating it with a VPC. To do that, I added an inline policy as described at AWS Lambda:The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2
The Lambda has a custom role which has AWS Policies:
AmazonS3FullAccess
AmazonAPIGatewayInvokeFullAccess
AmazonDynamoDBFullAccess
AWSLambdaBasicExecutionRole
plus an inline policy (literally from the SO link above)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeNetworkInterfaces",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeInstances",
"ec2:AttachNetworkInterface"
],
"Resource": "*"
}
]
}
As long as you configure the lambda to use a subnet in your VPC that has internet access then it will be able to reach DynamoDB just fine. I suggest you specify two subnets for high availability. If you use private subnets then you'll need to create NAT gateways so that they have internet access. Access to AWS services could get a bit more complex if you're using something like VPC endpoints, but if you're not using those in your VPC then it's not something you need to worry about.
Also, you really only need to use VPCs/Subnets with your lambda if it needs access to resources that reside within the VPC (such as an RDS cluster, or some API that is not publicly available). Otherwise, if you don't specify a vpc, your lambda will have internet access by default.
I'm trying to allow AWS Lambda residing in a private VPC to invoke another Lambda not in any VPC. I'm purposely avoiding use of NAT gateways in favor of Interface VPC Endpoints as they're a bit cheaper to use. However, I'm running into trouble configuring a custom policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "[~some stuff~]",
"Action": [
"lambda:InvokeFunction"
],
"Effect": "Allow",
"Resource": "arn:aws:lambda:[~region~]:[~taken out~]:function:Test-Invoked"
}
]
}
This was generated by the policy generator provided by AWS, which I copied and pasted. When I tried to create the endpoint, this got overwritten by the default All access. After I tried to change this once the endpoint was created, AWS takes me to an error page saying "Error: An unknown error occurred".
Would appreciate some help on this.
Your interface endpoint policy is invalid. Its missing Principal element for once.
But my advise would be to use default policy, and control access to the endpoint using security groups, and to control permissions to invoke the second lambda by means of IAM roles and/or lambda's resource-based permissions.
I have two VPC in my account. One for Test and other for Prod environment.
I am trying to setup IAM user accounts for developers, with permission boundaries, so that developers only has access to create/modify resources in Test VPC.
How do I do that? Can you share a sample policy JSON?
An Amazon VPC is a virtual network.
It is not possible to control access to a network based on "users" because the network has no knowledge of users. It can only control traffic by IP address and protocol.
If you want developers to be able to login to instances in Test environment, but not a Prod environment, you would either need to control access on the instances themselves (eg when they login to an EC2 instance), or control access to the network (eg by controlling access to a VPN connection or having developers access resources on a network with a known IP address range).
This is exactly the same as controlling access on a corporate network — developers could be placed on a network that has access to Test resources, while Sys Admins could be placed on a network that has access to Prod resources. This has to do with how their computer is connected to the network, rather than "who" they are.
If, instead, your goal is to restrict the Dev's ability to create/change resources in a VPC, then this can be done by adding conditions a IAM policies. For example, granting them the ability to launch an EC2 instance but only in the Test VPC.
See: How to Help Lock Down a User’s Amazon EC2 Capabilities to a Single VPC | AWS Security Blog
What I get is you are trying to restrict users to the services which are under a particular VPC. I did the same thing for allowing users to update Lambda functions which are inside a particular VPC only. This can be done like below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllResources",
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Sid": "DenyLambdaUpdatIfNotInsideVPC",
"Effect": "Deny",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunctionConfiguration"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"lambda:VpcIds": "your vpc id"
}
}
}
]
}
In this way you can restrict users from accessing the resources which are outside your VPC by writing services and their specific actions in the deny statement.
I've setup the following Resource Policy in my AWS API Gateway to whitelist an IP range:
The policy is working properly, however now I have to apply the same policy to some Gateways (not all of them) within the same account and potentially in the future I will need to include more IPs in that list; So I will need to modify the resource policy in the Gateways one by one..
In order to fix that, I want to setup a policy in IAM and apply that policy to some gateways. I've created the following policy in IAM:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "execute-api:Invoke",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "35.192.0.0/12"
}
}
}
]
}
However I cannot find the way to attach it to the Gateways.
I've tried to setup a role, but the API Gateway service does not allow me to attach that policy.
Is there anyway to create a IP whitelist policy and attach them to some gateways at once? Basically I'm looking for a way to modify the IP whitelist in one place and apply it dynamically to some of my gateways.
Thanks,
The policy for API Gateway is a resource policy, the IAM policy can only be attached to users, groups and roles.
You will need to apply this to each API Gateways resource policy, if you want to reuse try looking at IaC.
I use Redash on EC2 instance, and I have to send invitation mails via Amazon SES.
I'd like to add a setting to restrict mail sender to inside a certain VPC where the Redash instance is located.
Here's my IAM for SES:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ses:SendRawEmail",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceVpce": "vpce-******"
},
"ForAnyValue:StringLike": {
"ses:Recipients": "*#mycompany.com"
}
}
}
]
}
But I can't send any mail. I think it's because I use VPC endpoint in the code above. It's not available for SES yet.
Is there any other way to specify a certain VPC?
This is an interesting challenge!
The Amazon SES interface is on the internet, so theoretically anything can access it. Normally, policy restrictions use permissions on the IAM User or Role that calls SES to determine whether calls are allowed, rather than from where the call is made.
I assume you are doing this because you only want your Production system to send emails, rather than Dev/Test systems.
However, it is not possible to restrict via VPC, because Amazon SES has no visibility to the concept of a VPC. It simply receives API calls via the Internet.
If your application is in a private subnet and sends requests via NAT Gateway, then you could add a policy to restrict based upon the IP address of the NAT Gateway.
You could do this either by putting the restriction on the Allow statement, or by adding a Deny statement.
See: AWS: Denies Access to AWS Based on the Source IP - AWS Identity and Access Management