Is a VPC needed when an AWS Lambda talks to AWS Secrets Manager? - amazon-web-services

We have an app consisting of AWS Lambda (and API Gateway) and the Lambda uses credentials stored in AWS Secrets Manager.
Do we need a VPC in this scenario? Or is the communication between the Lambda and Secrets Manager secure since they are on AWS network (and presumably not exposed to the internet)?
AWS PrivateLink can be used to talk to Secrets Manager if the Lambda is in a VPC. But if the Lambda is not in a VPC already, then is this setup considered insecure?
Thanks!

Yes, it's possible. No, it's not insecure. No, it doesn't need a VPC (unless the Lambda function itself needs a VPC because it needs access to private resources, e.g. a database server).
If the Lambda function is not configured to connect to your VPC then it will have outbound internet access and can reach the AWS Secrets Manager endpoints over the public internet. That communication is encrypted over TLS/HTTPS.

Related

Accessing AWS services from a lambda in a private subnet

I'm working on a serverless application that works with a database in RDS. For security reasons, both the application (Lambda) and the database are located in a private subnet in a VPC.
I also want to access AWS services from the application - for example, I would like to access Secrets Manager to obtain database credentials, put a rule in EventBridge and use the STS service.
I know that I can use VPC endpoints and deploy interface endpoint in my VPC for each service of interest.
My question is as follows - the sole reason that the application is in the private subnet is database access. Why shouldn't I just create another Lambda, that is not in my VPC and can access these services easily and for free, and just invoke it from my main application?
What are the security risks? What am I missing?
Thanks
If I understand correctly, you would want to create another Lambda which runs outside of the VPC and be invoked by the Lambda which is inside the VPC.
Well, you can certainly do that, but this would also require having either a NAT gateway to reach the outside Lambda or a VPC endpoint for the Lambda control plane. Moreover, you will pay double for each separate Lambda invocation, and you would also want to keep an eye on the running time of the Lambdas.
can access these services easily and for free
Nothing is really free in AWS. You will have to pay for the ENI used by the VPC endpoint or for the NAT gateway. And also for the Lambda invocations.
What are the security risks?
Security-wise, you are not really missing anything.

Does private link work for a lambda function?

I have an ECS Fargate container running inside a private VPC which doesn't have internet access. It needs to invoke a Lambda via the AWS SDK. Based on my understanding, AWS creates a default public endpoint for the Lambda, and when I call the invokeLambda method the traffic will always go to the internet. If my understanding is right, that means my Fargate container won't be able to call the Lambda. Is that right?
If it is right, what is the alternative solution? The goal is that the traffic won't go to the internet in any case.
Can I create a private link endpoint for my lambda?
Or create a API gateway with VPC endpoint which connects to lambda?
If my understanding is right, that means my Fargate container won't be able to call the lambda. Is it right?
Yes. Without a NAT gateway or instance, you won't be able to directly invoke the Lambda function from a private subnet.
Can I create a private link endpoint for my lambda?
Sadly no. There are no VPC interface endpoints for Lambda.
Or create a API gateway with VPC endpoint which connects to lambda?
Yes, this should be possible by creating a private API Gateway. The private API would only be accessible from within your VPC. But API Gateway to Lambda will still probably go over the internet.
The Security Overview of AWS Lambda whitepaper writes:
Invocations from Amazon Kinesis and DynamoDB streams, SQS queues, Application Load Balancer, and API Gateway follow the request-response path.
For request-response invocations, the payload passes from the API caller—such as AWS API Gateway or the AWS SDK—to a load balancer, and then to the Lambda invoke service. This service identifies an execution environment for the function, and passes the payload to that execution environment to complete the invocation. Traffic to the load balancer passes over the internet, and is secured with TLS.

How can I make API gateway only available to my ec2 instance?

I deployed a Lambda to AWS and created an API Gateway to access it. I don't want the API Gateway to be public because the Lambda is only called from one of my EC2 instances. What is the best way to configure it to secure this API? My EC2 instance needs a public IP address since I have a DNS route configured pointing to it.
Since you are only using the AWS Lambda function from a single Amazon EC2 instance, there is no need to use API Gateway. (API Gateway is normally used to expose an API to a large number of users.)
You can instead invoke an AWS Lambda function directly:
You can use the AWS Command-Line Interface (CLI) by calling aws lambda invoke
You can also use an AWS SDK from a programming language such as Python, Java and Node.js
I would recommend using a Private API in Amazon API Gateway.
This will secure your API Gateway and make it accessible only to the resources within your VPC.
It can be further secured using security groups and a Resource Policy for the Private API.
You will need to create an Endpoint to use a Private API Gateway though.
Detailed setup -
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html
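The resource policy for such a private API is the part that actually restricts callers, so here is one as an added example (not code from the answer above): it admits execute-api:Invoke only through one named interface endpoint, and a small evaluator shows why the explicit Deny is needed. The endpoint id, API ARN and account id are constructed placeholders.

```python
import json

# Constructed placeholders: replace with your execute-api VPC endpoint and API ARN.
VPCE_ID = "vpce-0123456789abcdef0"
API_ARN = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/*"


def private_api_policy(vpce_id, api_arn):
    """Resource policy for a private API: deny any invoke that does not arrive
    through vpce_id, then allow the rest. Without the Deny statement an Allow
    on Principal "*" would admit any execute-api endpoint in any AWS account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": api_arn,
             "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}},
            {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": api_arn},
        ],
    }


def invoke_allowed(policy, source_vpce):
    """Minimal evaluation of the policy above for an execute-api:Invoke request
    whose aws:SourceVpce is source_vpce (None = request not via any endpoint).
    Mirrors IAM's rule that a matching explicit Deny beats any Allow, and that a
    negated condition (StringNotEquals) matches when the key is absent."""
    allowed = False
    for stmt in policy["Statement"]:
        expected = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:SourceVpce")
        if expected is not None and source_vpce == expected:
            continue  # condition not met, statement does not apply
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = private_api_policy(VPCE_ID, API_ARN)
    print(json.dumps(policy, indent=2))
    print(invoke_allowed(policy, VPCE_ID))      # True: came through our endpoint
    print(invoke_allowed(policy, "vpce-other"))  # False: someone else's endpoint
    print(invoke_allowed(policy, None))          # False: no endpoint at all
```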

How to make two Lambdas in different VPCs in different AWS accounts connect to each other?

I have a Lambda in a VPC in an AWS account and I have another Lambda in a VPC in another AWS account. How can I make them able to communicate with each other?
You can use the appropriate AWS SDK to invoke a Lambda (even if it is in a VPC). The Lambda making the call though, will need internet access (NAT Gateway).
The better way to do it (IMO) would be to link them via SNS. So here are some relevant links:
Using Amazon SNS for System-to-System Messaging with an AWS Lambda Function as a Subscriber
Invoke Lambda using SNS from Outside Account
You can do VPC peering from one AWS account to another AWS account, set up ACLs and have the Lambdas communicate across the AWS accounts.
You can peer the vpcs (keep in mind IP address ranges cannot overlap if you do this) or expose the lambdas using api gateway and get them to invoke each other using http requests.

AWS lambda call dynamo db through private network or bypass internet traffic

I have a lambda function which runs every 15 minutes and saves some data in DynamoDB.
Now I want to secure the DynamoDB call made by my lambda so that the request does not go via the Internet, rather through Amazon internal network. There is no EC2 instance involved here though.
I have seen a few recommendations for using PrivateLink which binds the Dynamo to VPC endpoints so that calls made from EC2 instances always go via internal network bypassing Internet.
I was wondering whether such a configuration is possible for Lambda calling DynamoDB, since Lambda itself does not run in any EC2 instance and is rather serverless?
The first thing I would say is that all of your traffic between Lambda and DynamoDB is signed and encrypted, so that's typically sufficient.
There are use cases, most typically compliance reasons, when this is not sufficient. In that case you can deploy the Lambda function into a VPC of your making and configure the VPC with a private VPC endpoint for DynamoDB. Typically, the VPC would be configured without an internet gateway or NAT so that it has no egress route to the public internet. Be aware that your Lambda function startup latency will be higher than usual, because each Lambda function environment needs to attach an ENI for access to the private endpoint.
See Configuring a Lambda Function to Access Resources in an Amazon VPC.
If you don't need to access resources in a VPC, AWS recommends not to run AWS Lambda functions in a VPC. From AWS Lambda Best Practices:
Don't put your Lambda function in a VPC unless you have to. There is no benefit outside of using this to access resources you cannot expose publicly, like a private Amazon Relational Database instance. Services like Amazon Elasticsearch Service can be secured over IAM with access policies, so exposing the endpoint publicly is safe and wouldn't require you to run your function in the VPC to secure it.
Running Lambda functions in a VPC adds additional complexity, which can negatively affect scalability and performance. Each Lambda function in a VPC needs an Elastic Network Interface (ENI). Provisioning ENIs is slow and the number of ENIs you can have is limited, so when you scale up you can run into a shortage of ENIs, preventing your Lambda functions from scaling up further.
This is one way to do it.
Step 1) Deploy your lambda inside VPC.
Step 2) Create VPC Endpoint to the DynamoDB.
This should help: https://aws.amazon.com/blogs/aws/new-vpc-endpoints-for-dynamodb/
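Creating the endpoint is only half of step 2: the route tables of the subnets the Lambda is attached to must carry the endpoint's prefix-list route, or the DynamoDB calls still leave via NAT (or fail in an isolated VPC). The check below is an added example, not code from the answer; it runs offline on constructed samples shaped like the output of `aws lambda get-function-configuration`, `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-route-tables`, and all ids are placeholders.

```python
# Added example: inputs are constructed samples, not output captured from a real account.
FUNCTION_CONFIG = {  # constructed: a Lambda attached to two subnets of one VPC
    "FunctionName": "save-metrics",
    "VpcConfig": {"VpcId": "vpc-0a1b", "SubnetIds": ["subnet-aaa", "subnet-bbb"]},
}
VPC_ENDPOINTS = [  # constructed: DynamoDB and S3 gateway endpoints in that VPC
    {"VpcEndpointId": "vpce-ddb1", "VpcId": "vpc-0a1b", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.dynamodb", "State": "available",
     "RouteTableIds": ["rtb-111"]},
    {"VpcEndpointId": "vpce-s3x", "VpcId": "vpc-0a1b", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available",
     "RouteTableIds": ["rtb-111", "rtb-222"]},
]
ROUTE_TABLES = [  # constructed: subnet-bbb's table only has a NAT default route
    {"RouteTableId": "rtb-111", "Associations": [{"SubnetId": "subnet-aaa"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationPrefixListId": "pl-ddb", "GatewayId": "vpce-ddb1"}]},
    {"RouteTableId": "rtb-222", "Associations": [{"Main": True}, {"SubnetId": "subnet-bbb"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]},
]


def subnets_without_dynamodb_endpoint(function_config, endpoints, route_tables):
    """Return the function's subnets whose route table carries no route to an
    available DynamoDB gateway endpoint in the function's VPC. From those subnets
    DynamoDB calls fall back to the NAT/internet route, or fail in an isolated VPC."""
    vpc = function_config["VpcConfig"]
    ddb_vpces = {e["VpcEndpointId"] for e in endpoints
                 if e["VpcId"] == vpc["VpcId"] and e["VpcEndpointType"] == "Gateway"
                 and e["State"] == "available" and e["ServiceName"].endswith(".dynamodb")}
    covered, explicit, main_covered = set(), set(), False
    for rt in route_tables:
        has_ddb = any(r.get("GatewayId") in ddb_vpces for r in rt["Routes"])
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId"):            # explicit subnet association
                explicit.add(assoc["SubnetId"])
                if has_ddb:
                    covered.add(assoc["SubnetId"])
            elif assoc.get("Main") and has_ddb:  # subnets with no explicit
                main_covered = True              # association use the main table
    return [s for s in vpc["SubnetIds"]
            if s not in covered and not (s not in explicit and main_covered)]


if __name__ == "__main__":
    print(subnets_without_dynamodb_endpoint(FUNCTION_CONFIG, VPC_ENDPOINTS, ROUTE_TABLES))
```

On a real account, feed the function the parsed JSON of the three CLI calls named above and fix every subnet it reports by adding that route table to the endpoint's RouteTableIds.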