I have a database running on an EC2 instance in a public subnet.
I would like to protect the EC2 instance so it can only be accessed from the lambdas.
I do not want to attach the lambda through an ENI as it is not a scalable solution, due to the ENI that must be created to allow the lambda access to the VPC.
I had in mind to use a NACL and to only allow inbound traffic from the ip range of the AWS lambda service, but I do not know how often AWS could update its IP ranges.
Please any suggestions regarding security issues will be welcomed
Whitelisting AWS Lambda IP range won't work since we don't have any control over the IP range when Lambda is outside the VPC.
If you are keeping the EC2 in a public subnet there is hardly any approach available to restrict to requests only for Lambda unless you put the Lambda function inside the VPC.
If you can use AWS RDS for the database it is now possible to restrict access via IAM (AWS recently introduced this).
Related
I have an RDS in one AWS Account - say Acct-1.
The RDS is public (i know it's not a good idea and there are other solutions for that)
I have a lambda in another AWS Account - say Acct-2 which runs in a VPC.
I have setup VPC peering between the 2 accounts, the route table entries are in place as well as the security groups IN/OUT bound policies in place.
In Acct-2 I can verify that I can connect to the RDS instance in Acct-1 using a mysql cient from an EC2 instance. The EC2 instance is in the same subnet as the Lambda and they both have the same security group.
But the Lambda gets a timeout connection. The Lambda has the typical Lambda execution role that Allows logs, and network interfaces.
Thoughts on what could be missing ? Does the RDS need to grant specific access to the Lambda service even if it's running in a VPC ?
Clarification: There is no route to the RDS instance from the internet. Clearly, the ec2 host is able to resolve the Private IP for the RDS instance from the DNS name and connect.
Lambda is unable to resolve the private IP for the RDS instance.
I'm trying to keep the traffic within AWS so as to not pay egress costs.
I'm working on an serverless application the works with a database in RDS. For security reasons, both the application (Lambda) and the database are located in a private subnet in a VPC.
I also want to access AWS services from the application - for example, I would like to access secret manager to obtain database credentials, put an rule in EventBridge and use STS service.
I know that I can use VPC endpoints and deploy interface endpoint in my VPC for each service of interest.
My question is as follows - the sole reason that the application is in the private subnet is database access. Why shouldn't I just create another lambda, that is not my VPC and can access these services easily and for free and just invoke it from my main application?
What are the security risks? What am I missing?
Thanks
If I understand correctly, you would want to create another Lambda which runs outside of the VPC and be invoked by the Lambda which is inside the VPC.
Well you can certainly do that, but this also would require to have either a NAT gateway to have access to the outside Lambda or a VPC endpoint for the Lambda control-plane. Moreover, you will double pay for each separate Lambda invocations, and you also would want to keep an eye on the running time of the Lambdas.
can access these services easily and for free
Nothing is really free in AWS. You will have to pay for the ENI used by the VPC endpoint or for the NAT gateway. And also for the Lambda invocations.
What are the security risks?
Security-wise, you are not really missing anything.
We have multiple AWS accounts for various departments. I want to give a Lambda function in one account access to an RDS instance in another.
If the Lambda function is not assigned to a VPC and the RDS is publicly accessible is there a way to limit the access to the RDS to only the Lambda function?
Is there a way to do this if the RDS instance is private and the Lambda function is not assigned to a VPC?
As best practice you should always keep your db in private subnet WITHOUT public ip and access. And then in your case assume all your AWS accounts are in a single organisation, you can share the subnets that the RDS located in account A to account B by https://aws.amazon.com/premiumsupport/knowledge-center/vpc-share-subnet-with-another-account/
Then in account B you config the Lambda to sit in the shared subnets from A, and set security group of Lambda functions, and in RDS instance security group you only allow connection from Lambda's security group, then all set.
May I know why you don't want to put Lambda into VPC? If you have concerns on Lambda cold start performance issue in VPC, notice that AWS already solve that in late 2019: https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/
Public Amazon RDS database
If the Lambda function is not assigned to a VPC, then it is connected to the Internet. It can then connect to a publicly-available RDS database. However, there is no way to predict the IP address that will be used by the Lambda function.
Private Amazon RDS database
If the RDS database is only available within a VPC, then the Lambda function needs to be somehow connected to the VPC. Since the Lambda function is in a different AWS Account, you might be able to try:
VPC Peering to make the RDS database in one account accessible to the Lambda function in a different account
Shared VPCs: "In a shared VPC, each participant pays for their application resources including Amazon EC2 instances, Amazon Relational Database Service databases, Amazon Redshift clusters, and AWS Lambda functions."
The Shared VPC looks like it might be a great option for you, since (it seems) the AWS Lambda function from Account A could be placed into the same VPC as an Amazon RDS database from Account B.
See also: VPC sharing: A new approach to multiple accounts and VPC management | Networking & Content Delivery
Let us know if it worked for you!
I have a lambda function which runs every 15 minutes and saves some data in DynamoDB.
Now I want to secure the DynamoDB call made by my lambda so that the request does not go via the Internet, rather through Amazon internal network. There is no EC2 instance involved here though.
I have seen a few recommendations for using PrivateLink which binds the Dynamo to VPC endpoints so that calls made from EC2 instances always go via internal network bypassing Internet.
I was wondering such a configuration is possible for lamda calling DynamoDB since lamda itself does not run in any EC2 instance and is rather serverless?
The first thing I would say is that all of your traffic between Lambda and DynamoDB is signed and encrypted, so that's typically sufficient.
There are use cases, most typically compliance reasons, when this is not sufficient. In that case you can deploy the Lambda function into a VPC of your making and configure the VPC with a private VPC endpoint for DynamoDB. Typically, the VPC would be configured without an internet gateway or NAT so that it has no egress route to the public internet. Be aware that your Lambda function startup latency will be higher than usual, because each Lambda function environment needs to attach an ENI for access to the private endpoint.
See Configuring a Lambda Function to Access Resources in an Amazon VPC.
If you don't need to access resources in a VPC, AWS recommends not to run AWS Lambda functions in a VPC. From AWS Lambda Best Practices:
Don't put your Lambda function in a VPC unless you have to. There is no benefit outside of using this to access resources you cannot expose publicly, like a private Amazon Relational Database instance. Services like Amazon Elasticsearch Service can be secured over IAM with access policies, so exposing the endpoint publicly is safe and wouldn't require you to run your function in the VPC to secure it.
Running Lambda functions in VPC adds additionally complexity, which can negatively effect scalability and performance. Each Lambda function in a VPC needs an Elastic Network Interface (ENI). Provisioning ENI's is slow and the amount of ENI's you can have is limited, so when you scale up you can run into a shortage of ENI's, preventing your Lambda functions to scale up further.
This is one way to do it.
Step 1) Deploy your lambda inside VPC.
Step 2) Create VPC Endpoint to the DynamoDB.
This should help: https://aws.amazon.com/blogs/aws/new-vpc-endpoints-for-dynamodb/
I need to connect dynamoDb and elasticache from aws-lambda (otherthan using NAT Gateway).
ElastiCache provides essential caching methods along with help in making the Lambda state-ful. The concern is that for Lambda to work nice with DynamoDB it should be set to NoVPC.
If we have to use ElastiCache, Lambda and both have to be in the same VPC.TO use Both ElastiCache and DynamoDB together is quite a challenge specially with Lambda. Given the VPC challenges.Do you have any suggestions to make this easier?
A Lambda function would have to have VPC access to connect to ElastiCache, and it would have to have access to resources outside the VPC to access DynamoDB so it would require a NAT gateway. There is no way to provide access to both of those services to a single Lambda function without enabling VPC access and setting up a NAT gateway.
If you just need a Redis server and aren't required specifically to use ElasiCache, then you could use a RedisLabs instance which wouldn't require you to enable VPC access on your Lambda function.
There is now a relatively easy solution for DynamoDb access from a VPC: VPC Endpoints.
"Previously, if you wanted your EC2 (elroy: or lambda) instances in your VPC to be able to access DynamoDB, you had two options. You could use an Internet Gateway (with a NAT Gateway or assigning your instances public IPs) or you could route all of your traffic to your local infrastructure via VPN or AWS Direct Connect and then back to DynamoDB."
"A VPC endpoint for DynamoDB enables Amazon EC2 instances in your VPC to use their private IP addresses to access DynamoDB with no exposure to the public Internet...Your EC2 instances do not require public IP addresses, and you do not need an Internet gateway, a NAT device, or a virtual private gateway in your VPC. You use endpoint policies to control access to DynamoDB. Traffic between your VPC and the AWS service does not leave the Amazon network. "
The above quotes come from the links below. Note the the references to "EC2 instances" apply to lambda contexts as well.
See https://aws.amazon.com/blogs/aws/new-vpc-endpoints-for-dynamodb/
and
http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/vpc-endpoints-dynamodb.html