AWS-Lambda-Lambda-VPC-Config

Severity: High

Description: This control ensures that the Lambda function runs in a custom VPC that is not open to the public and from which Internet access is blocked. AWS resources can be placed inside a VPC for more control over the network between those resources. The security group acts as an instance-level firewall for the resources in the VPC and should be configured to allow only the required access, blocking public access.

Remediation Steps:

Perform the following to update or remove the VPC and access rules of a Lambda function:

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

  2. Step 1: Remove Security group rules granting public access

    1. Navigate to VPC console.

    2. In the navigation pane, select Security Groups.

    3. Click on the Security Group to be modified.

    4. Under Inbound Rules, click the Edit button.

    5. Delete any rule allowing access from the source "0.0.0.0/0" or "::/0".

    6. Click Save changes to apply.

  3. Step 2: Remove routes to an Internet Gateway from the Route table

    1. Navigate to VPC console.

    2. In the navigation pane, select Route Tables.

    3. Click on the Route Table to be modified.

    4. Under Routes, click the Edit routes button.

    5. Remove any entry whose target is an Internet Gateway, usually prefixed with "igw-".

    6. Click Save changes to apply.

  4. Step 3: Update VPC for Lambda function

    1. Navigate to AWS Lambda console.

    2. In the navigation pane, select Functions.

    3. Click on the Function to be modified.

    4. Select the Configuration tab and navigate to VPC.

    5. Select the VPC from the drop-down list, the subnets from the subnet list, and the security group from the list of security groups.

    6. Click Save to apply.
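The three remediation steps above can be verified as a single check. The following Python is an added example, not part of the original control or a Blue Hexagon tool; it evaluates the control against constructed sample data shaped like the boto3 responses for the Lambda function configuration, its security groups and the route table of each subnet (all ids and CIDRs are hypothetical, and the route-table input is keyed by subnet id as a simplification of the real association list).

```python
"""Added check for the Lambda-VPC-Config control, run over constructed sample data."""
from typing import Dict, List

# Constructed sample input mimicking the response shapes of boto3's
# lambda.get_function_configuration, ec2.describe_security_groups and
# ec2.describe_route_tables; every id and CIDR below is hypothetical.
FUNCTION = {"FunctionName": "example-fn", "VpcConfig": {
    "VpcId": "vpc-0example", "SubnetIds": ["subnet-0example"],
    "SecurityGroupIds": ["sg-0example"]}}
SECURITY_GROUPS = {"sg-0example": {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}}
# keyed by subnet id -> the route table associated with that subnet (simplification)
ROUTE_TABLES = {"subnet-0example": {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]}}

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def evaluate(function: Dict, security_groups: Dict, route_tables: Dict) -> List[str]:
    """Return findings that fail the control; an empty list means it passes."""
    findings: List[str] = []
    vpc = function.get("VpcConfig") or {}
    if not vpc.get("VpcId"):
        # Step 3 of the remediation: the function must be attached to a VPC
        return ["function is not attached to a VPC"]
    # Step 1: no inbound rule may admit any source (0.0.0.0/0 or ::/0)
    for sg_id in vpc.get("SecurityGroupIds", []):
        for perm in security_groups.get(sg_id, {}).get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings += [f"{sg_id}: inbound rule open to {c}" for c in cidrs if c in PUBLIC_CIDRS]
    # Step 2: no route in the subnet's table may target an Internet Gateway (igw-*)
    for subnet_id in vpc.get("SubnetIds", []):
        for route in route_tables.get(subnet_id, {}).get("Routes", []):
            target = route.get("GatewayId", "")
            if target.startswith("igw-"):
                findings.append(f"{subnet_id}: route to Internet Gateway {target}")
    return findings


if __name__ == "__main__":
    for finding in evaluate(FUNCTION, SECURITY_GROUPS, ROUTE_TABLES):
        print("FAIL:", finding)
```

On the sample data the check reports both the public inbound rule and the Internet Gateway route; after the remediation steps it returns an empty list.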

Important:

Reference:

Blue Hexagon Proprietary