mandeep_m91 February 2016

How to edit AWS EC2 instance's security groups to allow access to a lambda function only

I am running into a security related issue with AWS lambda and not sure what is the right way to resolve this.

Consider an EC2 instance A accessing the database on another EC2 instance B. If I want to restrict the accessibility of the DB on instance B to instance A only, I would modify the security group and add a custom TCP rule to allow access to only the public IP of instance A. So, this way, AWS will take care of everything and the DB server will not be accessible from any other IP address.

Now let us replace instance A by a lambda function. Since it is no longer an instance, there is no definite IP address. So, how do I restrict access to only the lambda function and block any other traffic?

Answers


Paul Dunlop February 2016

I believe the below link will explain the Lambda permission model for you.

http://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html


Rodrigo M February 2016

Have the Lambda job determine its IP, and dynamically update the instance B security group, then reset the security group when done.

Until there is support for Lambda running within a VPC this is the only option. Support for that has been announced for later this year. The following quote is from the referenced link above.

Many AWS customers host microservices within an Amazon Virtual Private Cloud and would like to be able to access them from their Lambda functions. Perhaps they run a MongoDB cluster with lookup data, or want to use Amazon ElastiCache as a stateful store for Lambda functions, but don’t want to expose these resources to the Internet.

You will soon be able to access resources of this type by setting up one or more security groups within the target VPC, configure them to accept inbound traffic from Lambda, and attach them to the target VPC subnets. Then you will need to specify the VPC, the subnets, and the security groups when you create your Lambda function (you can also add them to an existing function). You’ll also need to give your function permission (via its IAM role) to access a couple of EC2 functions related to Elastic Networking.

This feature will be available later this year. I’ll have more info (and a walk-through) when we launch it.
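The workaround in the answer above (discover the function's egress IP, open the instance B security group for that /32, do the work, then revoke the rule) as an added example; this is not code from the thread or from AWS. It assumes a group id and port arrive in the event, that the function's IAM role may call ec2:AuthorizeSecurityGroupIngress and ec2:RevokeSecurityGroupIngress, and that `query_database` is a hypothetical placeholder for the real work; the revoke sits in a `finally` because the egress IP is a shared NAT address, so the rule must never be left open.

```python
"""Temporarily admit a Lambda function's current public IP to an EC2 security group."""
import contextlib
import urllib.request

# Public echo service that returns the caller's public IP as plain text.
ECHO_URL = "https://checkip.amazonaws.com"


def current_public_ip(url=ECHO_URL):
    """Ask an external echo service which address our traffic leaves from."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode().strip()


def ingress_rule(ip, port, proto="tcp"):
    """Build the IpPermissions entry for one /32 source on one port."""
    return [{"IpProtocol": proto, "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": f"{ip}/32"}]}]


@contextlib.contextmanager
def temporary_ingress(ec2, group_id, ip, port):
    """Authorize the rule on entry and revoke the identical rule on exit, even on error."""
    perms = ingress_rule(ip, port)
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=perms)
    try:
        yield perms
    finally:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms)


def run_with_access(ec2, group_id, port, work, ip=None):
    """Run `work()` while the group admits `ip`; returns whatever `work` returns."""
    ip = ip or current_public_ip()
    with temporary_ingress(ec2, group_id, ip, port):
        return work()


def query_database():
    # Hypothetical placeholder for the real connection to instance B.
    return "db work done"


def handler(event, context):
    """Lambda entry point; boto3 is imported here so the helpers stay testable offline."""
    import boto3
    ec2 = boto3.client("ec2")
    return run_with_access(ec2, event["group_id"], int(event["port"]), query_database)
```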

Post Status

Asked in February 2016
Viewed 3,267 times
Voted 7
Answered 2 times
