VPC endpoints

VPC endpoints enable private connections between your VPC and supported AWS services. By using VPC endpoints, you can ensure that traffic between your Lambda function and other services does not traverse the public internet, thereby enhancing security. This is particularly useful for accessing services such as S3 or DynamoDB, which your Lambda function may need to interact with frequently.

Additionally, VPC endpoints can sometimes eliminate the need for NAT gateways. If your Lambda function only needs to access AWS services that support VPC endpoints, you can configure these endpoints to allow the function to access the services directly without requiring a NAT gateway. This can simplify your architecture, reduce costs, and further tighten security by minimizing the number of components that can access the public internet.

Traffic filtering

Traffic filtering is an essential aspect of Lambda function security within a VPC. This is typically achieved through NACLs and security groups, but it can also be augmented with AWS Network Firewall. When properly configured, these tools can significantly enhance the security of your Lambda functions.

For outbound traffic, it is vital to be restrictive. A compromised function could be used to exfiltrate data, download malicious content, or perform other unauthorized activities. Therefore, it is important to allow outbound traffic only to the necessary ports and nothing more. Whenever possible, whitelisting destination public IP addresses is recommended to further tighten security. Domain names can also be used with the more advanced filtering offered by AWS Network Firewall. This ensures that the function can only communicate with known, trusted services, reducing the risk of data leakage or other forms of compromise.

For inbound traffic, the focus should be on disallowing access to your Lambda functions via the network stack. Given that Lambda functions are event-driven, they generally do not require inbound network access. Therefore, it is a best practice to disable inbound network access altogether.

VPC flow logs

VPC flow logs capture information about the network traffic going to and from ENIs in your VPC. This data can be invaluable for monitoring and troubleshooting network behavior, as well as for conducting security audits and forensic analysis. Flow logs can be sent to CloudWatch Logs or S3 buckets for storage and analysis. It is a good practice to enable VPC flow logs to have visibility into the traffic that is leaving and reaching your Lambda functions, as well as denied connection attempts that could be an indicator of malicious activity or misconfiguration. However, it is essential to balance security needs with cost considerations, as enabling flow logs can incur additional costs.
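As an added example (not code from the original post), the following Python parses default-format (version 2) VPC flow log records and isolates the denied connection attempts on a function's ENI, which is the kind of review the paragraph above recommends. The ENI id, addresses and log lines are constructed sample values, and the ENI-to-address mapping is an assumption you would obtain from the function's configuration.

```python
from collections import Counter

# Default VPC flow log record format (version 2), space-separated fields.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample records (not real traffic); eni-0aaa... is a
# hypothetical Lambda ENI whose private address is 10.0.1.25.
SAMPLE_LOG = """\
2 123456789012 eni-0aaa111bbb222ccc3 10.0.1.25 10.0.2.40 43512 443 6 12 4821 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa111bbb222ccc3 10.0.1.25 203.0.113.9 51234 80 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaa111bbb222ccc3 10.0.1.25 198.51.100.7 51235 4444 6 5 300 1700000010 1700000070 REJECT OK
2 123456789012 eni-0aaa111bbb222ccc3 198.51.100.7 10.0.1.25 60000 22 6 1 60 1700000020 1700000080 REJECT OK
2 123456789012 eni-0aaa111bbb222ccc3 - - - - - 0 0 1700000030 1700000090 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format flow log lines into dicts keyed by FIELDS.
    NODATA/SKIPDATA records carry '-' placeholders and no action; they are
    kept so a reviewer can see gaps in coverage. Malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def rejected_flows(records, eni_addrs):
    """Return REJECT records on the given ENIs. eni_addrs maps ENI id -> its
    private IP: a record whose srcaddr is that IP is an outbound attempt the
    security group or NACL blocked, anything else is an inbound attempt."""
    out = []
    for r in records:
        own_ip = eni_addrs.get(r["interface_id"])
        if own_ip is None or r["action"] != "REJECT":
            continue
        outbound = r["srcaddr"] == own_ip
        out.append({"direction": "outbound" if outbound else "inbound",
                    "peer": r["dstaddr"] if outbound else r["srcaddr"],
                    "dstport": int(r["dstport"]), "start": int(r["start"])})
    return out


def summarize(rejects):
    """Count rejects per (direction, peer, dstport) so repeated attempts to
    the same destination stand out from one-off noise."""
    return Counter((x["direction"], x["peer"], x["dstport"]) for x in rejects)
```

Outbound rejects to unexpected ports (here 80 and 4444) are the signal the text describes for a compromised function, while inbound rejects confirm the "no inbound access" rule is doing its job.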
