Lambda function access to EC2 instance in same security group - amazon-ec2

I am trying to access my EC2 instance configured with elasticsearch from a configured lambda function.
I've added the lambda function to the same VPC and security group as the EC2 instance. I am not sure what's causing the issue.
I have EC2FullAccess permissions from the Lambda function.

The correct security configuration should be:
A security group on the Lambda function (Lambda-SG). It does not require any Inbound rules. Leave the Outbound rules as standard 'allow all'.
A security group on the EC2 instance (Elasticsearch-SG) that allows Inbound connections on the desired port (9200?) from the Lambda-SG.
That is, Elasticsearch-SG specifically allows inbound connections from Lambda-SG.
Please note that security group rules apply to each instance individually. Putting two resources 'in' the same security group does not permit access between those resources unless there is a rule that allows inbound access from itself. Thus, it is better to put different security groups on each layer of resources.
There is no need to assign EC2FullAccess permissions to the Lambda function. That is only used to call AWS to do things like launching or terminating EC2 instances.

Related

Why is my AWS Security group allowing traffic?

I thought I had an understanding of AWS security groups, but this doesn't make any sense.
I have a Lambda Function that is inside of my VPC.
It is assigned a security group (TestLambdaSG).
TestLambdaSG has inbound HTTP/HTTPS rules from IP 1.2.3.4/32
I can connect to my Lambda Function from my IP. Why?
AWS says that security groups are restrictive by default, so I shouldn't be able to connect. My Lambda function is an API in which I created a test route that returns a "Success" message.
https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-security-groups.html
The security group assigned to Lambda is only used to validate outgoing traffic; it is impossible to access the Lambda directly through a socket connection. Therefore I don't think the Lambda security group's inbound rules are of any use.
But other services such as API Gateway can invoke a Lambda. An API Gateway is publicly available by default when it is deployed.
That's why it's accessible from Postman for you.

EC2 Instance call from Lambda function

Hello, I want to call an API which is hosted on an Apache server on an AWS EC2 instance from my Lambda function.
I have configured a VPC for my Lambda function according to my EC2 server instance, with the same security groups and the same zone, but still no luck.
Thanks in advance.
It appears that your situation is:
You want to make an HTTP/S API call from an AWS Lambda function to an Amazon EC2 instance
The Lambda function has been configured to connect to the same VPC as the EC2 instance
The Lambda function is reporting that it is unable to connect to the EC2 instance
I would recommend:
Create a Security Group (let's call it Lambda-SG) in the same VPC. It does not need any rules.
Configure the Lambda function to use the Security Group (in the Network section).
Create another Security Group (let's call it EC2-SG) and associate it with the EC2 instance. Add a rule that permits inbound access on the desired port, with the source set to the ID of Lambda-SG.
That is, EC2-SG is saying that it will accept inbound connections from Lambda-SG on the desired port.
Merely putting resources in the same security group does not necessarily mean they can communicate. There needs to be a specific rule that permits the inbound access. The above method is the best way to do so.

Connect to Elasticsearch Service from Lambda in the same VPC

How can I access an Elasticsearch Service instance from a Lambda function without applying an IAM role?
You will want to configure two Security Groups:
Configure the Lambda function to use the VPC.
Create a Lambda Security Group (Lambda-SG) and configure the Lambda function to use it.
Create an ElasticSearch Security Group (ES-SG) and configure ElasticSearch to use it.
In ES-SG, add a rule to permit inbound connections from Lambda-SG on port 9300 (or whatever port your ES is using).
That is, ES-SG should refer to Lambda-SG to permit inbound connections.
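The group-to-group pattern recommended in this answer and in the earlier answers on this page, as an added example that is not code from any of the posters or from AWS: a small Python model of how security group ingress is evaluated (per instance, default-deny inbound, attached groups unioned), plus the IpPermissions shape for a rule whose source is another group's ID. All group IDs are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class IngressRule:
    port: int
    source_sg: str  # source expressed as another security group's ID, not an IP

@dataclass
class SecurityGroup:
    group_id: str
    ingress: list = field(default_factory=list)  # empty list: deny all inbound

def ingress_permission(port: int, source_sg_id: str) -> dict:
    """The IpPermissions entry handed to authorize-security-group-ingress so that
    members of source_sg_id may reach this group's members on `port`."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_sg_id}]}

def inbound_allowed(dest_groups: list, src_groups: list, port: int) -> bool:
    """Allowed only if some group attached to the destination has a rule naming
    some group attached to the source on that port; attached groups are unioned."""
    src_ids = {g.group_id for g in src_groups}
    return any(r.port == port and r.source_sg in src_ids
               for g in dest_groups for r in g.ingress)

def shared_group_no_rule() -> bool:
    """Lambda and ES 'in' the same group with no self-referencing rule: denied."""
    shared = SecurityGroup("sg-shared")  # constructed ID
    return inbound_allowed([shared], [shared], 9200)

def shared_group_self_rule() -> bool:
    """Same group, but it lists itself as a source: allowed (for every member)."""
    shared = SecurityGroup("sg-shared", [IngressRule(9200, "sg-shared")])
    return inbound_allowed([shared], [shared], 9200)

def two_groups_recommended() -> tuple:
    """Lambda-SG with no rules, ES-SG admitting Lambda-SG on 9200."""
    lambda_sg = SecurityGroup("sg-lambda")
    es_sg = SecurityGroup("sg-es", [IngressRule(9200, "sg-lambda")])
    return (inbound_allowed([es_sg], [lambda_sg], 9200),  # Lambda -> ES:9200 ok
            inbound_allowed([es_sg], [lambda_sg], 22),    # other port: denied
            inbound_allowed([lambda_sg], [es_sg], 9200))  # reverse direction: denied

def extra_group_widens_access() -> bool:
    """A second group left attached to the instance admits sources ES-SG never listed."""
    legacy_sg = SecurityGroup("sg-legacy", [IngressRule(9200, "sg-other")])
    es_sg = SecurityGroup("sg-es", [IngressRule(9200, "sg-lambda")])
    return inbound_allowed([es_sg, legacy_sg], [SecurityGroup("sg-other")], 9200)
```

The last function is the case behind the "check if there are multiple security groups attached" advice further down the page: the instance's effective rule set is the union of everything attached to it.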
You need to provide an IAM role for a Lambda function and give the IAM role access to ES.
If your Lambda runs within a VPC, you can configure the ElasticSearch access policy to an IP-based policy.
AWS does provide samples for various kinds of access policies.
IP based access policy

Amazon EC2: Security Group not respecting my custom inbound and outbound rules

So I limited my inbound and outbound in my security group policy to my IP only; however, I find that I can access it from any other IP address. Does the EC2 instance need to be restarted in order to reflect the new security group policy?
No, the instance does not need to be restarted for the security policy to apply.
You need to check if there are multiple security groups attached to the instance.

How to edit AWS EC2 instance's security groups to allow access to a lambda function only

I am running into a security related issue with AWS lambda and not sure what is the right way to resolve this.
Consider an EC2 instance A accessing the database on another EC2 instance B. If I want to restrict the accessibility of the DB on instance B to instance A only, I would modify the security group and add a custom TCP rule to allow access to only the public IP of instance A. So, this way, AWS will take care of everything and the DB server will not be accessible from any other IP address.
Now let us replace instance A with a Lambda function. Since it is no longer an instance, there is no definite IP address. So, how do I restrict access to only the Lambda function and block any other traffic?
Have the Lambda job determine its IP, and dynamically update the instance B security group, then reset the security group when done.
Until there is support for Lambda running within a VPC this is the only option. Support for that has been announced for later this year. The following quote is from the referenced link above.
Many AWS customers host microservices within a Amazon Virtual Private Cloud and would like to be able to access them from their Lambda functions. Perhaps they run a MongoDB cluster with lookup data, or want to use Amazon ElastiCache as a stateful store for Lambda functions, but don’t want to expose these resources to the Internet.
You will soon be able to access resources of this type by setting up one or more security groups within the target VPC, configure them to accept inbound traffic from Lambda, and attach them to the target VPC subnets. Then you will need to specify the VPC, the subnets, and the security groups when you create your Lambda function (you can also add them to an existing function). You’ll also need to give your function permission (via its IAM role) to access a couple of EC2 functions related to Elastic Networking.
This feature will be available later this year. I’ll have more info (and a walk-through) when we launch it.
I believe the link below will explain the Lambda permission model for you.
http://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html