Why is my AWS Security group allowing traffic? - aws-lambda

I thought I had an understanding of AWS security groups, but this doesn't make any sense.
I have a Lambda Function that is inside of my VPC.
It is assigned a security group (TestLambdaSG).
TestLambdaSG has inbound HTTP/HTTPS rules from IP 1.2.3.4/32
I can connect to my Lambda Function from my IP. Why?
AWS says that security groups are restrictive by default, so I shouldn't be able to connect. My Lambda function is an API in which I created a test route that returns a "Success" message.
https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-security-groups.html

The security group assigned to a Lambda is only used to validate outgoing traffic; it is impossible to access the Lambda directly through a socket connection. Therefore I don't think the Lambda security group's inbound rules are of any use.
But other services such as API Gateway can invoke a Lambda. An API Gateway is publicly available by default when it is deployed.
That's why it's accessible from Postman for you.

Related

Connect timeout from AWS lambda to AWS codepipeline

I am trying to trigger CodePipeline from Lambda using the link below; I got the Lambda Python code from it as well.
https://aws.amazon.com/blogs/devops/adding-custom-logic-to-aws-codepipeline-with-aws-lambda-and-amazon-cloudwatch-events/
But somehow while running I am getting an exception:
Connect timeout on endpoint URL "https://codepipeline.ap-southeast-2.amazonaws.com/"
I have opened all traffic using the security group attached to the Lambda.
Please suggest what else to check here.
Thanks
Sharad
You are running your Lambda function in a VPC (as evidenced by the fact that you said it has a security group attached). A Lambda function in a VPC cannot access anything outside the VPC without a route to a NAT Gateway. A Lambda function in a VPC never gets a public IP assigned to it, so it can never use a VPC Internet Gateway directly. Thus to access anything outside your VPC, such as the AWS API to trigger a CodePipeline run, the Lambda function needs to be deployed only in subnets of your VPC that have a route to a NAT Gateway.
The alternative would be to add a VPC Endpoint for the specific AWS Service you want to access.
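A way to check the condition this answer describes before deploying, as an added example that is not code from the thread: given the subnets in a Lambda's VPC configuration, classify each subnet's default route. The input mimics the shape of the EC2 DescribeRouteTables response, but the route tables and subnet IDs below are constructed samples.

```python
"""Classify a subnet's default route to see whether a VPC Lambda placed in it can
reach public AWS endpoints. Added example; input mimics EC2 DescribeRouteTables
output and the sample data is constructed, not taken from a real account."""

def route_table_for_subnet(route_tables, subnet_id):
    """Return the route table that applies to subnet_id: the one explicitly
    associated with it, otherwise the VPC's main route table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def default_route_target(route_tables, subnet_id):
    """Return 'nat', 'igw' or 'none' depending on where 0.0.0.0/0 points.
    Only 'nat' gives a VPC Lambda internet egress: the function never gets a
    public IP, so an Internet Gateway route ('igw') does not help it."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return "none"
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue                      # blackholed routes do not count
        if route.get("NatGatewayId"):
            return "nat"
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "igw"
    return "none"

def lambda_subnets_without_egress(route_tables, subnet_ids):
    """Subnets in a Lambda's VPC config from which AWS API calls would time out."""
    return [s for s in subnet_ids if default_route_target(route_tables, s) != "nat"]

# Constructed sample: subnet-private has a NAT route, subnet-public has an IGW
# route, subnet-isolated falls back to the main table, which only has 'local'.
SAMPLE_ROUTE_TABLES = [
    {"Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123",
                 "State": "active"}]},
    {"Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123",
                 "State": "active"}]},
]
```

With a real account, the same functions can be fed the `RouteTables` list returned by boto3's `describe_route_tables` and the `SubnetIds` from the function's `VpcConfig`.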

Lambda function access to EC2 instance in same security group

I am trying to access my EC2 instance configured with Elasticsearch from a configured Lambda function.
I've added the Lambda function to the same VPC and security group as the EC2 instance. I am not sure what's causing the issue.
I have EC2FullAccess permissions on the Lambda function.
The correct security configuration should be:
A security group on the Lambda function (Lambda-SG). It does not require any Inbound rules. Leave the Outbound rules as standard 'allow all'.
A security group on the EC2 instance (Elasticsearch-SG) that allows Inbound connections on the desired port (9200?) from the Lambda-SG.
That is, Elasticsearch-SG specifically allows inbound connections from Lambda-SG.
Please note that security group rules apply to each instance individually. Putting two resources 'in' the same security group does not permit access between those resources unless there is a rule that allows inbound access from itself. Thus, it is better to put different security groups on each layer of resources.
There is no need to assign EC2FullAccess permissions to the Lambda function. That is only used to call AWS to do things like launching or terminating EC2 instances.

Why does my Lambda function timeout connecting to SES VPC Endpoint?

Since April 2020, AWS supports VPC endpoints for SES (Simple Email Service.) Despite this, I cannot get a Lambda to communicate with SES using the endpoint. It always times out. Perhaps this is because the SES VPC Endpoints are only supported for EC2 instances in the VPC and not for Lambdas?
I have my infrastructure described using Terraform, as described in this gist. ses_lambda.tf defines the infrastructure and basically implements this guide. sesTest.js is my Lambda function. terraform-show.out shows the result of terraform show limited just to the resources defined by ses_lambda.tf.
As you can see in ses_lambda.tf, the SES Endpoint's security group allows all traffic on any SMTP port (25, 465, 587, 2465, or 2587) from any IP in the VPC's CIDR block. So I'm confused about why this doesn't work...
It looks like SES VPC endpoints are SMTP endpoints not SES API endpoints. The guide is not explicit about it but it does mention SMTP ports and endpoints.
I created an endpoint and the private DNS name it produced was email-smtp.us-east-1.amazonaws.com (SMTP). SDK tries to connect to email.us-east-1.amazonaws.com (SES API).
It appears that the solution is to either use SMTP or set up a NAT Gateway.
Update: Confirming that SMTP works over the SES VPC endpoint in Lambda (as expected).
I was having difficulties with the same setup. The reality is that nzhuk98's answer is the solution, but for someone who didn't have experience with this, it did not make sense to me either.
You cannot use AWS SDK's SES methods, even if you adjust the endpoint setting to the Private DNS that was given to you after the VPC endpoint was created.
AWS SDK's SES method uses https only, and the VPC endpoint exposes only the SMTP port of the SES Service. Therefore, you need to opt-out from using AWS SDK completely and switch to something like Nodemailer.
This is what I did: https://nodemailer.com/smtp/#1-single-connection
I hope this is useful for the next person that is looking for this.
When I hear AWS timeout issues, the first thing I check is always IAM. Does the Lambda function have an IAM Policy and Execution Role that grants the appropriate permissions to access SES within your account?
https://aws.amazon.com/premiumsupport/knowledge-center/lambda-send-email-ses/

EC2 Instance call from lamda function

Hello, I want to call an API which is hosted on an Apache server on an AWS EC2 instance from my Lambda function.
I have configured the VPC for my Lambda function according to my EC2 server instance, with the same security groups and same zone, but still no luck.
Thanks in advance.
It appears that your situation is:
You want to make an HTTP/S API call from an AWS Lambda function to an Amazon EC2 instance
The Lambda function has been configured to connect to the same VPC as the EC2 instance
The Lambda function is reporting that it is unable to connect to the EC2 instance
I would recommend:
Create a Security Group (let's call it Lambda-SG) in the same VPC. It does not need any rules.
Configure the Lambda function to use the Security Group (in the Network section)
Create another Security Group (let's call it EC2-SG) and associate it with the EC2 instance. Add a rule that permits inbound access on the desired port, with the source set to the ID of Lambda-SG.
That is, EC2-SG is saying that it will accept inbound connections from Lambda-SG on the desired port.
Merely putting resources in the same security group does not necessarily mean they can communicate. There needs to be a specific rule that permits the inbound access. The above method is the best way to do so.

Connect to Elasticsearch Service from Lambda in the same VPC

How can I access an Elasticsearch Service instance from a Lambda function without applying an IAM role?
You will want to configure two Security Groups:
Configure the Lambda function to use the VPC.
Create a Lambda Security Group (Lambda-SG) and configure the Lambda function to use it.
Create an ElasticSearch Security Group (ES-SG) and configure ElasticSearch to use it.
In ES-SG, add a rule to permit inbound connections from Lambda-SG on port 9300 (or whatever port your ES is using).
That is, ES-SG should refer to Lambda-SG to permit inbound connections.
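The Lambda-SG / ES-SG pattern in this answer, and the identical Lambda-SG / EC2-SG advice in the two EC2 answers above, come down to one test: does the target group contain an inbound rule whose source is the Lambda's group ID? The added example below (not code from the thread) evaluates that test over data shaped like the EC2 DescribeSecurityGroups response; the group IDs and rules are constructed samples.

```python
"""Decide whether a target security group admits TCP traffic from a source
security group. Added example; input mimics EC2 DescribeSecurityGroups output
and the sample groups are constructed, not real."""

def rule_matches_port(perm, port):
    """True if an IpPermissions entry covers TCP `port` (or is all-traffic)."""
    proto = str(perm.get("IpProtocol", ""))
    if proto == "-1":
        return True                      # all protocols, all ports
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def sg_allows_ingress(target_sg, source_sg_id, port):
    """Does target_sg have an inbound rule whose source is source_sg_id?
    Membership alone is irrelevant: when target and source are the same group,
    access still requires a rule listing the group's own ID as the source."""
    for perm in target_sg.get("IpPermissions", []):
        if not rule_matches_port(perm, port):
            continue
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == source_sg_id:
                return True
    return False

def diagnose(target_sg, source_sg_id, port):
    """Verdict for a Lambda (in source_sg_id) connecting to a resource in target_sg."""
    if sg_allows_ingress(target_sg, source_sg_id, port):
        return "allowed"
    if target_sg["GroupId"] == source_sg_id:
        return "blocked: same group, but no rule with the group itself as source"
    return "blocked: no inbound rule from %s on port %d" % (source_sg_id, port)

# Constructed sample: Lambda-SG has no inbound rules (it needs none); ES-SG
# admits 9200 from Lambda-SG only; Shared-SG is attached to both the Lambda
# and the instance but carries no rule referencing itself.
LAMBDA_SG = {"GroupId": "sg-lambda", "IpPermissions": []}
ES_SG = {"GroupId": "sg-es", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
     "UserIdGroupPairs": [{"GroupId": "sg-lambda"}]}]}
SHARED_SG = {"GroupId": "sg-shared", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "1.2.3.4/32"}]}]}
```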
You need to provide an IAM role for a Lambda function and give the IAM role access to ES.
If your Lambda runs within a VPC, you can configure the ElasticSearch access policy to an IP-based policy.
AWS does provide samples for various kinds of access policies.
IP-based access policy
