Reputation: 179
Is it possible for an AWS Lambda service inside a VPC to access the Elasticsearch service inside the same VPC without applying AWSLambdaVPCAccessExecutionRole? I don't know whether it's possible or not. Please tell me the procedure if anyone knows.
Upvotes: 1
Views: 5153
Reputation: 13108
To access resources within your VPC you need to specify subnets and/or security groups for your Lambda function, as described in the official documentation.
Subnets determine the VPC and AZ your function will run in (or at least where its Elastic Network Interface, ENI, will be created). The associated security groups determine which ports of other resources in your VPC can be accessed.
As to your AWSLambdaVPCAccessExecutionPolicy the documentation states:
AWSLambdaVPCAccessExecutionRole – Grants permissions for Amazon Elastic Compute Cloud (Amazon EC2) actions to manage elastic network interfaces (ENIs). If you are writing a Lambda function to access resources in a VPC in the Amazon Virtual Private Cloud (Amazon VPC) service, you can attach this permissions policy. The policy also grants permissions for CloudWatch Logs actions to write logs.
I don't have access to my account currently, but google tells me that the policy document looks something like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "*"
        }
    ]
}
This means that the Policy grants the permission to create the aforementioned Elastic Network Interface in your VPC and as such would be necessary, because without a Network Interface inside the VPC you can't get access to these private resources.
Upvotes: 2
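As an added example (not part of the answer above), a small checker that takes the policy documents attached to a Lambda execution role and reports which of the three ENI actions from the quoted policy are still missing, so you can see whether a VPC-configured function will be able to create its network interface. It assumes the required set is exactly those three actions and simplifies IAM evaluation to "explicit Deny beats Allow, wildcards in action names are honoured"; the sample policy is constructed.

```python
import fnmatch
import json

# The ENI-management actions that appear in the AWSLambdaVPCAccessExecutionRole
# policy quoted in the answer. A function with VPC subnets/security groups
# configured needs its execution role to allow these (assumption: exactly these).
REQUIRED_ENI_ACTIONS = (
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
)


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource/Statement."""
    return [value] if isinstance(value, str) else list(value or [])


def action_allowed(policy_docs, action):
    """Return True if the combined policy documents allow `action`.
    Simplified IAM semantics: an explicit Deny wins over any Allow, and
    action names match case-insensitively with '*' / '?' wildcards."""
    allowed = False
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement")):
            patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def missing_eni_actions(policy_docs):
    """List the ENI actions a Lambda execution role still lacks."""
    return [a for a in REQUIRED_ENI_ACTIONS if not action_allowed(policy_docs, a)]


# Constructed sample: a role that only carries the CloudWatch Logs permissions,
# i.e. basic execution without the VPC additions. All three ENI actions are missing.
LOGS_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                            "logs:PutLogEvents"],
                 "Resource": "*"}]
}""")
```

Feed it the inline policies from `get-role-policy` plus the documents of every managed policy attached to the role; an empty result means the ENI prerequisite is satisfied.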