Raychaser

Reputation: 370

Lambda function in isolated VPC subnet can't access SSM parameter

I'm super confused about how to use the endpoint for SSM so that a Lambda on an isolated subnet can use ssm.GetParameter.

According to this issue I need a VPC endpoint for SSM. I tried doing that like so:

// Create a security group:
this.vpcsg = new ec2.SecurityGroup(this, 'vpc-sg', {
  vpc: this.vpc,
  allowAllOutbound: false,
  securityGroupName: 'VPCSecurityGroup'
})

// endpoint creation
this.vpcEndpointSSM = new ec2.InterfaceVpcEndpoint(this, `SSMVpcEndpoint`, {
  service: ec2.InterfaceVpcEndpointAwsService.SSM,
  vpc: this.vpc,
  subnets: { subnetType: ec2.SubnetType.ISOLATED },
  securityGroups: [this.ingressSecurityGroup]
})


// And then later I call...
this.lambdaGQLAPI = new lambda.Function(this, `LambdaAPI`, {
  code: new lambda.AssetCode(lambdaNodePath),
  vpc: this.vpc,
  vpcSubnets: { subnetType: ec2.SubnetType.ISOLATED },
  functionName: this.functions.api,
  handler: 'lambda_graphql.handler',
  memorySize: 256,
  timeout: core.Duration.minutes(2),
  runtime: lambda.Runtime.NODEJS_12_X,
  securityGroups: [props.dbSecurityGroup, this.vpcsg],
})

I have also made sure, using the policy simulator, that the Lambda function should be able to access SSM, and that checks out.

But then my function just times out trying to access SSM.

Upvotes: 3

Views: 1802

Answers (2)

John Rotenstein

Reputation: 270039

The Security Group is applied to each resource individually. Security Groups are different to subnets. Resources do not reside "inside" security groups.

Resources in the same Security Group cannot communicate with each other unless there is a specific rule in the security group that grants access from itself.

For example, the security group can have a rule that allows Inbound port 80, with the source being the same security group. This means that a resource with that security group can receive traffic from other resources that are associated with the same security group.

However, it is normally better to define two security groups:

  • One security group on the Lambda function (Lambda-SG) that permits all outbound access
  • One security group on the VPC Endpoint (Endpoint-SG) that permits inbound traffic from Lambda-SG

That is, Endpoint-SG specifically refers to Lambda-SG.

Upvotes: 3
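To make the two-group pattern (and the self-referencing single-group variant) concrete, here is an added example that is not code from the question or either answer: a small TypeScript model of how security-group rules gate traffic between the Lambda ENI and the SSM endpoint ENI on TCP 443. It is a stand-alone model, not the CDK API, and every group name and the VPC CIDR are constructed.

```typescript
// Added example, not code from the question or either answer: a small model of how
// security-group rules gate traffic between two ENIs, here the Lambda ENI and the
// SSM interface endpoint ENI on TCP 443. All names and IDs are constructed.
type Peer = { sg: string } | { cidr: string };

interface SecurityGroup {
  id: string;
  allowAllOutbound: boolean;                    // mirrors CDK's allowAllOutbound prop
  egress: Array<{ to: Peer; port: number }>;
  ingress: Array<{ from: Peer; port: number }>;
}
const VPC_CIDR = '10.0.0.0/16';                 // constructed VPC range

// A rule peer matches the other ENI if it references that ENI's security group
// or is a CIDR that covers the VPC (only the VPC range and 0.0.0.0/0 are modelled).
function peerMatches(peer: Peer, other: SecurityGroup): boolean {
  if ('sg' in peer) return peer.sg === other.id;
  return peer.cidr === VPC_CIDR || peer.cidr === '0.0.0.0/0';
}

// Traffic from src to dst on `port` flows only if src's egress rules permit it AND
// dst's ingress rules permit it. Groups are stateful, so the reply needs no rule.
function canReach(src: SecurityGroup, dst: SecurityGroup, port: number): boolean {
  const egressOk = src.allowAllOutbound ||
    src.egress.some(r => r.port === port && peerMatches(r.to, dst));
  const ingressOk = dst.ingress.some(r => r.port === port && peerMatches(r.from, src));
  return egressOk && ingressOk;
}

// 1) The question's setup: vpc-sg with allowAllOutbound:false and no egress rule on
//    the Lambda, and an endpoint group whose rules never refer to vpc-sg (the page
//    does not show ingressSecurityGroup's rules; modelled here as empty).
const askerLambdaSg: SecurityGroup = { id: 'vpc-sg', allowAllOutbound: false, egress: [], ingress: [] };
const askerEndpointSg: SecurityGroup = { id: 'ingress-sg', allowAllOutbound: true, egress: [], ingress: [] };

// 2) The two-group pattern from the answer: Lambda-SG permits all outbound and
//    Endpoint-SG permits inbound 443 from Lambda-SG by reference.
const lambdaSg: SecurityGroup = { id: 'lambda-sg', allowAllOutbound: true, egress: [], ingress: [] };
const endpointSg: SecurityGroup = {
  id: 'endpoint-sg', allowAllOutbound: true, egress: [],
  ingress: [{ from: { sg: 'lambda-sg' }, port: 443 }],
};

// 3) One shared group on both ENIs with a rule whose source is the group itself.
const sharedSg: SecurityGroup = {
  id: 'shared-sg', allowAllOutbound: true, egress: [],
  ingress: [{ from: { sg: 'shared-sg' }, port: 443 }],
};
```

Running `canReach` over the three setups shows the question's configuration failing on both the egress and ingress side, while the two-group and self-referencing layouts pass.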

maafk

Reputation: 6896

When you don't include the subnets property, it will default to creating ENIs in your private subnets only.

Try creating the SSM interface endpoint in your isolated subnets:

// SubnetSelection is an interface, so it is passed as an object literal
this.vpcEndpointSSM = new ec2.InterfaceVpcEndpoint(this, `SSMVpcEndpoint`, {
    service: ec2.InterfaceVpcEndpointAwsService.SSM,
    subnets: { subnetType: ec2.SubnetType.ISOLATED },
    vpc: this.vpc
})

Upvotes: 2
