πŸ›‘οΈ AWS Lambda Function is not in multiple Availability Zones🟒

  • Contextual name: 🛡️ Function is not in multiple Availability Zones 🟢
  • ID: /ce/ca/aws/lambda/function-multi-az
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY

Description

This policy identifies AWS Lambda Functions that are not configured to use subnets across multiple Availability Zones (AZs). When a Lambda function is connected to a Virtual Private Cloud (VPC), it depends on the VPC’s networking infrastructure. To ensure high availability, the function should be able to fail over to another AZ in the event of a zonal outage.

Rationale

If a Lambda function is configured to use subnets in only a single AZ, any disruption affecting that zone can result in function unavailability. Configuring subnets across multiple AZs allows the Lambda service to automatically route execution to an available zone, improving resilience and maintaining application availability.

Audit

This policy flags an AWS Lambda Function as INCOMPLIANT when the number of associated AWS Lambda Function Subnet Links is fewer than two.

Lambda functions that are not attached to a VPC are marked as INAPPLICABLE and are covered by the AWS Lambda Function is not in a VPC policy.


Remediation

Configure Lambda Function Subnets Across Multiple AZs

Update the Lambda function’s VPC configuration to include subnets from at least two different Availability Zones. This ensures that the Lambda service can continue executing the function if one AZ becomes unavailable.

From Command Line

Use the update-function-configuration command and specify subnets from multiple AZs in the --vpc-config parameter:

aws lambda update-function-configuration \
    --function-name {{function-name}} \
    --vpc-config SubnetIds={{subnet-id-1}},{{subnet-id-2}},SecurityGroupIds={{sg-id}}

Notes
  • Ensure that the specified subnets reside in different Availability Zones.
  • Select subnets with network access to required resources such as Amazon RDS, ElastiCache, or internal services.
  • Verify that the associated security group allows the necessary inbound and outbound traffic.
  • If the function requires outbound internet access, ensure the subnets are configured with a NAT Gateway.
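
The audit and remediation steps above, worked through as an added example (not Cloudaware's policy.yaml or any AWS code). It goes slightly beyond the page's subnet-link count by judging compliance on distinct Availability Zones, so two subnets in the same AZ are still flagged; the subnet-to-AZ map and function configurations are constructed sample data in the shape of the AWS API responses, and the hypothetical helpers build the update-function-configuration command from the Remediation section:

```python
"""Check Lambda functions for multi-AZ subnet coverage and build the fix.
Added example, not Cloudaware's policy.yaml; the sample data is constructed
and shaped like AWS API output (in practice it would come from boto3 calls)."""
COMPLIANT, INCOMPLIANT, INAPPLICABLE = "COMPLIANT", "INCOMPLIANT", "INAPPLICABLE"

# Constructed: SubnetId -> AvailabilityZone, as in ec2 describe-subnets Subnets[].
SUBNET_AZ = {"subnet-0aaa": "us-east-1a", "subnet-0bbb": "us-east-1b",
             "subnet-0ccc": "us-east-1a"}
# Constructed: trimmed lambda get-function-configuration results.
FUNCTIONS = [
    {"FunctionName": "orders-api", "VpcConfig": {
        "SubnetIds": ["subnet-0aaa", "subnet-0bbb"], "SecurityGroupIds": ["sg-0111"]}},
    {"FunctionName": "nightly-report", "VpcConfig": {
        "SubnetIds": ["subnet-0aaa"], "SecurityGroupIds": ["sg-0111"]}},
    {"FunctionName": "same-az-twice", "VpcConfig": {
        "SubnetIds": ["subnet-0aaa", "subnet-0ccc"], "SecurityGroupIds": ["sg-0111"]}},
    {"FunctionName": "no-vpc", "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": []}},
]

def evaluate(fn, subnet_az, min_azs=2):
    """Status judged by distinct AZs, not subnet count: two subnets in one AZ still fail."""
    subnet_ids = fn.get("VpcConfig", {}).get("SubnetIds") or []
    if not subnet_ids:
        return INAPPLICABLE  # not VPC-attached; the "not in a VPC" policy covers it
    azs = {subnet_az[s] for s in subnet_ids if s in subnet_az}  # unknown ids ignored
    return COMPLIANT if len(azs) >= min_azs else INCOMPLIANT

def pick_multi_az_subnets(fn, subnet_az):
    """Keep the current subnets and add one subnet for each AZ not yet covered."""
    chosen = list(fn.get("VpcConfig", {}).get("SubnetIds") or [])
    covered = {subnet_az[s] for s in chosen if s in subnet_az}
    for subnet_id, az in sorted(subnet_az.items()):
        if az not in covered:
            chosen.append(subnet_id)
            covered.add(az)
    return chosen

def remediation_command(fn, subnet_az):
    """The update-function-configuration call from the Remediation section above."""
    subnets = ",".join(pick_multi_az_subnets(fn, subnet_az))
    sgs = ",".join(fn["VpcConfig"]["SecurityGroupIds"])  # keep existing security groups
    return (f"aws lambda update-function-configuration --function-name "
            f"{fn['FunctionName']} --vpc-config SubnetIds={subnets},SecurityGroupIds={sgs}")

def audit(functions, subnet_az):
    """Map each function name to its policy status."""
    return {fn["FunctionName"]: evaluate(fn, subnet_az) for fn in functions}
```

Before running the generated command for real, confirm the added subnet has a route to the resources and NAT Gateway the function needs, as the Notes above require.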


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
--- | --- | --- | --- | --- | ---
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Lambda.5] VPC Lambda functions should operate in multiple Availability Zones | | | 1 | | no data
💼 Cloudaware Framework → 💼 System Configuration | 6 | | 1 | | no data
💼 FedRAMP High Security Controls → 💼 CP-6(2) Recovery Time and Recovery Point Objectives (H) | | | 15 | | no data
💼 FedRAMP High Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) | 2 | | 15 | | no data
💼 FedRAMP Low Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) | | | 15 | | no data
💼 FedRAMP Moderate Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) | 1 | | 15 | | no data
💼 NIST CSF v2.0 → 💼 PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations | | | 18 | | no data
💼 NIST CSF v2.0 → 💼 RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process | | | 15 | | no data
💼 NIST CSF v2.0 → 💼 RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed | | | 15 | | no data
💼 NIST CSF v2.0 → 💼 RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed | | | 15 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-6(2) Alternate Storage Site _ Recovery Time and Recovery Point Objectives | | | 15 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-10 System Recovery and Reconstitution | 6 | | 15 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy | | | 16 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-36 Distributed Processing and Storage | 2 | | 9 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-13(5) Predictable Failure Prevention _ Failover Capability | | | 14 | | no data