AWS Certified SysOps Administrator - Associate Exam: Configuring VPCs for Development Team and Lambda Functions

Configuring VPCs for Development Team and Lambda Functions

Question

A start-up firm has created four VPCs (VPC-1, VPC-2, VPC-3 and VPC-4) for deploying its AWS resources.

VPC-3 & VPC-4 are used for production environments while VPC-1 & VPC-2 are used for test environments.

The Development Team needs to test a new serverless web application using AWS Lambda.

The IT Head wants you to ensure that Development team users only use VPC-1 & VPC-2 for Lambda functions and that no resources are used from VPC-3 & VPC-4. Which of the following settings can be configured to meet this requirement?

Answers

A. Use IAM Condition keys to specify VPC to be used by Lambda function.

B. Specify VPC ID of VPC-1 & VPC-2 to be used as input parameters to the CreateFunction request.

C. Deny VPC ID of VPC-3 & VPC-4 to be denied as input parameter to the CreateFunction request.

D. Use IAM "aws:SourceVpce" to specify VPC to be used by Lambda function.

Explanations

Correct Answer: A.

AWS Lambda supports IAM condition keys that add permission controls over the VPC settings of a Lambda function.

The following condition keys are supported in IAM policies:

a. lambda:VpcIds - To allow or deny specific VPCs to be used by Lambda functions.

b. lambda:SubnetIds - To allow or deny specific subnets in a VPC to be used by Lambda functions.

c. lambda:SecurityGroupIds - To allow or deny specific security groups to be used by Lambda functions.

Options B & C are incorrect because a VPC ID cannot be specified or denied as an input parameter to the Lambda function.

Option D is incorrect because "aws:SourceVpce" is not supported by Lambda.

For more information on specifying a VPC for a Lambda function, refer to the following URL:

https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html
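An IAM policy that implements option A with the lambda:VpcIds condition key, added here as an illustration (it is not part of the exam explanation or of AWS's documentation); it is meant to be attached to the Development team's IAM users or roles alongside their normal Lambda permissions, and the two VPC IDs are placeholders to replace with the real IDs of VPC-1 and VPC-2.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLambdaFunctionsWithoutVpc",
      "Effect": "Deny",
      "Action": [
        "lambda:CreateFunction",
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "lambda:VpcIds": "true"
        }
      }
    },
    {
      "Sid": "DenyLambdaFunctionsOutsideTestVpcs",
      "Effect": "Deny",
      "Action": [
        "lambda:CreateFunction",
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "lambda:VpcIds": [
            "vpc-PLACEHOLDER-VPC-1",
            "vpc-PLACEHOLDER-VPC-2"
          ]
        }
      }
    }
  ]
}
```

The first statement blocks functions that have no VPC configuration at all; drop it if functions outside any VPC are acceptable for the team. The second denies any VPC other than VPC-1 and VPC-2, and including UpdateFunctionConfiguration prevents a function from being moved into VPC-3 or VPC-4 after it has been created.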

The requirement is to ensure that the Development team users only use VPC-1 & VPC-2 for Lambda functions and no resources are being used from VPC-3 & VPC-4. To achieve this, the following settings can be configured:

A. Use IAM Condition keys to specify VPC to be used by Lambda function.

IAM Condition keys can be used to specify VPCs to be used by Lambda functions. This can be achieved by defining a condition in the IAM policy attached to the IAM role used by the Lambda function. The condition should include the VPC IDs of VPC-1 and VPC-2, and should deny access to VPC-3 and VPC-4. This ensures that the Lambda function can only be executed within VPC-1 and VPC-2 and not in VPC-3 and VPC-4.

B. Specify VPC ID of VPC-1 & VPC-2 to be used as input parameters to the CreateFunction request.

When creating a new Lambda function, the VPC ID of VPC-1 and VPC-2 can be specified as input parameters to the CreateFunction request. This ensures that the Lambda function is only created within VPC-1 and VPC-2 and not in VPC-3 and VPC-4.

C. Deny VPC ID of VPC-3 & VPC-4 to be denied as input parameter to the CreateFunction request.

When creating a new Lambda function, the VPC ID of VPC-3 and VPC-4 can be denied as input parameters to the CreateFunction request. This ensures that the Lambda function is not created within VPC-3 and VPC-4.

D. Use IAM "aws:SourceVpce" to specify VPC to be used by Lambda function.

IAM "aws:SourceVpce" can be used to specify the VPCs to be used by the Lambda function. This can be achieved by defining a condition in the IAM policy attached to the IAM role used by the Lambda function. The condition should include the VPC IDs of VPC-1 and VPC-2, and should deny access to VPC-3 and VPC-4. This ensures that the Lambda function can only be executed within VPC-1 and VPC-2 and not in VPC-3 and VPC-4.

Out of the above options, options A, B, and D are valid ways to meet the requirement. Option C is not a valid way to meet the requirement because it does not specify the VPCs to be used by the Lambda function but instead denies the VPCs that should not be used.