Lambda function in isolated VPC subnet can't access SSM parameter

I'm super confused about how to use the endpoint for SSM so that a Lambda on an isolated subnet can use ssm.GetParameter.

According to this issue I need a VPC endpoint for SSM. I tried doing that like so:

// Create a security group. With allowAllOutbound: false and no egress rule
// added, this group permits no outbound traffic from anything that uses it.
this.vpcsg = new ec2.SecurityGroup(this, 'vpc-sg', {
  vpc: this.vpc,
  allowAllOutbound: false,
  securityGroupName: 'VPCSecurityGroup'
})

// Endpoint creation. Note that the endpoint gets this.ingressSecurityGroup,
// not the this.vpcsg group created above.
this.vpcEndpointSSM = new ec2.InterfaceVpcEndpoint(this, `SSMVpcEndpoint`, {
  service: ec2.InterfaceVpcEndpointAwsService.SSM,
  vpc: this.vpc,
  subnets: { subnetType: ec2.SubnetType.ISOLATED },
  securityGroups: [this.ingressSecurityGroup]
})

// And then later I call... The function is placed in the isolated subnets
// and attached to the database group plus this.vpcsg.
this.lambdaGQLAPI = new lambda.Function(this, `LambdaAPI`, {
  code: new lambda.AssetCode(lambdaNodePath),
  vpc: this.vpc,
  vpcSubnets: { subnetType: ec2.SubnetType.ISOLATED },
  functionName: this.functions.api,
  handler: 'lambda_graphql.handler',
  memorySize: 256,
  timeout: core.Duration.minutes(2),
  runtime: lambda.Runtime.NODEJS_12_X,
  securityGroups: [props.dbSecurityGroup, this.vpcsg],
})

I have also made sure, using the policy simulator, that the Lambda function should be able to access SSM, and that checks out, but then my function just times out trying to access SSM.

Raychaser asked Jun 13 '26 04:06

2 Answers

The Security Group is applied to each resource individually. Security Groups are different to subnets. Resources do not reside "inside" security groups.

Resources in the same Security Group cannot communicate with each other unless there is a specific rule in the security group that grants access from itself.

For example, the security group can have a rule that allows Inbound port 80, with the source being the same security group. This means that a resource with that security group can receive traffic from other resources that are associated with the same security group.

However, it is normally better to define two security groups:

  • One security group on the Lambda function (Lambda-SG) that permits all outbound access
  • One security group on the VPC Endpoint (Endpoint-SG) that permits inbound traffic from Lambda-SG

That is, Endpoint-SG specifically refers to Lambda-SG.

John Rotenstein answered Jun 14 '26 18:06
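As an added example, not part of either answer and not AWS CDK code, the TypeScript below models how AWS evaluates security-group rules per ENI (sender needs a matching egress rule, receiver needs a matching ingress rule, replies are covered by statefulness) and runs the configurations discussed on this page through it: the question's single group with `allowAllOutbound: false`, a shared group with a self-referencing inbound rule, and the Lambda-SG / Endpoint-SG pair. The IP addresses, group ids and the `canConnect` evaluator are all constructed for illustration.

```typescript
// Added example: a minimal model of AWS security-group evaluation, used to
// check the configurations discussed above. Not CDK code; all names, ids
// and addresses below are invented for the illustration.

type Peer = { kind: "sg"; id: string } | { kind: "cidr"; cidr: string };

interface Rule {
  port: number | "any";   // TCP port, or "any" for an allow-all rule
  peer: Peer;             // source for ingress rules, destination for egress rules
}

interface SecurityGroup {
  id: string;
  ingress: Rule[];
  egress: Rule[];         // an empty list models CDK's allowAllOutbound: false
}

interface Resource {      // one ENI, e.g. the Lambda's or the endpoint's
  name: string;
  ip: string;
  groups: SecurityGroup[];
}

const ANYWHERE: Peer = { kind: "cidr", cidr: "0.0.0.0/0" };

// IPv4 prefix match for CIDR-based rules.
function cidrContains(cidr: string, ip: string): boolean {
  const parts = cidr.split("/");
  const bits = Number(parts[1]);
  const toInt = (a: string) =>
    a.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((toInt(parts[0]) & mask) >>> 0) === ((toInt(ip) & mask) >>> 0);
}

// A rule's peer matches a resource either by CIDR or by group membership.
// Group membership is how "source = the same security group" or
// "source = Lambda-SG" is expressed.
function peerMatches(peer: Peer, other: Resource): boolean {
  if (peer.kind === "sg") return other.groups.some((g) => g.id === peer.id);
  return cidrContains(peer.cidr, other.ip);
}

function ruleMatches(r: Rule, port: number, other: Resource): boolean {
  return (r.port === "any" || r.port === port) && peerMatches(r.peer, other);
}

// Groups are evaluated per ENI and are stateful: the sender needs a matching
// egress rule, the receiver a matching ingress rule, and the reply needs nothing.
function canConnect(from: Resource, to: Resource, port: number): string {
  const egressOk = from.groups.some((g) => g.egress.some((r) => ruleMatches(r, port, to)));
  if (!egressOk) return `blocked: ${from.name} has no egress rule to ${to.name}:${port}`;
  const ingressOk = to.groups.some((g) => g.ingress.some((r) => ruleMatches(r, port, from)));
  if (!ingressOk) return `blocked: ${to.name} has no ingress rule from ${from.name}:${port}`;
  return "allowed";
}

// The configurations from the page, with constructed ENI addresses.
function evaluateScenarios(): Record<string, string> {
  const lambdaIp = "10.0.10.5";
  const endpointIp = "10.0.10.9";
  const results: Record<string, string> = {};

  // 1. The question: one group on both ENIs, allowAllOutbound: false, no inbound rule.
  const vpcsg: SecurityGroup = { id: "sg-vpcsg", ingress: [], egress: [] };
  results.question = canConnect(
    { name: "lambda", ip: lambdaIp, groups: [vpcsg] },
    { name: "ssm-endpoint", ip: endpointIp, groups: [vpcsg] }, 443);

  // 2. A shared group whose inbound 443 rule names the group itself as source.
  const shared: SecurityGroup = {
    id: "sg-shared",
    ingress: [{ port: 443, peer: { kind: "sg", id: "sg-shared" } }],
    egress: [{ port: "any", peer: ANYWHERE }],
  };
  results.selfReferencing = canConnect(
    { name: "lambda", ip: lambdaIp, groups: [shared] },
    { name: "ssm-endpoint", ip: endpointIp, groups: [shared] }, 443);

  // 3. Two groups: Lambda-SG permits all outbound, Endpoint-SG permits 443 from Lambda-SG.
  const lambdaSg: SecurityGroup = { id: "sg-lambda", ingress: [], egress: [{ port: "any", peer: ANYWHERE }] };
  const endpointSg: SecurityGroup = {
    id: "sg-endpoint",
    ingress: [{ port: 443, peer: { kind: "sg", id: "sg-lambda" } }],
    egress: [],   // the endpoint never initiates; replies are covered by statefulness
  };
  results.twoGroups = canConnect(
    { name: "lambda", ip: lambdaIp, groups: [lambdaSg] },
    { name: "ssm-endpoint", ip: endpointIp, groups: [endpointSg] }, 443);

  // Same two groups, but a caller outside Lambda-SG is refused by Endpoint-SG.
  const otherSg: SecurityGroup = { id: "sg-other", ingress: [], egress: [{ port: "any", peer: ANYWHERE }] };
  results.twoGroupsOtherCaller = canConnect(
    { name: "other-host", ip: "10.0.10.20", groups: [otherSg] },
    { name: "ssm-endpoint", ip: endpointIp, groups: [endpointSg] }, 443);

  return results;
}

console.log(evaluateScenarios());
```

The first scenario fails at the Lambda's own egress check, which is the effect of `allowAllOutbound: false` with no egress rule added; the two-group pattern passes for the Lambda and refuses any other caller, which is the least-privilege property the answer is after. In CDK the third scenario corresponds to a Lambda group with `allowAllOutbound: true` and an endpoint group on which you call `endpointSg.addIngressRule(lambdaSg, ec2.Port.tcp(443))`, since a `SecurityGroup` can be used directly as the peer.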


When you don't include the subnets property, it will default to creating ENIs in your private subnets only.

Try creating the SSM interface endpoint in your isolated subnets:

// SubnetSelection is an interface, so the subnet choice is an object literal
// rather than a constructor call.
this.vpcEndpointSSM = new ec2.InterfaceVpcEndpoint(this, `SSMVpcEndpoint`, {
    service: ec2.InterfaceVpcEndpointAwsService.SSM,
    subnets: { subnetType: ec2.SubnetType.ISOLATED },
    vpc: this.vpc
})

maafk answered Jun 14 '26 16:06