AWSSupport-TroubleshootLambdaInternetAccess
Description
The AWSSupport-TroubleshootLambdaInternetAccess runbook helps you troubleshoot internet access issues for an AWS Lambda function that was launched into an Amazon Virtual Private Cloud (Amazon VPC). Resources such as subnet routes, security group rules, and network access control list (ACL) rules are reviewed to confirm that outbound internet access is allowed.
Document type
Automation
Owner
Amazon
Platforms
Linux, macOS, Windows
Parameters
- AutomationAssumeRole
  Type: String
  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
- FunctionName
  Type: String
  Description: (Required) The name of the Lambda function you want to troubleshoot internet access for.
- destinationIp
  Type: String
  Description: (Required) The destination IP address you want to establish an outbound connection to.
- destinationPort
  Type: String
  Default: 443
  Description: (Optional) The destination port you want to establish an outbound connection on.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to use the runbook successfully.
- lambda:GetFunction
- ec2:DescribeRouteTables
- ec2:DescribeNatGateways
- ec2:DescribeSecurityGroups
- ec2:DescribeNetworkAcls
Document Steps
- aws:executeScript - Verifies the configuration of various resources in the VPC where the Lambda function was launched.
- aws:branch - Branches based on whether the specified Lambda function is in a VPC or not.
- aws:executeScript - Reviews the route table routes for the subnet where the Lambda function was launched, and verifies that routes to a network address translation (NAT) gateway and an internet gateway are present. Confirms the Lambda function is not in a public subnet.
- aws:executeScript - Verifies that the security group associated with the Lambda function allows outbound internet access based on the values specified for the destinationIp and destinationPort parameters.
- aws:executeScript - Verifies that the ACL rules associated with the subnets of the Lambda function and the NAT gateway allow outbound internet access based on the values specified for the destinationIp and destinationPort parameters.
Outputs
checkVpc.vpc - The ID of the VPC where your Lambda function was launched.
checkVpc.subnet - The IDs of the subnets where your Lambda function was launched.
checkVpc.securityGroups - Security groups associated with the Lambda function.
checkNACL.NACL - Analysis message with resource names. LambdaIp refers to the private IP address of the elastic network interface for your Lambda function. The LambdaIpRules object is only generated for subnets that have a route to a NAT gateway. The following content is an example of the output.
{
  "subnet-1234567890": {
    "NACL": "acl-1234567890",
    "destinationIp_Egress": "Allowed",
    "destinationIp_Ingress": "notAllowed",
    "Analysis": "This NACL has an allow rule for Egress traffic but there is no Ingress rule. Please allow the destination IP / destionation port in Ingress rule",
    "LambdaIpRules": {
      "{LambdaIp}": {
        "Egress": "notAllowed",
        "Ingress": "notAllowed",
        "Analysis": "This is a NAT subnet NACL. It does not have ingress or egress rule allowed in it for Lambda's corresponding private ip {LambdaIp} Please allow this IP in your egress and ingress NACL rules"
      }
    }
  },
  "subnet-0987654321": {
    "NACL": "acl-0987654321",
    "destinationIp_Egress": "Allowed",
    "destinationIp_Ingress": "notAllowed",
    "Analysis": "This NACL has an allow rule for Egress traffic but there is no Ingress rule. Please allow the destination IP / destionation port in Ingress rule"
  }
}
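The NACL check performed by the last document step, and the checkNACL record shown above, rest on the fact that network ACLs are stateless: an egress allow for the destination is not enough, the return traffic must also be allowed inbound on the ephemeral port range. The following added example (not the runbook's own code) evaluates a constructed NACL, shaped like the Entries list returned by ec2:DescribeNetworkAcls, with first-match rule-number semantics and produces a record in the same shape; the ephemeral range default and the Analysis wording are assumptions.

```python
import ipaddress

# Constructed sample NACL, in the shape of the Entries list returned by ec2:DescribeNetworkAcls.
# Egress to the internet on TCP 443 is allowed, but ingress only covers part of the ephemeral port range.
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 60000}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
]

def _normalize(entries, egress):
    """Pre-parse the IPv4 rules relevant to TCP for one direction, lowest RuleNumber first."""
    rules = []
    for e in entries:
        if e["Egress"] != egress or "CidrBlock" not in e or e["Protocol"] not in ("-1", "6"):
            continue
        pr = e.get("PortRange") or {"From": 0, "To": 65535}  # all-protocol rules carry no PortRange
        rules.append((e["RuleNumber"], e["RuleAction"], ipaddress.ip_network(e["CidrBlock"]), pr["From"], pr["To"]))
    return sorted(rules, key=lambda r: r[0])

def decide(rules, ip, port):
    """NACLs are stateless: the lowest-numbered rule matching the packet decides; no match is an implicit deny."""
    addr = ipaddress.ip_address(ip)
    for _, action, net, lo, hi in rules:
        if addr in net and lo <= port <= hi:
            return "Allowed" if action == "allow" else "notAllowed"
    return "notAllowed"

def check_nacl(nacl_id, entries, destination_ip, destination_port, ephemeral=(1024, 65535)):
    """Return a record shaped like the runbook's checkNACL output (the Analysis wording is our own)."""
    egress = decide(_normalize(entries, True), destination_ip, destination_port)
    # Return packets arrive from destination_ip on an ephemeral port, so the whole range must be allowed inbound.
    ingress_rules = _normalize(entries, False)
    ingress = "Allowed" if all(decide(ingress_rules, destination_ip, p) == "Allowed"
                               for p in range(ephemeral[0], ephemeral[1] + 1)) else "notAllowed"
    if egress == "Allowed" and ingress == "Allowed":
        analysis = "This NACL allows Egress to the destination and Ingress for the return traffic."
    elif egress == "Allowed":
        analysis = "This NACL has an allow rule for Egress traffic but does not allow the return traffic on the full ephemeral port range in its Ingress rules."
    else:
        analysis = "This NACL does not allow Egress traffic to the destination IP / destination port."
    return {"NACL": nacl_id, "destinationIp_Egress": egress, "destinationIp_Ingress": ingress, "Analysis": analysis}

if __name__ == "__main__":
    print(check_nacl("acl-1234567890", SAMPLE_ENTRIES, "8.8.8.8", 443))
```

Widening the ingress rule to cover 1024-65535 (or the full range the runbook expects) flips destinationIp_Ingress to Allowed, which is the fix the sample Analysis message asks for.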
checkSecurityGroups.secgrps - Analysis for the security group associated with your Lambda function. The following content is an example of the output.
{
  "sg-123456789": {
    "Status": "Allowed",
    "Analysis": "This security group has allowed destintion IP and port in its outbuond rule."
  }
}
checkSubnet.subnets - Analysis for the subnets in your VPC associated with your Lambda function. The following content is an example of the output.
{
  "subnet-0c4ee6cdexample15": {
    "Route": {
      "DestinationCidrBlock": "8.8.8.0/26",
      "NatGatewayId": "nat-00f0example69fdec",
      "Origin": "CreateRoute",
      "State": "active"
    },
    "Analysis": "This Route Table has an active NAT gateway path. Also, The NAT gateway is launched in public subnet",
    "RouteTable": "rtb-0b1fexample16961b"
  }
}