A config rule that checks whether the AWS Lambda function is in a VPC or not. The rule is NON_COMPLIANT if the Lambda function is not in a VPC.
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
CustomConfigRule:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: lambda_inside_vpc
Description: >-
A config rule that checks whether the AWS Lambda function is in a VPC or
not. The rule is NON_COMPLIANT if the Lambda function is not in a VPC.
Scope:
ComplianceResourceTypes:
- 'AWS::Lambda::Function'
Source:
Owner: CUSTOM_LAMBDA
SourceIdentifier:
'Fn::GetAtt':
- LambdaFunction
- Arn
SourceDetails:
- EventSource: aws.config
MessageType: ConfigurationItemChangeNotification
- EventSource: aws.config
MessageType: OversizedConfigurationItemChangeNotification
DependsOn: LambdaInvokePermissions
LambdaInvokePermissions:
Type: 'AWS::Lambda::Permission'
Properties:
FunctionName:
'Fn::GetAtt':
- LambdaFunction
- Arn
Action: 'lambda:InvokeFunction'
Principal: config.amazonaws.com
LambdaFunction:
Type: 'AWS::Lambda::Function'
Properties:
FunctionName: LambdaForlambda_inside_vpc
Handler: index.lambda_handler
Role:
'Fn::GetAtt':
- LambdaIamRole
- Arn
Runtime: python3.6
Code:
S3Bucket:
'Fn::Sub':
- 'asecure-cloud-cf-aux-${Region}'
- Region:
Ref: 'AWS::Region'
S3Key: LAMBDA_INSIDE_VPC.zip
Timeout: 300
DependsOn: LambdaIamRole
LambdaIamRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/ReadOnlyAccess'
- 'arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole'
- 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
Policies: []
RoleName: IAMRoleForlambda_inside_vpcUiz
Parameters: {}
Metadata: {}
Conditions: {}
Configuration Source: AWS Config Rule Repository
Additional Documentation: