FunctionOptions

class aws_cdk.aws_lambda.FunctionOptions(*, max_event_age=None, on_failure=None, on_success=None, retry_attempts=None, adot_instrumentation=None, allow_all_ipv6_outbound=None, allow_all_outbound=None, allow_public_subnet=None, application_log_level=None, application_log_level_v2=None, architecture=None, code_signing_config=None, current_version_options=None, dead_letter_queue=None, dead_letter_queue_enabled=None, dead_letter_topic=None, description=None, environment=None, environment_encryption=None, ephemeral_storage_size=None, events=None, filesystem=None, function_name=None, initial_policy=None, insights_version=None, ipv6_allowed_for_dual_stack=None, layers=None, log_format=None, logging_format=None, log_group=None, log_removal_policy=None, log_retention=None, log_retention_retry_options=None, log_retention_role=None, memory_size=None, params_and_secrets=None, profiling=None, profiling_group=None, recursive_loop=None, reserved_concurrent_executions=None, role=None, runtime_management_mode=None, security_groups=None, snap_start=None, system_log_level=None, system_log_level_v2=None, timeout=None, tracing=None, vpc=None, vpc_subnets=None)

Bases: EventInvokeConfigOptions

Non runtime options.

Parameters:

max_event_age (Optional[Duration]) – The maximum age of a request that Lambda sends to a function for processing. Minimum: 60 seconds Maximum: 6 hours Default: Duration.hours(6)
on_failure (Optional[IDestination]) – The destination for failed invocations. Default: - no destination
on_success (Optional[IDestination]) – The destination for successful invocations. Default: - no destination
retry_attempts (Union[int, float, None]) – The maximum number of times to retry when the function returns an error. Minimum: 0 Maximum: 2 Default: 2
adot_instrumentation (Union[AdotInstrumentationConfig, Dict[str, Any], None]) – Specify the configuration of AWS Distro for OpenTelemetry (ADOT) instrumentation. Default: - No ADOT instrumentation
allow_all_ipv6_outbound (Optional[bool]) – Whether to allow the Lambda to send all ipv6 network traffic. If set to true, there will only be a single egress rule which allows all outbound ipv6 traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets using ipv6. Do not specify this property if the securityGroups or securityGroup property is set. Instead, configure allowAllIpv6Outbound directly on the security group. Default: false
allow_all_outbound (Optional[bool]) – Whether to allow the Lambda to send all network traffic (except ipv6). If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets. Do not specify this property if the securityGroups or securityGroup property is set. Instead, configure allowAllOutbound directly on the security group. Default: true
allow_public_subnet (Optional[bool]) – Lambda Functions in a public subnet can NOT access the internet. Use this property to acknowledge this limitation and still place the function in a public subnet. Default: false
application_log_level (Optional[str]) – (deprecated) Sets the application log level for the function. Default: “INFO”
application_log_level_v2 (Optional[ApplicationLogLevel]) – Sets the application log level for the function. Default: ApplicationLogLevel.INFO
architecture (Optional[Architecture]) – The system architectures compatible with this lambda function. Default: Architecture.X86_64
code_signing_config (Optional[ICodeSigningConfigRef]) – Code signing config associated with this function. Default: - Not Sign the Code
current_version_options (Union[VersionOptions, Dict[str, Any], None]) – Options for the lambda.Version resource automatically created by the fn.currentVersion method. Default: - default options as described in VersionOptions
dead_letter_queue (Optional[IQueue]) – The SQS queue to use if DLQ is enabled. If SNS topic is desired, specify deadLetterTopic property instead. Default: - SQS queue with 14 day retention period if deadLetterQueueEnabled is true
dead_letter_queue_enabled (Optional[bool]) – Enabled DLQ. If deadLetterQueue is undefined, an SQS queue with default options will be defined for your Function. Default: - false unless deadLetterQueue is set, which implies DLQ is enabled.
dead_letter_topic (Optional[ITopic]) – The SNS topic to use as a DLQ. Note that if deadLetterQueueEnabled is set to true, an SQS queue will be created rather than an SNS topic. Using an SNS topic as a DLQ requires this property to be set explicitly. Default: - no SNS topic
description (Optional[str]) – A description of the function. Default: - No description.
environment (Optional[Mapping[str, str]]) – Key-value pairs that Lambda caches and makes available for your Lambda functions. Use environment variables to apply configuration changes, such as test and production environment configurations, without changing your Lambda function source code. Default: - No environment variables.
environment_encryption (Optional[IKeyRef]) – The AWS KMS key that’s used to encrypt your function’s environment variables. Default: - AWS Lambda creates and uses an AWS managed customer master key (CMK).
ephemeral_storage_size (Optional[Size]) – The size of the function’s /tmp directory in MiB. Default: 512 MiB
events (Optional[Sequence[IEventSource]]) – Event sources for this function. You can also add event sources using addEventSource. Default: - No event sources.
filesystem (Optional[FileSystem]) – The filesystem configuration for the lambda function. Default: - will not mount any filesystem
function_name (Optional[str]) – A name for the function. Default: - AWS CloudFormation generates a unique physical ID and uses that ID for the function’s name. For more information, see Name Type.
initial_policy (Optional[Sequence[PolicyStatement]]) – Initial policy statements to add to the created Lambda Role. You can call addToRolePolicy to the created lambda to add statements post creation. Default: - No policy statements are added to the created Lambda role.
insights_version (Optional[LambdaInsightsVersion]) – Specify the version of CloudWatch Lambda insights to use for monitoring. Default: - No Lambda Insights
ipv6_allowed_for_dual_stack (Optional[bool]) – Allows outbound IPv6 traffic on VPC functions that are connected to dual-stack subnets. Only used if ‘vpc’ is supplied. Default: false
layers (Optional[Sequence[ILayerVersion]]) – A list of layers to add to the function’s execution environment. You can configure your Lambda function to pull in additional code during initialization in the form of layers. Layers are packages of libraries or other dependencies that can be used by multiple functions. Default: - No layers.
log_format (Optional[str]) – (deprecated) Sets the logFormat for the function. Default: “Text”
logging_format (Optional[LoggingFormat]) – Sets the loggingFormat for the function. Default: LoggingFormat.TEXT
log_group (Optional[ILogGroup]) – The log group the function sends logs to. By default, Lambda functions send logs to an automatically created default log group named /aws/lambda/<function name>. However you cannot change the properties of this auto-created log group using the AWS CDK, e.g. you cannot set a different log retention. Use the logGroup property to create a fully customizable LogGroup ahead of time, and instruct the Lambda function to send logs to it. Providing a user-controlled log group was rolled out to commercial regions on 2023-11-16. If you are deploying to another type of region, please check regional availability first. Default: /aws/lambda/${this.functionName} - default log group created by Lambda
log_removal_policy (Optional[RemovalPolicy]) – (deprecated) Determine the removal policy of the log group that is auto-created by this construct. Normally you want to retain the log group so you can diagnose issues from logs even after a deployment that no longer includes the log group. In that case, use the normal date-based retention policy to age out your logs. Default: RemovalPolicy.Retain
log_retention (Optional[RetentionDays]) – (deprecated) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn’t remove the log retention policy. To remove the retention policy, set the value to INFINITE. This is a legacy API and we strongly recommend you move away from it if you can. Instead create a fully customizable log group with logs.LogGroup and use the logGroup property to instruct the Lambda function to send logs to it. Migrating from logRetention to logGroup will cause the name of the log group to change. Users and code and referencing the name verbatim will have to adjust. In AWS CDK code, you can access the log group name directly from the LogGroup construct:: import * as logs from ‘aws-cdk-lib/aws-logs’; declare const myLogGroup: logs.LogGroup; myLogGroup.logGroupName; Default: logs.RetentionDays.INFINITE
log_retention_retry_options (Union[LogRetentionRetryOptions, Dict[str, Any], None]) – When log retention is specified, a custom resource attempts to create the CloudWatch log group. These options control the retry policy when interacting with CloudWatch APIs. This is a legacy API and we strongly recommend you migrate to logGroup if you can. logGroup allows you to create a fully customizable log group and instruct the Lambda function to send logs to it. Default: - Default AWS SDK retry options.
log_retention_role (Optional[IRole]) – The IAM role for the Lambda function associated with the custom resource that sets the retention policy. This is a legacy API and we strongly recommend you migrate to logGroup if you can. logGroup allows you to create a fully customizable log group and instruct the Lambda function to send logs to it. Default: - A new role is created.
memory_size (Union[int, float, None]) – The amount of memory, in MB, that is allocated to your Lambda function. Lambda uses this value to proportionally allocate the amount of CPU power. For more information, see Resource Model in the AWS Lambda Developer Guide. Default: 128
params_and_secrets (Optional[ParamsAndSecretsLayerVersion]) – Specify the configuration of Parameters and Secrets Extension. Default: - No Parameters and Secrets Extension
profiling (Optional[bool]) – Enable profiling. Default: - No profiling.
profiling_group (Optional[IProfilingGroup]) – Profiling Group. Default: - A new profiling group will be created if profiling is set.
recursive_loop (Optional[RecursiveLoop]) – Sets the Recursive Loop Protection for Lambda Function. It lets Lambda detect and terminate unintended recursive loops. Default: RecursiveLoop.Terminate
reserved_concurrent_executions (Union[int, float, None]) – The maximum of concurrent executions you want to reserve for the function. Default: - No specific limit - account limit.
role (Optional[IRole]) – Lambda execution role. This is the role that will be assumed by the function upon execution. It controls the permissions that the function will have. The Role must be assumable by the ‘lambda.amazonaws.com’ service principal. The default Role automatically has permissions granted for Lambda execution. If you provide a Role, you must add the relevant AWS managed policies yourself. The relevant managed policies are “service-role/AWSLambdaBasicExecutionRole” and “service-role/AWSLambdaVPCAccessExecutionRole”. Default: - A unique role will be generated for this lambda function. Both supplied and generated roles can always be changed by calling addToRolePolicy.
runtime_management_mode (Optional[RuntimeManagementMode]) – Sets the runtime management configuration for a function’s version. Default: Auto
security_groups (Optional[Sequence[ISecurityGroup]]) – The list of security groups to associate with the Lambda’s network interfaces. Only used if ‘vpc’ is supplied. Default: - If the function is placed within a VPC and a security group is not specified, either by this or securityGroup prop, a dedicated security group will be created for this function.
snap_start (Optional[SnapStartConf]) – Enable SnapStart for Lambda Function. SnapStart is currently supported for Java 11, Java 17, Python 3.12, Python 3.13, and .NET 8 runtime Default: - No snapstart
system_log_level (Optional[str]) – (deprecated) Sets the system log level for the function. Default: “INFO”
system_log_level_v2 (Optional[SystemLogLevel]) – Sets the system log level for the function. Default: SystemLogLevel.INFO
timeout (Optional[Duration]) – The function execution time (in seconds) after which Lambda terminates the function. Because the execution time affects cost, set this value based on the function’s expected execution time. Default: Duration.seconds(3)
tracing (Optional[Tracing]) – Enable AWS X-Ray Tracing for Lambda Function. Default: Tracing.Disabled
vpc (Optional[IVpc]) – VPC network to place Lambda network interfaces. Specify this if the Lambda function needs to access resources in a VPC. This is required when vpcSubnets is specified. Default: - Function is not placed within a VPC.
vpc_subnets (Union[SubnetSelection, Dict[str, Any], None]) – Where to place the network interfaces within the VPC. This requires vpc to be specified in order for interfaces to actually be placed in the subnets. If vpc is not specify, this will raise an error. Note: Internet access for Lambda Functions requires a NAT Gateway, so picking public subnets is not allowed (unless allowPublicSubnet is set to true). Default: - the Vpc default strategy if not specified

ExampleMetadata:

fixture=_generated

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
import aws_cdk as cdk
from aws_cdk import aws_codeguruprofiler as codeguruprofiler
from aws_cdk import aws_ec2 as ec2
from aws_cdk import aws_iam as iam
from aws_cdk import aws_kms as kms
from aws_cdk import aws_lambda as lambda_
from aws_cdk import aws_logs as logs
from aws_cdk import aws_sns as sns
from aws_cdk import aws_sqs as sqs

# adot_layer_version: lambda.AdotLayerVersion
# architecture: lambda.Architecture
# code_signing_config_ref: lambda.ICodeSigningConfigRef
# destination: lambda.IDestination
# event_source: lambda.IEventSource
# file_system: lambda.FileSystem
# key_ref: kms.IKeyRef
# lambda_insights_version: lambda.LambdaInsightsVersion
# layer_version: lambda.LayerVersion
# log_group: logs.LogGroup
# params_and_secrets_layer_version: lambda.ParamsAndSecretsLayerVersion
# policy_statement: iam.PolicyStatement
# profiling_group: codeguruprofiler.ProfilingGroup
# queue: sqs.Queue
# role: iam.Role
# runtime_management_mode: lambda.RuntimeManagementMode
# security_group: ec2.SecurityGroup
# size: cdk.Size
# snap_start_conf: lambda.SnapStartConf
# subnet: ec2.Subnet
# subnet_filter: ec2.SubnetFilter
# topic: sns.Topic
# vpc: ec2.Vpc

function_options = lambda.FunctionOptions(
    adot_instrumentation=lambda.AdotInstrumentationConfig(
        exec_wrapper=lambda_.AdotLambdaExecWrapper.REGULAR_HANDLER,
        layer_version=adot_layer_version
    ),
    allow_all_ipv6_outbound=False,
    allow_all_outbound=False,
    allow_public_subnet=False,
    application_log_level="applicationLogLevel",
    application_log_level_v2=lambda_.ApplicationLogLevel.INFO,
    architecture=architecture,
    code_signing_config=code_signing_config_ref,
    current_version_options=lambda.VersionOptions(
        code_sha256="codeSha256",
        description="description",
        max_event_age=cdk.Duration.minutes(30),
        on_failure=destination,
        on_success=destination,
        provisioned_concurrent_executions=123,
        removal_policy=cdk.RemovalPolicy.DESTROY,
        retry_attempts=123
    ),
    dead_letter_queue=queue,
    dead_letter_queue_enabled=False,
    dead_letter_topic=topic,
    description="description",
    environment={
        "environment_key": "environment"
    },
    environment_encryption=key_ref,
    ephemeral_storage_size=size,
    events=[event_source],
    filesystem=file_system,
    function_name="functionName",
    initial_policy=[policy_statement],
    insights_version=lambda_insights_version,
    ipv6_allowed_for_dual_stack=False,
    layers=[layer_version],
    log_format="logFormat",
    logging_format=lambda_.LoggingFormat.TEXT,
    log_group=log_group,
    log_removal_policy=cdk.RemovalPolicy.DESTROY,
    log_retention=logs.RetentionDays.ONE_DAY,
    log_retention_retry_options=lambda.LogRetentionRetryOptions(
        base=cdk.Duration.minutes(30),
        max_retries=123
    ),
    log_retention_role=role,
    max_event_age=cdk.Duration.minutes(30),
    memory_size=123,
    on_failure=destination,
    on_success=destination,
    params_and_secrets=params_and_secrets_layer_version,
    profiling=False,
    profiling_group=profiling_group,
    recursive_loop=lambda_.RecursiveLoop.ALLOW,
    reserved_concurrent_executions=123,
    retry_attempts=123,
    role=role,
    runtime_management_mode=runtime_management_mode,
    security_groups=[security_group],
    snap_start=snap_start_conf,
    system_log_level="systemLogLevel",
    system_log_level_v2=lambda_.SystemLogLevel.INFO,
    timeout=cdk.Duration.minutes(30),
    tracing=lambda_.Tracing.ACTIVE,
    vpc=vpc,
    vpc_subnets=ec2.SubnetSelection(
        availability_zones=["availabilityZones"],
        one_per_az=False,
        subnet_filters=[subnet_filter],
        subnet_group_name="subnetGroupName",
        subnets=[subnet],
        subnet_type=ec2.SubnetType.PRIVATE_ISOLATED
    )
)

Attributes

adot_instrumentation

Specify the configuration of AWS Distro for OpenTelemetry (ADOT) instrumentation.

Default:

No ADOT instrumentation

See:

https://aws-otel.github.io/docs/getting-started/lambda

allow_all_ipv6_outbound

Whether to allow the Lambda to send all ipv6 network traffic.

If set to true, there will only be a single egress rule which allows all outbound ipv6 traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets using ipv6.

Do not specify this property if the securityGroups or securityGroup property is set. Instead, configure allowAllIpv6Outbound directly on the security group.

Default:: false

allow_all_outbound

Whether to allow the Lambda to send all network traffic (except ipv6).

If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets.

Do not specify this property if the securityGroups or securityGroup property is set. Instead, configure allowAllOutbound directly on the security group.

Default:: true

allow_public_subnet

Lambda Functions in a public subnet can NOT access the internet.

Use this property to acknowledge this limitation and still place the function in a public subnet.

Default:: false
See:: https://stackoverflow.com/questions/52992085/why-cant-an-aws-lambda-function-inside-a-public-subnet-in-a-vpc-connect-to-the/52994841#52994841

application_log_level

(deprecated) Sets the application log level for the function.

Default:: “INFO”
Deprecated:: Use applicationLogLevelV2 as a property instead.
Stability:: deprecated

application_log_level_v2

Sets the application log level for the function.

Default:: ApplicationLogLevel.INFO

architecture

The system architectures compatible with this lambda function.

Default:: Architecture.X86_64

code_signing_config

Code signing config associated with this function.

Default:

Not Sign the Code

current_version_options

Options for the lambda.Version resource automatically created by the fn.currentVersion method.

Default:

default options as described in VersionOptions

dead_letter_queue

The SQS queue to use if DLQ is enabled.

If SNS topic is desired, specify deadLetterTopic property instead.

Default:

SQS queue with 14 day retention period if deadLetterQueueEnabled is true

dead_letter_queue_enabled

Enabled DLQ.

If deadLetterQueue is undefined, an SQS queue with default options will be defined for your Function.

Default:

false unless deadLetterQueue is set, which implies DLQ is enabled.

dead_letter_topic

The SNS topic to use as a DLQ.

Note that if deadLetterQueueEnabled is set to true, an SQS queue will be created rather than an SNS topic. Using an SNS topic as a DLQ requires this property to be set explicitly.

Default:

no SNS topic

description

A description of the function.

Default:

No description.

environment

Key-value pairs that Lambda caches and makes available for your Lambda functions.

Use environment variables to apply configuration changes, such as test and production environment configurations, without changing your Lambda function source code.

Default:

No environment variables.

environment_encryption

The AWS KMS key that’s used to encrypt your function’s environment variables.

Default:

AWS Lambda creates and uses an AWS managed customer master key (CMK).

ephemeral_storage_size

The size of the function’s /tmp directory in MiB.

Default:: 512 MiB

events

Event sources for this function.

You can also add event sources using addEventSource.

Default:

No event sources.

filesystem

The filesystem configuration for the lambda function.

Default:

will not mount any filesystem

function_name

A name for the function.

Default:

AWS CloudFormation generates a unique physical ID and uses that

ID for the function’s name. For more information, see Name Type.

initial_policy

Initial policy statements to add to the created Lambda Role.

You can call addToRolePolicy to the created lambda to add statements post creation.

Default:

No policy statements are added to the created Lambda role.

insights_version

Specify the version of CloudWatch Lambda insights to use for monitoring.

Default:

No Lambda Insights

See:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-Getting-Started-docker.html

ipv6_allowed_for_dual_stack

Allows outbound IPv6 traffic on VPC functions that are connected to dual-stack subnets.

Only used if ‘vpc’ is supplied.

Default:: false

layers

A list of layers to add to the function’s execution environment.

You can configure your Lambda function to pull in additional code during initialization in the form of layers. Layers are packages of libraries or other dependencies that can be used by multiple functions.

Default:

No layers.

log_format

(deprecated) Sets the logFormat for the function.

Default:: “Text”
Deprecated:: Use loggingFormat as a property instead.
Stability:: deprecated

log_group

The log group the function sends logs to.

By default, Lambda functions send logs to an automatically created default log group named /aws/lambda/. However you cannot change the properties of this auto-created log group using the AWS CDK, e.g. you cannot set a different log retention.

Use the logGroup property to create a fully customizable LogGroup ahead of time, and instruct the Lambda function to send logs to it.

Providing a user-controlled log group was rolled out to commercial regions on 2023-11-16. If you are deploying to another type of region, please check regional availability first.

Default:: /aws/lambda/${this.functionName} - default log group created by Lambda

log_removal_policy

(deprecated) Determine the removal policy of the log group that is auto-created by this construct.

Normally you want to retain the log group so you can diagnose issues from logs even after a deployment that no longer includes the log group. In that case, use the normal date-based retention policy to age out your logs.

Default:: RemovalPolicy.Retain
Deprecated:: use logGroup instead
Stability:: deprecated

log_retention

(deprecated) The number of days log events are kept in CloudWatch Logs.

When updating this property, unsetting it doesn’t remove the log retention policy. To remove the retention policy, set the value to INFINITE.

This is a legacy API and we strongly recommend you move away from it if you can. Instead create a fully customizable log group with logs.LogGroup and use the logGroup property to instruct the Lambda function to send logs to it. Migrating from logRetention to logGroup will cause the name of the log group to change. Users and code and referencing the name verbatim will have to adjust.

In AWS CDK code, you can access the log group name directly from the LogGroup construct:

import aws_cdk.aws_logs as logs

# my_log_group: logs.LogGroup

my_log_group.log_group_name

Default:: logs.RetentionDays.INFINITE
Deprecated:: use logGroup instead
Stability:: deprecated

log_retention_retry_options

When log retention is specified, a custom resource attempts to create the CloudWatch log group.

These options control the retry policy when interacting with CloudWatch APIs.

This is a legacy API and we strongly recommend you migrate to logGroup if you can. logGroup allows you to create a fully customizable log group and instruct the Lambda function to send logs to it.

Default:

Default AWS SDK retry options.

log_retention_role

The IAM role for the Lambda function associated with the custom resource that sets the retention policy.

This is a legacy API and we strongly recommend you migrate to logGroup if you can. logGroup allows you to create a fully customizable log group and instruct the Lambda function to send logs to it.

Default:

A new role is created.

logging_format

Sets the loggingFormat for the function.

Default:: LoggingFormat.TEXT

max_event_age

The maximum age of a request that Lambda sends to a function for processing.

Minimum: 60 seconds Maximum: 6 hours

Default:: Duration.hours(6)

memory_size

The amount of memory, in MB, that is allocated to your Lambda function.

Lambda uses this value to proportionally allocate the amount of CPU power. For more information, see Resource Model in the AWS Lambda Developer Guide.

Default:: 128

on_failure

The destination for failed invocations.

Default:

no destination

on_success

The destination for successful invocations.

Default:

no destination

params_and_secrets

Specify the configuration of Parameters and Secrets Extension.

Default:

No Parameters and Secrets Extension

See:

https://docs.aws.amazon.com/systems-manager/latest/userguide/ps-integration-lambda-extensions.html

profiling

Enable profiling.

Default:

No profiling.

See:

https://docs.aws.amazon.com/codeguru/latest/profiler-ug/setting-up-lambda.html

profiling_group

Profiling Group.

Default:

A new profiling group will be created if profiling is set.

See:

https://docs.aws.amazon.com/codeguru/latest/profiler-ug/setting-up-lambda.html

recursive_loop

Sets the Recursive Loop Protection for Lambda Function.

It lets Lambda detect and terminate unintended recursive loops.

Default:: RecursiveLoop.Terminate

reserved_concurrent_executions

The maximum of concurrent executions you want to reserve for the function.

Default:

No specific limit - account limit.

See:

https://docs.aws.amazon.com/lambda/latest/dg/concurrent-executions.html

retry_attempts

The maximum number of times to retry when the function returns an error.

Minimum: 0 Maximum: 2

Default:: 2

role

Lambda execution role.

This is the role that will be assumed by the function upon execution. It controls the permissions that the function will have. The Role must be assumable by the ‘lambda.amazonaws.com’ service principal.

The default Role automatically has permissions granted for Lambda execution. If you provide a Role, you must add the relevant AWS managed policies yourself.

The relevant managed policies are “service-role/AWSLambdaBasicExecutionRole” and “service-role/AWSLambdaVPCAccessExecutionRole”.

Default:

A unique role will be generated for this lambda function.

Both supplied and generated roles can always be changed by calling addToRolePolicy.

runtime_management_mode

Sets the runtime management configuration for a function’s version.

Default:: Auto

security_groups

The list of security groups to associate with the Lambda’s network interfaces.

Only used if ‘vpc’ is supplied.

Default:

If the function is placed within a VPC and a security group is

not specified, either by this or securityGroup prop, a dedicated security group will be created for this function.

snap_start

Enable SnapStart for Lambda Function.

SnapStart is currently supported for Java 11, Java 17, Python 3.12, Python 3.13, and .NET 8 runtime

Default:

No snapstart

system_log_level

(deprecated) Sets the system log level for the function.

Default:: “INFO”
Deprecated:: Use systemLogLevelV2 as a property instead.
Stability:: deprecated

system_log_level_v2

Sets the system log level for the function.

Default:: SystemLogLevel.INFO

timeout

The function execution time (in seconds) after which Lambda terminates the function.

Because the execution time affects cost, set this value based on the function’s expected execution time.

Default:: Duration.seconds(3)

tracing

Enable AWS X-Ray Tracing for Lambda Function.

Default:: Tracing.Disabled

vpc

VPC network to place Lambda network interfaces.

Specify this if the Lambda function needs to access resources in a VPC. This is required when vpcSubnets is specified.

Default:

Function is not placed within a VPC.

vpc_subnets

Where to place the network interfaces within the VPC.

This requires vpc to be specified in order for interfaces to actually be placed in the subnets. If vpc is not specify, this will raise an error.

Note: Internet access for Lambda Functions requires a NAT Gateway, so picking public subnets is not allowed (unless allowPublicSubnet is set to true).

Default:

the Vpc default strategy if not specified