AWSSupport-TroubleshootLambdaInternetAccess
Description
The AWSSupport-TroubleshootLambdaInternetAccess runbook helps you troubleshoot internet access issues for an AWS Lambda function that was launched into Amazon Virtual Private Cloud (Amazon VPC). Resources such as subnet routes, security group rules, and network access control list (ACL) rules are reviewed to confirm that outbound internet access is allowed.
Document type
Automation
Owner
Amazon
Platforms
Linux, macOS, Windows
Parameters
- AutomationAssumeRole
  Type: String
  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
- FunctionName
  Type: String
  Description: (Required) The name of the Lambda function you want to troubleshoot internet access for.
- destinationIp
  Type: String
  Description: (Required) The destination IP address you want to establish an outbound connection to.
- destinationPort
  Type: String
  Default: 443
  Description: (Optional) The destination port you want to establish an outbound connection on.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to use the runbook successfully.
- lambda:GetFunction
- ec2:DescribeRouteTables
- ec2:DescribeNatGateways
- ec2:DescribeSecurityGroups
- ec2:DescribeNetworkAcls
Document Steps
- aws:executeScript - Verifies the configuration of various resources in the VPC where the Lambda function was launched.
- aws:branch - Branches based on whether the specified Lambda function is in a VPC or not.
- aws:executeScript - Reviews the route table routes for the subnet where the Lambda function was launched, and verifies that routes to a network address translation (NAT) gateway and an internet gateway are present. Confirms that the Lambda function is not in a public subnet.
- aws:executeScript - Verifies that the security group associated with the Lambda function allows outbound internet access based on the values specified for the destinationIp and destinationPort parameters.
- aws:executeScript - Verifies that the ACL rules associated with the subnets of the Lambda function and the NAT gateway allow outbound internet access based on the values specified for the destinationIp and destinationPort parameters.
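The three data-plane checks in the steps above (route table, security group, network ACL) can be reproduced offline against EC2 API response shapes. The following Python is an added example, not the runbook's own script: the route tables, security group and NACL entries are constructed sample data (IDs such as rtb-lambda, sg-example and igw-example are placeholders), and no AWS call is made. It shows why the runbook checks both NACL directions (NACLs are stateless, so the reply from the destination needs its own ingress rule) and why a Lambda function in a subnet that routes straight to an internet gateway still has no internet access.

```python
"""Offline re-implementation of the runbook's route, security group and NACL checks.
Added example, not the runbook's own code. All data below is constructed to mirror
trimmed EC2 DescribeRouteTables / DescribeSecurityGroups / DescribeNetworkAcls responses."""
import ipaddress

ROUTE_TABLES = {  # constructed
    "rtb-lambda": [  # private subnet: default route to a NAT gateway
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"},
    ],
    "rtb-nat": [  # public subnet: default route to an internet gateway
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"},
    ],
}
SECURITY_GROUP = {  # constructed: only HTTPS egress is open
    "GroupId": "sg-example",
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
NACL_ENTRIES = [  # constructed: egress open, ingress only from the VPC itself (implicit deny otherwise)
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "10.0.0.0/16"},
]


def route_target(routes, dest_ip):
    """Longest-prefix match over active routes; returns 'nat', 'igw', 'other' or None."""
    addr = ipaddress.ip_address(dest_ip)
    best = None
    for route in routes:
        cidr = route.get("DestinationCidrBlock")
        if not cidr or route.get("State") != "active":
            continue
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    if best is None:
        return None
    route = best[1]
    if "NatGatewayId" in route:
        return "nat"
    return "igw" if route.get("GatewayId", "").startswith("igw-") else "other"


def check_subnet(lambda_rtb, nat_rtb, dest_ip):
    """Step 3: the Lambda subnet must reach dest_ip via a NAT gateway that sits in a public subnet."""
    via = route_target(ROUTE_TABLES[lambda_rtb], dest_ip)
    if via == "igw":
        return "notAllowed: Lambda subnet is public (Lambda ENIs have no public IP)"
    if via != "nat":
        return "notAllowed: no active NAT gateway route for the destination"
    if route_target(ROUTE_TABLES[nat_rtb], dest_ip) != "igw":
        return "notAllowed: NAT gateway subnet has no internet gateway route"
    return "Allowed"


def sg_allows_egress(sg, dest_ip, dest_port, proto="tcp"):
    """Step 4: security groups are stateful, so one matching outbound rule is enough."""
    addr = ipaddress.ip_address(dest_ip)
    for rule in sg["IpPermissionsEgress"]:
        if rule["IpProtocol"] not in ("-1", proto):
            continue
        if rule["IpProtocol"] != "-1" and not rule["FromPort"] <= dest_port <= rule["ToPort"]:
            continue
        if any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
            return True
    return False


def nacl_decision(entries, egress, ip, port, proto="6"):
    """Evaluate NACL entries as the VPC does: ascending rule number, first match wins, implicit deny."""
    addr = ipaddress.ip_address(ip)
    for e in sorted(entries, key=lambda x: x["RuleNumber"]):
        if e["Egress"] != egress or e["Protocol"] not in ("-1", proto):
            continue
        if addr not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= port <= pr["To"]:
            continue
        return e["RuleAction"] == "allow"
    return False


def check_nacl(entries, dest_ip, dest_port):
    """Step 5: NACLs are stateless, so the reply from dest_ip to an ephemeral port needs an ingress rule."""
    egress_ok = nacl_decision(entries, True, dest_ip, dest_port)
    # Reply traffic arrives from dest_ip on an ephemeral source port; sample the range edges and middle.
    ingress_ok = all(nacl_decision(entries, False, dest_ip, p) for p in (1024, 32768, 65535))
    return {"destinationIp_Egress": "Allowed" if egress_ok else "notAllowed",
            "destinationIp_Ingress": "Allowed" if ingress_ok else "notAllowed"}
```

With the constructed data, check_subnet("rtb-lambda", "rtb-nat", "8.8.8.8") returns "Allowed", the security group permits port 443 but not 80, and check_nacl reports egress allowed with ingress not allowed, which is the same situation as the checkNACL.NACL sample output on this page.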
Outputs
checkVpc.vpc - The ID of the VPC where your Lambda function was launched.
checkVpc.subnet - The IDs of the subnets where your Lambda function was launched.
checkVpc.securityGroups - Security groups associated with the Lambda function.
checkNACL.NACL - Analysis message with resource names. LambdaIp refers to the private IP address of the elastic network interface for your Lambda function. The LambdaIpRules object is only generated for subnets that have a route to a NAT gateway. The following content is an example of the output.
{
  "subnet-1234567890": {
    "NACL": "acl-1234567890",
    "destinationIp_Egress": "Allowed",
    "destinationIp_Ingress": "notAllowed",
    "Analysis": "This NACL has an allow rule for Egress traffic but there is no Ingress rule. Please allow the destination IP / destionation port in Ingress rule",
    "LambdaIpRules": {
      "{LambdaIp}": {
        "Egress": "notAllowed",
        "Ingress": "notAllowed",
        "Analysis": "This is a NAT subnet NACL. It does not have ingress or egress rule allowed in it for Lambda's corresponding private ip {LambdaIp} Please allow this IP in your egress and ingress NACL rules"
      }
    }
  },
  "subnet-0987654321": {
    "NACL": "acl-0987654321",
    "destinationIp_Egress": "Allowed",
    "destinationIp_Ingress": "notAllowed",
    "Analysis": "This NACL has an allow rule for Egress traffic but there is no Ingress rule. Please allow the destination IP / destionation port in Ingress rule"
  }
}
checkSecurityGroups.secgrps - Analysis for the security group associated with your Lambda function. The following content is an example of the output.
{
  "sg-123456789": {
    "Status": "Allowed",
    "Analysis": "This security group has allowed destintion IP and port in its outbuond rule."
  }
}
checkSubnet.subnets - Analysis for the subnets in your VPC associated with your Lambda function. The following content is an example of the output.
{
  "subnet-0c4ee6cdexample15": {
    "Route": {
      "DestinationCidrBlock": "8.8.8.0/26",
      "NatGatewayId": "nat-00f0example69fdec",
      "Origin": "CreateRoute",
      "State": "active"
    },
    "Analysis": "This Route Table has an active NAT gateway path. Also, The NAT gateway is launched in public subnet",
    "RouteTable": "rtb-0b1fexample16961b"
  }
}