This repo is the companion to the post "Breaking down the AWS Lambda Shared Responsibility model".
It creates:
- An Amazon S3 bucket
- A VPC - 10.192.0.0/24
- Two private subnets - 10.192.0.0/26 and 10.192.0.64/26
- Security Groups
- A VPC Endpoint for S3
- VPC Flow Logs to CloudWatch so you can audit the traffic generated
- And of course the Lambda inside the VPC
Diagram - courtesy of CloudMapper
The Lambda will periodically write files to an S3 Bucket.
We're using the Serverless Framework to deploy an AWS Lambda inside a VPC. All traffic stays within AWS PrivateLink using VPC endpoints. The rest of the resources are built using CloudFormation.
A benefit of this pattern - and of the Serverless Framework - is that the infrastructure is separated from the code/serverless deployment.
```
npm install [email protected]
cd VPCLambda
serverless deploy --stage="dev" -v
```
🎉
You will need to delete the objects from the bucket first, otherwise the stack will not be able to delete the bucket.
```
serverless remove --stage="dev" -v
```
- A good starting point for working with Lambdas
- A playground environment
- KMS CMKs
- Exhaustive optimisation
- Enforcing this model/Landing Zone
- If you get an error about PrefixLists, the Prefix List for S3 is probably invalid for your region, and you'll have to change it under PrefixListId. Currently CloudFormation doesn't support looking up the PrefixListId, and the only solution is to deploy an AWS CloudFormation Lambda-backed Custom Resource to retrieve it, which would make this repo a lot more complicated than I intended.
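To show how the pieces above fit together (the S3 gateway endpoint, the security group egress rule that consumes the PrefixListId, and a bucket policy that refuses writes not arriving through that endpoint), here is an added CloudFormation fragment. It is illustrative, not the repo's own template; the logical IDs `VPC`, `PrivateRouteTable` and `Bucket` are assumed to exist elsewhere in the stack, and the prefix list ID is passed in as a parameter exactly because CloudFormation cannot look it up.

```yaml
# Added example, not the repo's template. Assumes VPC, PrivateRouteTable and Bucket
# are defined elsewhere in the same stack.
Parameters:
  S3PrefixListId:
    Type: String
    Description: Region-specific managed prefix list for S3 (aws ec2 describe-prefix-lists)

Resources:
  # Gateway endpoint: S3 traffic from the private subnets is routed here, not to the internet.
  S3Endpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      VpcEndpointType: Gateway
      RouteTableIds:
        - !Ref PrivateRouteTable

  # Declaring SecurityGroupEgress replaces the default allow-all egress rule,
  # so the Lambda can only open HTTPS connections to the S3 prefix list.
  LambdaSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Lambda egress limited to S3 over the VPC endpoint
      VpcId: !Ref VPC
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          DestinationPrefixListId: !Ref S3PrefixListId

  # Bucket-side check: writes that do not come through this endpoint are denied,
  # whatever IAM credentials the caller holds.
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyPutOutsideVpcEndpoint
            Effect: Deny
            Principal: "*"
            Action: s3:PutObject
            Resource: !Sub arn:aws:s3:::${Bucket}/*
            Condition:
              StringNotEquals:
                aws:SourceVpce: !Ref S3Endpoint
```

Note that the Deny statement also blocks uploads from the console or CLI outside the VPC, so scope it to the prefixes the Lambda writes if operators need to upload objects by hand; the VPC Flow Logs from the stack will show the Lambda's connections going to the prefix-list addresses, which is how you confirm nothing is leaving via another path.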