
I'm super confused about how to use the endpoint for SSM so that a Lambda on an isolated subnet can use ssm.GetParameter.

According to this issue, I need a VPC endpoint for SSM. I tried doing that like so:

// Create a security group:
this.vpcsg = new ec2.SecurityGroup(this, 'vpc-sg', {
  vpc: this.vpc,
  allowAllOutbound: false,
  securityGroupName: 'VPCSecurityGroup'
})

// endpoint creation
this.vpcEndpointSSM = new ec2.InterfaceVpcEndpoint(this, `SSMVpcEndpoint`, {
  service: ec2.InterfaceVpcEndpointAwsService.SSM,
  vpc: this.vpc,
  subnets: { subnetType: ec2.SubnetType.ISOLATED },
  securityGroups: [this.ingressSecurityGroup]
})


// And then later I call...
this.lambdaGQLAPI = new lambda.Function(this, `LambdaAPI`, {
  code: new lambda.AssetCode(lambdaNodePath),
  vpc: this.vpc,
  vpcSubnets: { subnetType: ec2.SubnetType.ISOLATED },
  functionName: this.functions.api,
  handler: 'lambda_graphql.handler',
  memorySize: 256,
  timeout: core.Duration.minutes(2),
  runtime: lambda.Runtime.NODEJS_12_X,
  securityGroups: [props.dbSecurityGroup, this.vpcsg],
})

I have also made sure, using the policy simulator, that the Lambda function should be able to access SSM, and that checks out,

but then my function just times out trying to access SSM.

Raychaser
    Do you have a Security Group associated with the SSM VPC Endpoint? It should permit inbound access from the Lambda security group. – John Rotenstein Feb 09 '21 at 01:47
  • I think you may be onto something. I made the changes (above) but it's still not connecting. Is it not enough just to put lambda and the endpoint in the same SG? – Raychaser Feb 09 '21 at 15:43

2 Answers


The Security Group is applied to each resource individually. Security Groups are different to subnets. Resources do not reside "inside" security groups.

Resources in the same Security Group cannot communicate with each other unless there is a specific rule in the security group that grants access from itself.

For example, the security group can have a rule that allows Inbound port 80, with the source being the same security group. This means that a resource with that security group can receive traffic from other resources that are associated with the same security group.

However, it is normally better to define two security groups:

  • One security group on the Lambda function (Lambda-SG) that permits all outbound access
  • One security group on the VPC Endpoint (Endpoint-SG) that permits inbound traffic from Lambda-SG

That is, Endpoint-SG specifically refers to Lambda-SG.

John Rotenstein
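The point of the answer above is that security-group membership grants nothing by itself: evaluation happens per resource, and traffic is admitted only when a group on the receiver carries an ingress rule whose source is a group attached to the sender. The following is an added example, not code from the question or either answer: a small TypeScript model of that evaluation, run over three constructed layouts (one shared group with no self-referencing rule, as in the question's `vpc-sg`, which also sets `allowAllOutbound: false`; one shared group with a self-referencing rule; and the Lambda-SG / Endpoint-SG pattern). Group names, rules and ENIs are constructed for illustration, and the model ignores CIDR-based rules and statefulness.

```typescript
// Added example (not from the question or the answers): a minimal model of how
// security groups gate traffic between two ENIs. Group names, rules and ENIs
// below are constructed for illustration.

type SgId = string;

interface IngressRule {
  port: number;     // TCP port opened (interface endpoints serve HTTPS on 443)
  sourceSg: SgId;   // rule source given as another security group, not a CIDR
}

interface SecurityGroup {
  id: SgId;
  allowAllOutbound: boolean;   // mirrors the CDK prop of the same name
  ingress: IngressRule[];
}

interface Eni {
  name: string;
  securityGroups: SgId[];
}

// Evaluation is per resource: the sender's groups must allow the outbound
// call, and at least one group on the receiver must carry an ingress rule
// whose source group is attached to the sender. Membership in a group by
// itself grants nothing. (Real groups are stateful, so the reply path needs
// no extra rule; that detail is outside this model.)
function canReach(
  src: Eni, dst: Eni, port: number, groups: Map<SgId, SecurityGroup>,
): boolean {
  const outboundOk = src.securityGroups.some(
    (id) => groups.get(id)?.allowAllOutbound === true,
  );
  if (!outboundOk) return false;
  return dst.securityGroups.some((dstId) => {
    const sg = groups.get(dstId);
    if (!sg) return false;
    return sg.ingress.some(
      (r) => r.port === port && src.securityGroups.includes(r.sourceSg),
    );
  });
}

function build(...sgs: SecurityGroup[]): Map<SgId, SecurityGroup> {
  return new Map(sgs.map((sg) => [sg.id, sg]));
}

// Scenario 1: the question's layout, both ENIs on one group with no
// self-referencing rule and allowAllOutbound: false. Nothing gets through.
function sameGroupNoSelfRule(): boolean {
  const groups = build({ id: "vpc-sg", allowAllOutbound: false, ingress: [] });
  return canReach(
    { name: "lambda", securityGroups: ["vpc-sg"] },
    { name: "ssm-endpoint", securityGroups: ["vpc-sg"] },
    443, groups,
  );
}

// Scenario 2: one group that references itself on 443 and allows egress.
// Works, but every member can now reach every other member on 443.
function sameGroupWithSelfRule(): boolean {
  const groups = build({
    id: "shared-sg", allowAllOutbound: true,
    ingress: [{ port: 443, sourceSg: "shared-sg" }],
  });
  return canReach(
    { name: "lambda", securityGroups: ["shared-sg"] },
    { name: "ssm-endpoint", securityGroups: ["shared-sg"] },
    443, groups,
  );
}

// Scenario 3: the two-group pattern from the answer. Endpoint-SG admits 443
// only from Lambda-SG; Lambda-SG admits nothing inbound, so the reverse
// direction stays closed.
function twoGroupPattern(): { lambdaToEndpoint: boolean; endpointToLambda: boolean } {
  const groups = build(
    { id: "lambda-sg", allowAllOutbound: true, ingress: [] },
    { id: "endpoint-sg", allowAllOutbound: false,
      ingress: [{ port: 443, sourceSg: "lambda-sg" }] },
  );
  const lambda: Eni = { name: "lambda", securityGroups: ["lambda-sg"] };
  const endpoint: Eni = { name: "ssm-endpoint", securityGroups: ["endpoint-sg"] };
  return {
    lambdaToEndpoint: canReach(lambda, endpoint, 443, groups),
    endpointToLambda: canReach(endpoint, lambda, 443, groups),
  };
}

console.log(sameGroupNoSelfRule(), sameGroupWithSelfRule(), twoGroupPattern());
```

In CDK terms, scenario 3 is two `ec2.SecurityGroup` constructs, the Lambda's with `allowAllOutbound: true`, and on the endpoint's group a call of the form `endpointSg.addIngressRule(lambdaSg, ec2.Port.tcp(443))`, with `endpointSg` passed in the `securityGroups` of the `InterfaceVpcEndpoint` and `lambdaSg` in the `securityGroups` of the function. The verifiable result is that the endpoint accepts HTTPS from the function and from nothing else.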

When you don't include the subnets property, it will default to creating ENIs in your private subnets only.

Try creating the SSM interface endpoint in your isolated subnets:

this.vpcEndpointSSM = new ec2.InterfaceVpcEndpoint(this, `SSMVpcEndpoint`, {
    service: ec2.InterfaceVpcEndpointAwsService.SSM,
    // SubnetSelection is a plain object literal in TypeScript, not a constructor call
    subnets: { subnetType: ec2.SubnetType.ISOLATED },
    vpc: this.vpc
})
maafk
  • I think normally this would be right but I don't have any private subnets, only isolated and public so the cdk creation of endpoints did put them in my isolated networks. I have updated my code though, just to be explicit. Thanks – Raychaser Feb 09 '21 at 15:45
  • Oh, and it really didn't like that syntax (I'm in TypeScript) so I had to go with `subnets: { subnetType: ec2.SubnetType.ISOLATED }` – Raychaser Feb 09 '21 at 15:48