Compliance Low severity

AWS Security Hub · Lambda

Lambda.3: Lambda functions should be in a VPC

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Lambda.3 check?

Lambda.3 fails when a function is not attached to a VPC — that is, it has no `VpcConfig` with subnets and a security group. The default no-VPC mode runs the function on Lambda-managed networking outside any VPC you control.

Why does Lambda.3 matter?

A no-VPC function cannot be governed with the security groups, route tables and flow logs you apply elsewhere; its network behaviour is invisible to your VPC controls. Attaching it to private subnets brings it inside a boundary you own, where its egress can be scoped and observed.

How do I fix Lambda.3?

  1. List functions and check `VpcConfig` to find those with no VPC attachment.
  2. Attach each function to private subnets and a security group.
  3. Provide egress the function needs — a NAT gateway for public internet, or VPC endpoints for specific AWS services.
  4. Note edge cases: Lambda@Edge cannot be VPC-attached, and some functions legitimately need only public egress.
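Steps 1 and 2 as an added Python example (not Emnode's code): it applies the Lambda.3 decision to records shaped like `aws lambda list-functions` output and builds the boto3 `update_function_configuration` request for each failing function. The function names, subnet and security-group IDs are constructed for the example; the check treats a missing `VpcConfig` and an emptied one the same way, which is how a function looks after it has been detached.

```python
"""Evaluate Lambda.3 (function attached to a VPC) over ListFunctions records."""
from typing import Dict, List

# Constructed sample: one attached function, one that never had a VpcConfig,
# and one detached after an update (VpcConfig present but with empty lists).
SAMPLE_FUNCTIONS: List[Dict] = [
    {"FunctionName": "orders-api",
     "VpcConfig": {"VpcId": "vpc-0a1b2c3d",
                   "SubnetIds": ["subnet-0aa11", "subnet-0bb22"],
                   "SecurityGroupIds": ["sg-0ccfn33"]}},
    {"FunctionName": "nightly-report"},
    {"FunctionName": "webhook-relay",
     "VpcConfig": {"VpcId": "", "SubnetIds": [], "SecurityGroupIds": []}},
]


def is_vpc_attached(fn: Dict) -> bool:
    """Lambda.3 passes only when the function has at least one subnet and one
    security group; whether those subnets are private is not part of the check."""
    cfg = fn.get("VpcConfig") or {}
    return bool(cfg.get("SubnetIds")) and bool(cfg.get("SecurityGroupIds"))


def failing_functions(functions: List[Dict]) -> List[str]:
    """Names of the functions Security Hub would report as FAILED for Lambda.3."""
    return [fn["FunctionName"] for fn in functions if not is_vpc_attached(fn)]


def remediation_args(name: str, subnet_ids: List[str], sg_ids: List[str]) -> Dict:
    """Keyword arguments for boto3 client('lambda').update_function_configuration
    that attach the function to the given private subnets and security group.
    A request with only one of the two lists is rejected here rather than by the API."""
    if not subnet_ids or not sg_ids:
        raise ValueError("both subnet IDs and security-group IDs are required")
    return {"FunctionName": name,
            "VpcConfig": {"SubnetIds": list(subnet_ids),
                          "SecurityGroupIds": list(sg_ids)}}


if __name__ == "__main__":
    # Assumed target subnets/SG for the demo; in practice take them from your VPC design.
    for name in failing_functions(SAMPLE_FUNCTIONS):
        print("FAILED Lambda.3:", name)
        print(remediation_args(name, ["subnet-0aa11", "subnet-0bb22"], ["sg-0ccfn33"]))
```

To run it against a real account, replace `SAMPLE_FUNCTIONS` with the `Functions` list from `boto3.client("lambda").list_functions()` (paginate) and pass each `remediation_args` result to `update_function_configuration` after step 3 has provided the egress path.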

Remediation script · bash

#!/usr/bin/env bash
# Resource IDs below (subnet-..., vpc-..., sg-...) are placeholders; substitute your own.
set -euo pipefail

# Move the highest-impact case first: an RDS instance in a public subnet group.
aws rds create-db-subnet-group \
  --db-subnet-group-name prod-db-subnets-private \
  --db-subnet-group-description "Private subnets only - no IGW route" \
  --subnet-ids subnet-0aa11bb22cc33dd44 subnet-0ee55ff66aa77bb88

# --apply-immediately applies the change now instead of in the next maintenance window.
aws rds modify-db-instance \
  --db-instance-identifier prod-payments-db \
  --db-subnet-group-name prod-db-subnets-private \
  --apply-immediately

# Provide a private path before moving compute, so it can still reach AWS services.
# A free S3 gateway endpoint, or a narrow interface endpoint instead of a NAT gateway.
# --private-dns-enabled makes the service's normal hostname resolve to the endpoint,
# so SDK and CLI calls from inside the VPC need no configuration change.
aws ec2 create-vpc-endpoint --vpc-id vpc-0a1b2c3d \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.us-east-1.ssm \
  --subnet-ids subnet-0aa11 subnet-0bb22 \
  --security-group-ids sg-0ccfn33 --private-dns-enabled

# Force Redshift bulk traffic (COPY/UNLOAD) through the VPC. Confirm an S3 gateway
# endpoint exists first, otherwise those loads fail once the public route is gone.
aws redshift modify-cluster \
  --cluster-identifier analytics-prod --enhanced-vpc-routing

Full walkthrough (console steps, edge cases and verification) in the lesson Move resources into private networks (VPC isolation).

Is Lambda.3 a false positive?

Once a function is in a VPC it loses the default internet route and can only reach what the subnet's route table allows. A function that talks to both a private RDS database and public APIs needs a NAT gateway or VPC endpoints, or the external calls will time out after the "quick fix."

Part of the learning path Tighten your databases
  • Lambda.1 A Lambda resource policy allows public invocation
  • Lambda.2 Lambdas run on deprecated, unpatched runtimes
  • Lambda.5 VPC Lambda functions should span multiple AZs