Compliance Medium severity

AWS Security Hub · Lambda

Lambda.5: VPC Lambda functions should span multiple AZs

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Lambda.5 check?

Lambda.5 fails when a VPC-attached function's `VpcConfig` references subnets in fewer than two Availability Zones, leaving the function without multi-AZ resilience.

Why does Lambda.5 matter?

A function not in a VPC gets multi-AZ resilience for free, but attaching it to a VPC strips that away: it can only run in the AZs of the subnets you give it. Wire it to a single subnet (the one a copy-pasted module happened to reference) and a single-AZ networking event takes the function down with 5xx errors for the whole outage, while sibling functions placed across zones ride it out.

How do I fix Lambda.5?

  1. Audit functions and read each `VpcConfig` to find those whose subnets do not span at least two AZs.
  2. Update the function configuration to add subnet IDs in additional Availability Zones — a one-command fix.
  3. Confirm Lambda can place its ENIs in each subnet (capacity and security-group reachability).
  4. Adopt an IaC pattern that requires multi-AZ subnets so single-AZ functions cannot be deployed in the first place.
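As an added example (not Emnode's script), a Python audit covering steps 1 and 2 above: it maps each function's `VpcConfig` subnets to their AZs, flags functions covering fewer than two, and builds the `update-function-configuration` command, which must repeat the existing subnets and security groups because `--vpc-config` replaces the whole block. The function names, subnet IDs and security group are constructed sample data; the live audit assumes boto3 and AWS credentials in the environment.

```python
def az_coverage(functions, subnet_to_az):
    """Map each VPC-attached function name to the sorted AZs its subnets cover.
    Functions without VpcConfig.SubnetIds are skipped (multi-AZ by default); a subnet
    missing from subnet_to_az contributes no AZ, so it can never inflate coverage."""
    coverage = {}
    for fn in functions:
        subnets = fn.get("VpcConfig", {}).get("SubnetIds") or []
        if subnets:
            coverage[fn["FunctionName"]] = sorted({subnet_to_az[s] for s in subnets if s in subnet_to_az})
    return coverage

def failing_functions(functions, subnet_to_az, min_azs=2):
    """Names of VPC-attached functions whose subnets span fewer than min_azs AZs (Lambda.5 FAIL)."""
    return sorted(n for n, azs in az_coverage(functions, subnet_to_az).items() if len(azs) < min_azs)

def fix_command(fn, extra_subnets):
    """Build the one-command fix. --vpc-config REPLACES the whole block, so the existing
    subnets and security groups must be repeated alongside the new subnet IDs."""
    cfg = fn["VpcConfig"]
    subnets = list(dict.fromkeys(cfg["SubnetIds"] + list(extra_subnets)))  # keep order, drop duplicates
    return (f"aws lambda update-function-configuration --function-name {fn['FunctionName']} "
            f"--vpc-config SubnetIds={','.join(subnets)},SecurityGroupIds={','.join(cfg['SecurityGroupIds'])}")

def audit_account(region):
    """Live audit with boto3 (assumes credentials in the environment); returns (failing, coverage)."""
    import boto3  # imported here so the pure helpers above run without the SDK installed
    lam, ec2 = boto3.client("lambda", region_name=region), boto3.client("ec2", region_name=region)
    functions = [f for page in lam.get_paginator("list_functions").paginate() for f in page["Functions"]]
    ids = sorted({s for f in functions for s in f.get("VpcConfig", {}).get("SubnetIds") or []})
    subnet_to_az = {}
    for i in range(0, len(ids), 100):  # conservative chunking of the SubnetIds filter
        for s in ec2.describe_subnets(SubnetIds=ids[i:i + 100])["Subnets"]:
            subnet_to_az[s["SubnetId"]] = s["AvailabilityZone"]
    return failing_functions(functions, subnet_to_az), az_coverage(functions, subnet_to_az)

# Constructed sample data (not from a real account): subnet-0aaa1 and subnet-0aaa9 share one AZ.
SAMPLE_SUBNET_AZ = {"subnet-0aaa1": "us-east-1a", "subnet-0aaa9": "us-east-1a", "subnet-0bbb2": "us-east-1b"}
SAMPLE_FUNCTIONS = [
    {"FunctionName": "orders-api", "VpcConfig": {"SubnetIds": ["subnet-0aaa1"], "SecurityGroupIds": ["sg-0123"]}},
    {"FunctionName": "billing-worker", "VpcConfig": {"SubnetIds": ["subnet-0aaa1", "subnet-0bbb2"], "SecurityGroupIds": ["sg-0123"]}},
    {"FunctionName": "report-gen", "VpcConfig": {"SubnetIds": ["subnet-0aaa1", "subnet-0aaa9"], "SecurityGroupIds": ["sg-0123"]}},
    {"FunctionName": "no-vpc-fn"},  # not VPC-attached, so out of scope for Lambda.5
]

if __name__ == "__main__":
    cov = az_coverage(SAMPLE_FUNCTIONS, SAMPLE_SUBNET_AZ)
    for name in failing_functions(SAMPLE_FUNCTIONS, SAMPLE_SUBNET_AZ):
        fn = next(f for f in SAMPLE_FUNCTIONS if f["FunctionName"] == name)
        print(f"{name}: FAIL (AZs={cov[name]})\n  {fix_command(fn, ['subnet-0bbb2'])}")
```

Note that `report-gen` fails despite having two subnets: both sit in the same AZ, which is why the check counts distinct AZs rather than subnet IDs.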

Remediation script · bash

# Fix the highest-impact data stores first: enable Multi-AZ on production databases.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?MultiAZ==`false` && DBClusterIdentifier==null].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --multi-az --apply-immediately
  echo "$db: standby being provisioned in a second AZ"
done

# Span a stateless compute fleet across three AZs, then mirror the set on its load balancer.
aws autoscaling update-auto-scaling-group --auto-scaling-group-name web-tier-asg \
  --vpc-zone-identifier "subnet-0aaa1,subnet-0bbb2,subnet-0ccc3"
aws elbv2 set-subnets --load-balancer-arn "$ALB_ARN" \
  --subnets subnet-0aaa1 subnet-0bbb2 subnet-0ccc3

Full walkthrough (console steps, edge cases and verification) in the lesson Deploy across multiple Availability Zones.
