I ran into a security question involving AWS Lambda and I am not sure what the right way to solve it is.
Consider an EC2 instance A that accesses a database on another EC2 instance B. If I want to restrict access to the database on instance B to instance A only, I modify the security group and add a custom TCP rule that allows access only from instance A's public IP. That way AWS handles everything, and the database server cannot be reached from any other IP address.
Now let's replace instance A with a Lambda function. Since it is no longer an instance, it has no definite IP address. So how do I restrict access to only the Lambda function and block all other traffic?
Best answer
Have the Lambda job determine its own IP and dynamically update instance B's security group, then reset the security group once it is done.
Until Lambda running within a VPC is supported, this is the only option. Support for it was announced for later this year. The following quote is from the link referenced above.
Many AWS customers host microservices within an Amazon Virtual Private Cloud and would like to be able to access them from their Lambda functions. Perhaps they run a MongoDB cluster with lookup data, or want to use Amazon ElastiCache as a stateful store for Lambda functions, but don't want to expose these resources to the Internet.
You will soon be able to access resources of this type by setting up one or more security groups within the target VPC, configure them to accept inbound traffic from Lambda, and attach them to the target VPC subnets. Then you will need to specify the VPC, the subnets, and the security groups when you create your Lambda function (you can also add them to an existing function). You'll also need to give your function permission (via its IAM role) to access a couple of EC2 functions related to Elastic Networking.
This feature will be available later this year. I’ll have more info (and a walk-through) when we launch it.
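The "discover my IP, open the group, work, close the group" flow from the answer above, written out as an added example (editor's code, not part of the original answer or of AWS's own tooling). It assumes the function's IAM role is allowed to call ec2:AuthorizeSecurityGroupIngress and ec2:RevokeSecurityGroupIngress on the target group, that DB_SG_ID and DB_PORT are set in the function's environment, and that https://checkip.amazonaws.com (AWS's public IP-echo endpoint) is reachable from the function; the DryRunEc2 stand-in and the sample address 3.5.140.2 are constructed for offline testing. The two points the answer leaves implicit and a practitioner will want are both handled: the rule is a /32 for exactly the discovered address, and revocation sits in a `finally` so the hole is closed even when the database work fails.

```python
"""Open the database security group for this Lambda's current egress IP,
do the work, then close it again.

Editor's example, not code from the original post. Assumptions: the
function's IAM role may call ec2:AuthorizeSecurityGroupIngress and
ec2:RevokeSecurityGroupIngress on the target group, DB_SG_ID/DB_PORT are
set in the environment, and CHECKIP_URL is reachable from the function.
"""
import ipaddress
import os
import urllib.request
from contextlib import contextmanager

# AWS's public IP-echo endpoint; used only to learn the egress address.
CHECKIP_URL = "https://checkip.amazonaws.com"


def discover_egress_ip(fetch=None):
    """Return the public IPv4 address the caller egresses from.

    `fetch` returns the raw body of the IP-echo service; the default does
    an HTTPS GET of CHECKIP_URL. Anything that is not a public IPv4
    address is rejected so a bad reply cannot become a bogus rule.
    """
    if fetch is None:
        def fetch():
            with urllib.request.urlopen(CHECKIP_URL, timeout=5) as resp:
                return resp.read().decode("ascii")
    text = fetch().strip()
    ip = ipaddress.ip_address(text)          # ValueError on garbage
    if ip.version != 4 or not ip.is_global:
        raise ValueError(f"not a public IPv4 address: {text!r}")
    return str(ip)


def ingress_permission(ip, port, description="lambda-temporary"):
    """IpPermissions entry for a single-host (/32) TCP rule on `port`."""
    return {
        "IpProtocol": "tcp",
        "FromPort": int(port),
        "ToPort": int(port),
        "IpRanges": [{"CidrIp": f"{ip}/32", "Description": description}],
    }


def _error_code(exc):
    """AWS error code from a botocore ClientError, or None for other errors."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


@contextmanager
def temporary_ingress(ec2, group_id, permission):
    """Authorize `permission` on `group_id` for the duration of the block.

    Revocation runs in `finally`, so the hole is closed even when the
    database work raises. A rule that already exists (left over from a
    crashed run) is tolerated and removed on the way out.
    """
    try:
        ec2.authorize_security_group_ingress(
            GroupId=group_id, IpPermissions=[permission])
    except Exception as exc:
        if _error_code(exc) != "InvalidPermission.Duplicate":
            raise
    try:
        yield
    finally:
        ec2.revoke_security_group_ingress(
            GroupId=group_id, IpPermissions=[permission])


def run_with_access(ec2, group_id, port, work, fetch=None):
    """Discover the egress IP, open the group for it, run `work`, close it."""
    permission = ingress_permission(discover_egress_ip(fetch), port)
    with temporary_ingress(ec2, group_id, permission):
        return work()


class DryRunEc2:
    """Constructed stand-in for boto3's EC2 client: records the calls it
    would make, so the flow can be exercised without AWS credentials."""

    def __init__(self):
        self.calls = []

    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.calls.append(
            ("authorize", GroupId, IpPermissions[0]["IpRanges"][0]["CidrIp"]))

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.calls.append(
            ("revoke", GroupId, IpPermissions[0]["IpRanges"][0]["CidrIp"]))


def lambda_handler(event, context):
    """Real entry point. boto3 is imported here, not at module level, so
    the helpers above stay importable outside the Lambda runtime."""
    import boto3
    ec2 = boto3.client("ec2")

    def work():
        # Assumption: the real database client for instance B goes here.
        return "done"

    return run_with_access(
        ec2, os.environ["DB_SG_ID"], os.environ["DB_PORT"], work)
```

Two caveats when using this pattern. Security group rules are keyed by CIDR and port, not by description, so two invocations that egress from the same address and overlap in time will collide: the second sees InvalidPermission.Duplicate and its revoke closes the hole under the first; run the function with a reserved concurrency of 1 or otherwise serialize it. And the address a non-VPC Lambda egresses from comes from AWS's shared pool, so the /32 rule only narrows access to that address for the length of the call, not to this one function.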
A similar question about aws-lambda (how to edit an AWS EC2 instance's security group to allow access only from a Lambda function) was found on Stack Overflow: https://stackoverflow.com/questions/35266254/