Control: AWS > PCI v3.2.1 > Lambda > 2 Lambda functions should be in a VPC
This control checks whether a Lambda function is in a VPC.
It does not evaluate the VPC subnet routing configuration to determine public reachability.
Note that if Lambda@Edge is found in the account, then this control generates failed findings. To prevent these findings, you can disable this control.
Remediation
To configure a function to connect to private subnets in a virtual private cloud (VPC) in your account
- Open the AWS Lambda console.
- Navigate to Functions and then select your Lambda function.
- Scroll to Network and then select a VPC with the connectivity requirements of the function.
- To run your functions in high availability mode, Security Hub recommends that you choose at least two subnets.
- Choose at least one security group that has the connectivity requirements of the function.
- Choose Save.
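The check described above (VPC attachment only, with subnet routing deliberately out of scope) and the remediation steps can be expressed as a small evaluator. The following is an added example, not Turbot's or Security Hub's control implementation: it runs over constructed records shaped like `aws lambda get-function-configuration` output, flags functions with no subnets as alarms, notes the single-subnet high-availability recommendation, and builds the `aws lambda update-function-configuration --vpc-config` command that is the CLI equivalent of the console steps. The function, VPC, subnet and security group identifiers are made up.

```python
from dataclasses import dataclass, field

# Constructed sample records mirroring the shape of
# `aws lambda get-function-configuration` output. All identifiers are made up
# for this example; they are not data from any account.
SAMPLE_FUNCTIONS = [
    {"FunctionName": "order-api",
     "VpcConfig": {"VpcId": "vpc-0example1",
                   "SubnetIds": ["subnet-0aaa", "subnet-0bbb"],
                   "SecurityGroupIds": ["sg-0ccc"]}},
    {"FunctionName": "report-cron",
     "VpcConfig": {"VpcId": "vpc-0example1",
                   "SubnetIds": ["subnet-0aaa"],          # one subnet only
                   "SecurityGroupIds": ["sg-0ccc"]}},
    {"FunctionName": "webhook-handler"},                   # no VpcConfig key at all
    {"FunctionName": "detached",
     "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": []}},  # detached from VPC
]


@dataclass
class Finding:
    function_name: str
    status: str                       # "ok" or "alarm"
    notes: list = field(default_factory=list)


def is_in_vpc(fn: dict) -> bool:
    """A function counts as VPC-attached when it has at least one subnet.
    Only attachment is evaluated, never subnet routing, so a function in a
    public subnet still passes; that is the limitation the control itself notes."""
    return bool((fn.get("VpcConfig") or {}).get("SubnetIds"))


def evaluate(fn: dict) -> Finding:
    """Alarm when not attached; otherwise ok, with a note if fewer than two
    subnets are configured (the high-availability recommendation)."""
    cfg = fn.get("VpcConfig") or {}
    subnets = cfg.get("SubnetIds") or []
    if not subnets:
        return Finding(fn["FunctionName"], "alarm", ["not attached to a VPC"])
    notes = []
    if len(subnets) < 2:
        notes.append("single subnet; at least two recommended for high availability")
    return Finding(fn["FunctionName"], "ok", notes)


def alarmed(configs) -> list:
    """Names of the functions that fail the control."""
    return [f.function_name for f in map(evaluate, configs) if f.status == "alarm"]


def remediation_command(function_name, subnet_ids, security_group_ids) -> str:
    """CLI equivalent of the console remediation steps: attach the function to
    the given subnets and security groups."""
    return ("aws lambda update-function-configuration "
            f"--function-name {function_name} "
            f"--vpc-config SubnetIds={','.join(subnet_ids)},"
            f"SecurityGroupIds={','.join(security_group_ids)}")


if __name__ == "__main__":
    for f in map(evaluate, SAMPLE_FUNCTIONS):
        print(f"{f.function_name:16} {f.status:6} {'; '.join(f.notes)}")
    # Print the remediation for each alarmed function, using two subnets
    # and one security group as the remediation steps recommend.
    for name in alarmed(SAMPLE_FUNCTIONS):
        print(remediation_command(name, ["subnet-0aaa", "subnet-0bbb"], ["sg-0ccc"]))
```

In an account this would be driven by paginating `list_functions` and feeding each configuration to `evaluate`; the evaluator is kept free of any API call so the control logic can be tested against fixtures like the ones above.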
PCI requirement(s): 1.2.1, 1.3.1, 1.3.2, 1.3.4
Resource Types
This control targets the following resource types:
Developers
Control Type URI
- tmod:@turbot/aws-pciv3-2-1#/control/types/lambdaFunctionInVpc
Category URI
- tmod:@turbot/turbot#/control/categories/compliancePci
CLI (Get Controls)
- turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/lambdaFunctionInVpc"