How to edit AWS EC2 instance's security groups to allow access to a lambda function only

I ran into a security issue related to AWS Lambda, but I'm not sure what the correct way to solve it is.

Consider an EC2 instance A that accesses a database on another EC2 instance B. If I want to restrict access to the database on instance B to instance A only, I would modify the security group and add a custom TCP rule that allows access only from instance A's public IP. That way AWS handles everything, and the database server cannot be reached from any other IP address.

Now let's replace instance A with a Lambda function. Since it is no longer an instance, there is no fixed IP address. So how can I restrict access to the Lambda function and block all other traffic?

I believe the link below will explain the Lambda permission model for you:

http://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html

Have the Lambda job determine its IP, dynamically update instance B's security group, and then reset the security group once it has finished.

Before Lambda running within a VPC was supported, this was the only option. Support for it has been announced for later this year. The following quote is from the link referenced above.

Many AWS customers host microservices within an Amazon Virtual Private Cloud and would like to be able to access them from their Lambda functions. Perhaps they run a MongoDB cluster with lookup data, or want to use Amazon ElastiCache as a stateful store for Lambda functions, but don’t want to expose these resources to the Internet.

You will soon be able to access resources of this type by setting up one or more security groups within the target VPC, configure them to accept inbound traffic from Lambda, and attach them to the target VPC subnets. Then you will need to specify the VPC, the subnets, and the security groups when you create your Lambda function (you can also add them to an existing function). You’ll also need to give your function permission (via its IAM role) to access a couple of EC2 functions related to Elastic Networking.

This feature will be available later this year. I’ll have more info (and a walk-through) when we launch it.
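The following is an added example (not code from the question, the answers, or AWS) covering both the public-IP rule the question describes for instance A and the VPC-era rule quoted above, where instance B's security group accepts inbound database traffic from the Lambda function's own security group rather than from an IP address. It also includes an audit check for the failure mode that matters most here: the database port left open to 0.0.0.0/0. The rule dictionaries are in the exact shape boto3's `authorize_security_group_ingress` expects; the security group IDs, the 203.0.113.10 address and port 5432 are constructed placeholders, and `RecordingClient` is a stand-in for a real `boto3.client("ec2")` so the script runs offline.

```python
"""Build and audit EC2 security group ingress rules for a database on instance B.

Added example, not part of the original post. All identifiers below are
constructed placeholders; swap RecordingClient for boto3.client("ec2") to run
against a real account.
"""
from typing import Any, Dict, List

DB_PORT = 5432  # assumption: PostgreSQL on instance B


def ip_permission_from_cidr(port: int, cidr: str, description: str) -> Dict[str, Any]:
    """IpPermission allowing TCP `port` from one CIDR (the question's instance-A rule)."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": cidr, "Description": description}],
    }


def ip_permission_from_sg(port: int, source_sg_id: str, description: str) -> Dict[str, Any]:
    """IpPermission allowing TCP `port` from any ENI that carries `source_sg_id`.

    This is the VPC-era rule: the Lambda function's ENIs get their own security
    group, and instance B's group references that group instead of an IP, so the
    rule stays correct no matter which address the function's ENI receives.
    """
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_sg_id, "Description": description}],
    }


def allow_only_from(client: Any, db_sg_id: str, permission: Dict[str, Any]) -> Dict[str, Any]:
    """Authorize one ingress rule on instance B's group via an EC2 client (real or fake)."""
    return client.authorize_security_group_ingress(GroupId=db_sg_id, IpPermissions=[permission])


def overly_broad_rules(sg_description: Dict[str, Any], port: int) -> List[str]:
    """Return every CIDR in a describe_security_groups() entry that exposes `port` to the world."""
    findings: List[str] = []
    for perm in sg_description.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        # IpProtocol "-1" means all ports; FromPort/ToPort are absent in that case
        covers_port = proto == "-1" or perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
        if not covers_port:
            continue
        findings += [r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] == "0.0.0.0/0"]
        findings += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] == "::/0"]
    return findings


class RecordingClient:
    """Constructed stand-in for boto3.client("ec2"): records calls instead of sending them."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def authorize_security_group_ingress(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        return {"Return": True, "Request": kwargs}


# Constructed describe_security_groups() entry for instance B's group
SAMPLE_DB_SG: Dict[str, Any] = {
    "GroupId": "sg-0db000000000000b",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # the finding: database open to the internet
    ],
}


def main() -> None:
    client = RecordingClient()  # replace with boto3.client("ec2") for a real run
    print("world-exposed CIDRs on the DB port:", overly_broad_rules(SAMPLE_DB_SG, DB_PORT))
    # Question's approach: a single public IP for instance A (placeholder address)
    allow_only_from(client, SAMPLE_DB_SG["GroupId"],
                    ip_permission_from_cidr(DB_PORT, "203.0.113.10/32", "instance A"))
    # VPC approach: reference the Lambda function's security group (placeholder ID)
    allow_only_from(client, SAMPLE_DB_SG["GroupId"],
                    ip_permission_from_sg(DB_PORT, "sg-0lambda00000000a", "lambda fn"))
    for call in client.calls:
        print("authorize_security_group_ingress", call)


if __name__ == "__main__":
    main()
```

Two points about the security-group reference rule: the Lambda function's own group needs no inbound rules at all (only egress to instance B), and the reference keeps working as the function scales out or its ENIs are replaced, which the question's single-IP rule cannot do. Run `overly_broad_rules` against the real `describe_security_groups` output before adding the new rule, and revoke any 0.0.0.0/0 entry it reports; otherwise the narrow rule is simply added alongside the open one.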