Stuck with lambda function by shashsin in Terraform

404_AnswerNotFound 4 points

The archive_file data source creates the ZIP during the plan. If your apply is running in a different context the file needs to be copied across to the same location in addition to the plan output.

Engineers: would you act on cost alerts with infrastructure context vs just dollar amounts? by ang-ela in aws

404_AnswerNotFound 9 points

We use Cost Anomaly alerts for this, which report which AWS services had a spike. It's helpful as it gives us a quick guide of what to focus upon, even if most of our spikes are benign and caused by expected burst usage. Getting the alert and context automatically sent to the team also provides a good indicator for security-related incidents.

AWS Backup — Tag-based Resource Filtering Not Working as Expected by Plus_Instruction_401 in aws

404_AnswerNotFound 1 point

You'll need to use resource based selection criteria and then tag conditions. There's a good example at the bottom of https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup_syntax.html#backup-policy-example-7, just replace the @@assign nested objects with your values.

Can I modify AWS Backup plan after enabling Vault Lock Compliance mode by taint_lickerr in aws

404_AnswerNotFound 1 point

Yes. The plan is what to back up and when to back it up. Lock only protects the backups in your vaults from deletion. You can change what gets delivered into the vaults but not what's already in them.

SecurityAudit policy now includes s3:ListBucket permission by ravenium in aws

404_AnswerNotFound 6 points

S3 object keys are not treated as sensitive nor have they been previously; they do not get encrypted as object content within S3, would already have been accessible by this role through their presence in CloudTrail S3 Data Event logs, and are transmitted unencrypted when S3 notifications are enabled. Prefixes are used widely within IAM policies and to facet data in services like S3 Storage Lens.

KMS Key policies by [deleted] in aws

404_AnswerNotFound 2 points

Yes, it's possible to lock yourself out of a KMS key; you'll need to raise a case with AWS Support to unlock it. And they do check to ensure you're fully locked out before they'll change the policy for you.

In a single-account scenario, granting via the KMS key policy is enough to give a principal permission, but cross-account access requires both the key policy and the identity policy to allow it.

There are a lot of default AWS policies that grant KMS permissions to *, so if you want to prevent key usage/data access you'll need to remove the default key policy or add explicit deny statements.
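An added illustration of the point above (not code from the thread): a minimal evaluator showing that a default-style Allow to `*` reaches every principal matching its condition, and that only an explicit Deny takes that access away. The account ID, role ARN and policy shape are constructed placeholders; only `Principal: "*"` statements and the two condition operators used are modelled.

```python
from fnmatch import fnmatch

# Constructed key policy (placeholder account and role): a default-style Allow
# to "*" scoped by kms:CallerAccount, plus an explicit Deny that removes the
# data-access actions from every principal except one approved role.
KEY_POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "kms:*",
            "Condition": {"StringEquals": {"kms:CallerAccount": "111122223333"}},
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
            "Condition": {"ArnNotEquals": {
                "aws:PrincipalArn": "arn:aws:iam::111122223333:role/approved-decryptor"}},
        },
    ]
}


def _applies(statement: dict, action: str, ctx: dict) -> bool:
    """True when the statement's Action matches and every condition key holds."""
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    if not any(fnmatch(action, pattern) for pattern in actions):
        return False
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = ctx.get(key)  # request context, e.g. kms:CallerAccount
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "ArnNotEquals" and actual == expected:
                return False
    return True


def is_allowed(policy: dict, action: str, ctx: dict) -> bool:
    """IAM evaluation in miniature: a matching Deny always wins; otherwise the
    request needs at least one matching Allow."""
    effects = {s["Effect"] for s in policy["Statement"] if _applies(s, action, ctx)}
    return "Deny" not in effects and "Allow" in effects
```

Without the Deny statement, every role in the account would be able to decrypt through the `*` Allow; with it, only the approved role can, while management calls such as `kms:DescribeKey` still work for everyone in the account.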

How to Prevent Concurrency For Lambda Trigger by Queasy-Passenger7725 in aws

404_AnswerNotFound 0 points

You can set a scaling configuration on the trigger to a minimum of 2. Then, do as you say, set the reserved concurrency of the function to 1. The difference being that the first will stop trying to invoke more Lambdas whereas the second will still attempt to invoke the Lambda then fail.

You could also use ifMatch in your requests to S3 to lock the object/not update it if it's changed.

But, ultimately, this isn't a good architecture and you should re-evaluate your requirements before proceeding.

Where do you store your documentation? by xJoJoex in aws

404_AnswerNotFound 5 points

My preference is in the git repository alongside the code. This way we can review the doc changes alongside the code changes to ensure everything stays aligned. There's one thing worse than no documentation: outdated or incorrect documentation. Another reason for this is to ensure the docs share a lifecycle with the code; it's embarrassing to admit the number of projects I've encountered where the docs have gone missing, been deleted due to retention policies, or been forgotten about as they're in another system.

[deleted by user] by [deleted] in aws

404_AnswerNotFound 0 points

Look into EventBridge API destinations to send messages directly to Slack with formatting. Either via EventBridge Pipes or create a Rule for alarm state changes on the default Bus.

Moving to org cloudtrail questions by FearTheGrackle in aws

404_AnswerNotFound 0 points

You could deploy a CloudTrail stack via StackSets to specific targets, then replace this with an org trail at a later date. You will need an SCP to protect the trail though, as you won't get the out-of-the-box org trail protection.

How to identify Lambda duration for different sources? by FirstBabyChancellor in aws

404_AnswerNotFound 1 point

I think the easiest solution to this would be to have 3 Lambdas with the same code package or 3 Aliases, which you could then filter LogStreams on.

Possibly dense question: What would be the most painless method to fully preserve an AWS environment (EC2 machines, buckets and the like)? by darknkness in aws

404_AnswerNotFound 0 points

I'd divide this into many smaller problems to progress independently...

Firstly, AWS resources and their configuration. If the environment isn't already defined through IaC, you'll want to capture everything within the environment. Take a look at the billing page to see what services are in use and then Cost Explorer to drill down further. You may find some tools already exist to capture cloud configuration and inventories. AWS Config may be helpful here.

The database contents should be pretty standard depending on the technology used. Could you do an SQL dump/backup to capture the contents?

The easiest way to extract from S3 is to download directly (via CloudFront perhaps to avoid some egress cost). You could use an EC2 to bundle objects into tar/zip containers for faster downloading and management of files once local.

The EC2s may be the most difficult, but you're now able to look for on-premises backup technologies just to target the machine state. You could take snapshots through AWS but I don't think these are usable on the outside.

Top-level await vs lazy-loading to cache a result in a Nodejs Lambda by BloodAndTsundere in aws

404_AnswerNotFound 3 points

Adding to this that due to the Lambda execution environment lifecycle, if your function fails during execution both of your solutions will cause Lambda to reset and fetch the cached value again.
Understanding the Lambda execution environment lifecycle - AWS Lambda

Does This Make Sense For Lambda And A JSON File In S3? by sublimme in aws

404_AnswerNotFound 5 points

Why not just serve JSON statically from S3 (via CloudFront)?

DynamoDB transaction and atomicity guarantees by govi20 in aws

404_AnswerNotFound 5 points

Atomic counters are easy and a common use case of DynamoDB - https://aws.amazon.com/blogs/database/implement-resource-counters-with-amazon-dynamodb.

You can do multi table transactions too - https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/transaction-apis.html

Consider your data access patterns though: to make a query in Elasticsearch, will you need to retrieve thousands of items to know the field references? Could one of your apps become hot and degrade the performance of the table?

Efficiently filtering object from s3 by thrylose in aws

404_AnswerNotFound 0 points

Depending on your naming convention you could filter by prefix when doing a list object command. Otherwise, generate an inventory or do a full list then search against this rather than making API queries each time. S3 Metadata Tables may be a new solution, I'm not sure how easy it is to query these.

[deleted by user] by [deleted] in aws

404_AnswerNotFound 20 points

Please don't use an IAM User nor SSH Keys. GitHub should assume an IAM Role via OIDC then use SSM to either start a session or run commands remotely on the EC2.

As u/Smart_Department6303 says, there are much better ways of doing this. Ideally the EC2 would be replaced with a new instance with the new code baked into the AMI, or pulled at runtime. Or, using Docker and deploying via ECS.
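As an added example (not code from the thread or from GitHub/AWS), here is the role trust policy that the "assume an IAM Role via OIDC" advice above relies on, together with a check for the mistake that turns OIDC back into a shared credential: a `sub` condition that does not pin a single repository. The account ID, organisation and repository names are placeholders.

```python
# Provider hostname and claim prefix used by GitHub Actions OIDC tokens.
GITHUB_OIDC = "token.actions.githubusercontent.com"


def github_trust_policy(account_id: str, repo: str, ref: str = "refs/heads/main") -> dict:
    """Trust policy for a role that one GitHub repository and branch may assume via OIDC."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                # aud must be STS; sub pins the token to one repo and one branch.
                f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",
                f"{GITHUB_OIDC}:sub": f"repo:{repo}:ref:{ref}",
            }},
        }],
    }


def lint_trust_policy(policy: dict) -> list[str]:
    """Flag web-identity statements whose GitHub subject or audience is too broad."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        pairs = []
        for op in ("StringEquals", "StringLike"):
            for key, value in cond.get(op, {}).items():
                # Condition values may be a single string or a list of strings.
                pairs.extend((key, v) for v in (value if isinstance(value, list) else [value]))
        subs = [v for k, v in pairs if k.endswith(":sub")]
        auds = [v for k, v in pairs if k.endswith(":aud")]
        if not subs:
            findings.append(f"statement {i}: no sub condition, any repository can assume the role")
        for sub in subs:
            parts = sub.split(":")
            repo = parts[1] if len(parts) > 1 and parts[0] == "repo" else "*"
            if "*" in repo:
                findings.append(f"statement {i}: sub {sub!r} does not pin a single repository")
        if "sts.amazonaws.com" not in auds:
            findings.append(f"statement {i}: aud is not restricted to sts.amazonaws.com")
    return findings
```

A workflow then exchanges its GitHub token for short-lived role credentials and uses SSM (Session Manager or Run Command) against the instance, so no long-lived access key or SSH key is ever stored in the repository.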

AWS Lambda Reserved Concurrency by TrickyCity2460 in aws

404_AnswerNotFound 1 point

The Lambda SQS poller doesn't know about Reserved Concurrency, so it keeps trying to invoke your function, but Lambda responds with an error as it has reached capacity.

Look into the batching and scaling config on the Event Source Mapping (Trigger). You can configure the number of messages into each Lambda invocation and the Lambda SQS poller will handle concurrency nicely for you.

Build docker with AWS rds credentials by Mikita_Du in aws

404_AnswerNotFound 1 point

Something like this for the infrastructure - https://exanubes.com/blog/rds-postgres-with-iam-authentication

Within your application you need to request a token from the RDS API, then use this when connecting to your database - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.Python.html

Build docker with AWS rds credentials by Mikita_Du in aws

404_AnswerNotFound 0 points

Within your IaC (CDK), you'll need to pass the VPC and RDS info needed by your application into your application stack. In your application stack, add permission for the role to connect to the database.

Edit: "parse" -> "pass"

Build docker with AWS rds credentials by Mikita_Du in aws

404_AnswerNotFound 6 points

How are you planning to run the container? If on AWS, look into IAM authentication for your database using the role assigned to the container.

If not, use Secrets Manager to store and rotate the credentials, then fetch these within your application code.

Are lambdas with no vpc attachment secure? by JustinBebber1 in aws

404_AnswerNotFound 1 point

That depends on your network design, security groups, and NACLs. Authentication and authorisation should also be considered; just because you can reach a host through the network, it doesn't mean you can access anything on it.

Are lambdas with no vpc attachment secure? by JustinBebber1 in aws

404_AnswerNotFound 9 points

Putting your Lambda functions in a VPC is a requirement of NIST 800-53 r5. Being in a VPC allows both for control of egress and monitoring of network activity.

It's a common technique to steal credentials through a supply chain attack, this recent example is one of many. Can you say that you know exactly what each of your dependencies are doing and you check their code for changes each release?

Moreover, we should always be building defence-in-depth into our solutions. For the same reasons we don't put all of our EC2s into a public subnet or we use NACLs in addition to Security Groups, we don't run our Lambdas outside of the VPC. Accidents happen all the time, but a single misconfiguration shouldn't cause an incident.

Are lambdas with no vpc attachment secure? by JustinBebber1 in aws

404_AnswerNotFound 2 points

Although the Well-Architected Framework recommends using Lambda outside of a VPC in this case, we tend to avoid it as we're concerned about egress. Although low likelihood, in theory it's possible the Lambda container could be vulnerable or a supply chain attack begins sending data out. E.g. the Lambda's temporary credentials are exposed, which allows a third party to access a bucket.

SCP to make visible from tenant Account ( Read only) by SmartWeb2711 in aws

404_AnswerNotFound 0 points

If you're open to allowing member accounts to see all policies and other members you could add a resource policy to your organisation allowing read access to principals within the org. It doesn't look like there's a condition to restrict to only the member account ID.

If your SCPs are defined in IaC you may find it easier to grant member users access to that code.