2
votes

I am trying to publish to SNS from a Lambda in a VPC but my Lambda hangs and eventually times out after a minute or so.

Based on Securing messages published to Amazon SNS with AWS PrivateLink | AWS Security Blog and similar articles I have created a VPC endpoint like so:

      Type: AWS::EC2::VPCEndpoint
      Properties:
        PrivateDnsEnabled: true
        SecurityGroupIds:
          - security-group-id
        ServiceName: com.amazonaws.ap-southeast-2.sns
        SubnetIds:
          - subnet1-id
          - subnet2-id
        VpcEndpointType: Interface
        VpcId: vpc-blahblah

This still results in my Lambda hanging when publishing to SNS. How to publish to SNS from Lambda within VPC using VPC Endpoint? recommends an AWS::EC2::SecurityGroupIngress which allows all TCP traffic from the VPC's CIDR as well, but that doesn't work either.

My Lambda and the VPC endpoint are in the same security group and there are ingress rules to only allow incoming connections from MySQL from some places and all traffic from the VPC as well (as mentioned previously).

What am I missing to make my Lambda be able to publish to an SNS topic?

1
Marcin: What are the SGs for the endpoint and lambda?

Marcin: I assume that the lambda has been set to work with VPC, e.g. it has the correct execution role.

Ani: Is making any network setting necessary for using SNS from a VPC or non-VPC Lambda? I thought as long as you have the IAM permission to SNS, the Lambda should be able to work with the SNS service. I guess SNS IAM permission for the calling Lambda should suffice; if not, it needs a VPC endpoint for SNS enabled in the subnet in which the Lambda is deployed.

Marcin: Lambda creates a network interface in your VPC. Thus it needs an execution role for that before it can do anything in the VPC. In the link I posted earlier, the role is explained.

Ani: Yeah, the Lambda execution role permission is required.

1 Answer

1
votes

To reproduce your situation, I created:

  • An Amazon VPC (with one subnet and no Internet Gateway)
  • A VPC Endpoint for Amazon SNS, with:
    • An access policy permitting all inbound traffic
    • A security group permitting all inbound access from the CIDR of the VPC
  • An Amazon SNS topic with an SMS subscription to my phone
  • An IAM Role for use by the Lambda function that permits usage of Amazon SNS
  • An AWS Lambda function:
    • With the above IAM Role
    • With a security group permitting all outbound traffic
    • Attached to the private subnet in the VPC

My Lambda function is:

import boto3  # bundled in the Lambda Python runtime, no layer needed

def lambda_handler(event, context):
    # Send message to SNS; the client uses the default regional SNS
    # hostname, which must resolve to the VPC endpoint from inside the VPC
    MY_SNS_TOPIC_ARN = 'arn:aws:sns:ap-southeast-2:111111111111:foo'
    sns_client = boto3.client('sns')
    sns_client.publish(
        TopicArn=MY_SNS_TOPIC_ARN,
        Subject='From lambda',
        Message='Hello'
    )

I then tested it by manually running the Lambda function from the Lambda console.

I successfully received the test message on my phone.

Therefore, I suggest that you compare your configuration to the above and try to spot any differences.

I notice that you are deploying via CloudFormation, so you could either launch the stack and then compare your resources to what is described, or you might try manually creating the above to confirm that it is working for you, and then compare those resources against your CloudFormation template.
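As an added illustration (not part of the question or the answer), the comparison the answer suggests can be written down as a check over the three things that decide whether a Lambda in a VPC reaches SNS through an interface endpoint: PrivateDnsEnabled on the endpoint, an endpoint security group ingress rule for TCP 443 from the Lambda's security group or the VPC CIDR, and Lambda security group egress for TCP 443. The data below is constructed in the shape boto3 returns from describe_vpc_endpoints and describe_security_groups; the IDs and CIDR are made up, and the MySQL-only ingress rule reproduces the "hangs until timeout" symptom the question describes.

```python
import copy
import ipaddress

# Constructed data shaped like boto3 describe_vpc_endpoints / describe_security_groups output; fake IDs.
VPC_CIDR = "10.0.0.0/16"
LAMBDA_SG = "sg-lambda0001"
ENDPOINT = {"ServiceName": "com.amazonaws.ap-southeast-2.sns",
            "VpcEndpointType": "Interface", "PrivateDnsEnabled": False,
            "Groups": [{"GroupId": "sg-endpoint01"}]}
SGS = {
    # Endpoint SG only admits MySQL: the Lambda's TCP 443 SYN is dropped, so publish() hangs.
    "sg-endpoint01": {
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                           "IpRanges": [{"CidrIp": VPC_CIDR}], "UserIdGroupPairs": []}],
        "IpPermissionsEgress": []},
    "sg-lambda0001": {  # keeps the default allow-all egress
        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                                 "UserIdGroupPairs": []}]},
}

def allows_https(rule, peer_sg, peer_cidr):
    """True if one SG rule covers TCP 443 for peer_sg or for the whole peer_cidr."""
    if rule["IpProtocol"] not in ("-1", "tcp"):
        return False
    if rule["IpProtocol"] == "tcp" and not rule["FromPort"] <= 443 <= rule["ToPort"]:
        return False
    by_sg = any(p["GroupId"] == peer_sg for p in rule.get("UserIdGroupPairs", []))
    by_cidr = any(ipaddress.ip_network(peer_cidr).subnet_of(ipaddress.ip_network(r["CidrIp"]))
                  for r in rule.get("IpRanges", []))
    return by_sg or by_cidr

def check_sns_path(endpoint, sgs, lambda_sg, vpc_cidr):
    """List the reasons a Lambda in lambda_sg cannot reach SNS via the endpoint ([] if it can)."""
    findings = []
    if not endpoint.get("PrivateDnsEnabled"):
        findings.append("PrivateDnsEnabled is false: the default SNS hostname will not resolve to the endpoint")
    ep_sgs = [g["GroupId"] for g in endpoint["Groups"]]
    if not any(allows_https(r, lambda_sg, vpc_cidr) for g in ep_sgs for r in sgs[g]["IpPermissions"]):
        findings.append("no endpoint SG ingress rule allows TCP 443 from the Lambda SG or the VPC CIDR")
    if not any(allows_https(r, g, vpc_cidr) for g in ep_sgs for r in sgs[lambda_sg]["IpPermissionsEgress"]):
        findings.append("Lambda SG egress does not allow TCP 443 to the endpoint")
    return findings

def fixed_config():
    """Least-privilege fix: enable private DNS and admit 443 only from the Lambda's own SG."""
    ep, sgs = copy.deepcopy(ENDPOINT), copy.deepcopy(SGS)
    ep["PrivateDnsEnabled"] = True
    sgs["sg-endpoint01"]["IpPermissions"].append({"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": LAMBDA_SG}]})
    return ep, sgs
```

Against live resources, feed the output of describe_vpc_endpoints and describe_security_groups into check_sns_path; the fixed configuration references the Lambda's security group rather than opening all TCP from the VPC CIDR.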