Lambda function without dead-letter queue

Docs > Plateforme de sécurité Datadog > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Lambda function without dead-letter queue

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

Id: c2eae442-d3ba-4cb1-84ca-1db4f80eae3d

Cloud Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Insecure Configurations

Learn More

Provider Reference

Description

Lambda functions should be configured with a dead-letter queue (DLQ) to capture failed asynchronous invocations and prevent message loss or silent failures. In AWS CloudFormation, AWS::Lambda::Function resources should define Properties.DeadLetterConfig.TargetArn and set it to a valid destination ARN (typically an Amazon SQS queue or Amazon SNS topic). Resources missing DeadLetterConfig or where DeadLetterConfig.TargetArn is undefined or null will be flagged.

Secure configuration example (CloudFormation YAML):

MyDLQ:
  Type: AWS::SQS::Queue
  Properties:
    QueueName: my-dlq

MyFunction:
  Type: AWS::Lambda::Function
  Properties:
    FunctionName: my-function
    Runtime: nodejs14.x
    Handler: index.handler
    Role: arn:aws:iam::123456789012:role/lambda-role
    DeadLetterConfig:
      TargetArn: !GetAtt MyDLQ.Arn

Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Description: VPC function.
Resources:
  Function3:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.handler
      Role: arn:aws:iam::123456789012:role/lambda-role
      Code:
        S3Bucket: my-bucket
        S3Key: function.zip
      Runtime: nodejs12.x
      Timeout: 5
      TracingConfig:
        Mode: Active
      VpcConfig:
        SecurityGroupIds:
          - sg-085912345678492fb
        SubnetIds:
          - subnet-071f712345678e7c8
          - subnet-07fd123456788a036
      Tags:
        - Key: Description
          Value: VPC Function
        - Key: Type
          Value: AWS Lambda Function
      DeadLetterConfig:
        TargetArn: arn:aws:sqs:us-east-1:2324243535:aaa

Non-Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Description: VPC function.
Resources:
  Function2:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.handler
      Role: arn:aws:iam::123456789012:role/lambda-role
      Code:
        S3Bucket: my-bucket
        S3Key: function.zip
      Runtime: nodejs12.x
      Timeout: 5
      TracingConfig:
        Mode: Active
      VpcConfig:
        SecurityGroupIds:
          - sg-085912345678492fb
        SubnetIds:
          - subnet-071f712345678e7c8
          - subnet-07fd123456788a036
      Tags:
        - Key: Description
          Value: VPC Function
        - Key: Type
          Value: AWS Lambda Function
      DeadLetterConfig:

AWSTemplateFormatVersion: '2010-09-09'
Description: VPC function.
Resources:
  Function:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.handler
      Role: arn:aws:iam::123456789012:role/lambda-role
      Code:
        S3Bucket: my-bucket
        S3Key: function.zip
      Runtime: nodejs12.x
      Timeout: 5
      TracingConfig:
        Mode: Active
      VpcConfig:
        SecurityGroupIds:
          - sg-085912345678492fb
        SubnetIds:
          - subnet-071f712345678e7c8
          - subnet-07fd123456788a036
      Tags:
        - Key: Description
          Value: VPC Function
        - Key: Type
          Value: AWS Lambda Function