Lambda function should have access to VPC resources in configuration

Description

This rule identifies Lambda functions that are not configured with VPC access. Configuring a Lambda function within a VPC enforces network segmentation and is a best practice for functions that interact with private resources such as databases, internal APIs, or ElastiCache clusters. Not all functions require VPC access, so functions flagged by this rule should be reviewed to determine whether VPC configuration is appropriate for their use case. Datadog-managed functions (Forwarder, Agentless Scanner, integration Lambdas) are automatically excluded.

Note: Attaching a Lambda to a VPC without a properly configured NAT gateway and route table will break outbound internet access. Ensure the VPC networking supports the function’s connectivity needs before making changes.

Remediation

Review the flagged Lambda function to determine whether it requires access to VPC-private resources. If it does, configure VPC access following the Configuring VPC access documentation. If the function only requires internet or AWS API access, no action is needed and the finding can be accepted.
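The check this rule performs, and the configuration change the remediation calls for, are shown below as an added example. It is not Datadog's rule implementation or AWS code: it evaluates function records shaped like the Lambda API's `FunctionConfiguration` (`FunctionName`, `VpcConfig` with `SubnetIds`, `SecurityGroupIds`, `VpcId`) from a constructed sample inventory, and builds the arguments for boto3's `update_function_configuration` without calling AWS. The name prefixes used to exclude Datadog-managed functions are an assumption; the page does not list them.

```python
"""Added example: flag Lambda functions that lack VPC access and build the
remediation request. Not Datadog's rule code; field names follow the AWS
Lambda GetFunctionConfiguration response."""
from dataclasses import dataclass

# Assumption: Datadog-managed functions are recognised by name prefix.
# The real exclusion list is not on the page; these names are illustrative.
DATADOG_MANAGED_PREFIXES = (
    "datadog-forwarder",
    "datadog-agentless-scanner",
    "datadog-integration-",
)


@dataclass(frozen=True)
class Finding:
    function_name: str
    status: str  # "flagged", "compliant" or "excluded"
    reason: str


def has_vpc_access(config: dict) -> bool:
    """True when the function is attached to at least one subnet and one
    security group. A function created without VPC settings returns VpcConfig
    with empty lists, or no VpcConfig key at all; both mean no VPC access."""
    vpc = config.get("VpcConfig") or {}
    return bool(vpc.get("SubnetIds")) and bool(vpc.get("SecurityGroupIds"))


def is_datadog_managed(function_name: str) -> bool:
    return function_name.lower().startswith(DATADOG_MANAGED_PREFIXES)


def evaluate(config: dict) -> Finding:
    """Apply the rule to one function configuration."""
    name = config["FunctionName"]
    if is_datadog_managed(name):
        return Finding(name, "excluded", "Datadog-managed function")
    if has_vpc_access(config):
        vpc_id = (config.get("VpcConfig") or {}).get("VpcId") or "unknown"
        return Finding(name, "compliant", f"attached to {vpc_id}")
    return Finding(
        name,
        "flagged",
        "no subnets/security groups configured; review whether the function "
        "reaches VPC-private resources (database, internal API, ElastiCache)",
    )


def evaluate_all(configs: list) -> list:
    return [evaluate(c) for c in configs]


def build_vpc_remediation(function_name: str, subnet_ids: list, security_group_ids: list) -> dict:
    """Keyword arguments for lambda_client.update_function_configuration(...)
    that attach the function to the given subnets and security groups. The
    call is not made here so the example runs offline. Before applying it,
    confirm the subnets route outbound traffic through a NAT gateway if the
    function also needs internet or public AWS API access."""
    if not subnet_ids or not security_group_ids:
        raise ValueError("at least one subnet and one security group are required")
    return {
        "FunctionName": function_name,
        "VpcConfig": {
            "SubnetIds": list(subnet_ids),
            "SecurityGroupIds": list(security_group_ids),
        },
    }


# Constructed sample inventory (not real AWS data; IDs are placeholders).
SAMPLE_FUNCTIONS = [
    {"FunctionName": "orders-db-writer",
     "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": [], "VpcId": ""}},
    {"FunctionName": "image-thumbnailer"},  # VpcConfig key absent entirely
    {"FunctionName": "inventory-api",
     "VpcConfig": {"SubnetIds": ["subnet-0aaa"], "SecurityGroupIds": ["sg-0bbb"], "VpcId": "vpc-0ccc"}},
    {"FunctionName": "datadog-forwarder",
     "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": []}},
]

if __name__ == "__main__":
    for finding in evaluate_all(SAMPLE_FUNCTIONS):
        print(f"{finding.status:9} {finding.function_name}: {finding.reason}")
    print(build_vpc_remediation("orders-db-writer", ["subnet-0aaa"], ["sg-0bbb"]))
```

In the sample, `orders-db-writer` and `image-thumbnailer` are flagged, `inventory-api` is compliant, and `datadog-forwarder` is excluded. Whether a flagged function actually needs VPC access is the manual review step the remediation describes; `image-thumbnailer` here would plausibly be an accepted finding if it only reads from and writes to S3.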