Unable to Fetch the Details of Private EC2 Instance using Lambda Function

0

Hi,

I'm trying to configure the system so that an object is automatically downloaded onto a private EC2 instance whenever the object is uploaded to an S3 bucket.

I have done the VPC configuration on the Lambda function and attached the "AWSLambdaVPCAccessExecutionRole" role and a security group.

I'm able to trigger the event from the S3 bucket to the Lambda function, but from the Lambda function to the private EC2 instance I am not able to connect.

Kindly advise how I should fetch the details of the private EC2 instance using Lambda and boto3.

Thanks in Advance.

  • Can you elaborate on what you mean by fetching details of a private EC2 instance? What details are you trying to fetch?

Alok
Asked a year ago, 419 views
3 answers
1

Hi,

  1. Go to Lambda console.
  2. Select the function that you want to use to connect to private instance.
  3. Choose Configuration and then choose VPC.
  4. Under VPC, click Edit.
  5. Choose a VPC, subnets, and security groups.
  6. Add at least two private subnets. Attach security groups and make sure that security groups allow required ports and protocols based on your requirement.
  7. Choose Save.

Now the next thing is EC2. On the EC2 instance side, make sure that one of the security groups attached to the EC2 instance can receive traffic (inbound rule) from the SG assigned to the Lambda function. Also, make sure the SG assigned to the Lambda function can make outbound calls to EC2 (this can usually be open to everything).

Make sure you add appropriate rules in the security groups on both sides to allow traffic.

Please refer to Configuring a Lambda function to access resources in a VPC

AWS Expert, answered a year ago
AWS Expert, reviewed a year ago
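The two security-group conditions the answer above lists (the Lambda SG allows outbound traffic to the port, and one of the instance's SGs has an inbound rule whose source is the Lambda SG, not an IP address) can be checked mechanically. The following is an added example, not code from the thread or from AWS: it evaluates those conditions over records in the shape returned by ec2.describe_security_groups(); the group IDs and rules are constructed sample data. In a real check you would obtain the Lambda's SG IDs from lambda_client.get_function_configuration(FunctionName=...)["VpcConfig"]["SecurityGroupIds"], the instance's SG IDs from ec2.describe_instances(), and the group records from ec2.describe_security_groups(GroupIds=[...]).

```python
# Added example: verify Lambda SG -> EC2 instance SG reachability from
# describe_security_groups()-style records. Sample data below is constructed.


def _rule_covers(perm, port, protocol):
    """True if one IpPermissions / IpPermissionsEgress entry covers port/protocol."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto != protocol:
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def lambda_sg_allows_egress(lambda_sg, port, protocol="tcp"):
    """Outbound check on the Lambda function's SG: any destination is acceptable."""
    return any(
        _rule_covers(p, port, protocol)
        and (p.get("IpRanges") or p.get("Ipv6Ranges") or p.get("UserIdGroupPairs"))
        for p in lambda_sg.get("IpPermissionsEgress", [])
    )


def instance_sg_allows_ingress_from(instance_sgs, source_sg_id, port, protocol="tcp"):
    """Inbound check: some instance SG must name the Lambda SG as the rule's source."""
    for sg in instance_sgs:
        for p in sg.get("IpPermissions", []):
            if not _rule_covers(p, port, protocol):
                continue
            if any(pair.get("GroupId") == source_sg_id
                   for pair in p.get("UserIdGroupPairs", [])):
                return True
    return False


def check_lambda_to_instance(lambda_sg, instance_sgs, port, protocol="tcp"):
    """Return a list of findings; an empty list means both directions are allowed."""
    findings = []
    lambda_id = lambda_sg["GroupId"]
    if not lambda_sg_allows_egress(lambda_sg, port, protocol):
        findings.append(f"Lambda SG {lambda_id} has no egress rule for {protocol}/{port}")
    if not instance_sg_allows_ingress_from(instance_sgs, lambda_id, port, protocol):
        findings.append(
            f"no instance SG has an inbound {protocol}/{port} rule with source {lambda_id}"
        )
    return findings


# Constructed sample records (shape of describe_security_groups()["SecurityGroups"]).
LAMBDA_SG = {
    "GroupId": "sg-0lambda0000000000",
    "IpPermissions": [],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
INSTANCE_SG_OK = {
    "GroupId": "sg-0ec2000000000000",
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "UserIdGroupPairs": [{"GroupId": "sg-0lambda0000000000"}],
    }],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
# Common mistake: the inbound rule names a single address instead of the Lambda SG.
# The Lambda ENI's address is not fixed, so this does not satisfy the SG-to-SG rule.
INSTANCE_SG_CIDR_ONLY = {
    "GroupId": "sg-0ec2000000000001",
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "10.0.1.25/32"}],
    }],
    "IpPermissionsEgress": [],
}

if __name__ == "__main__":
    print(check_lambda_to_instance(LAMBDA_SG, [INSTANCE_SG_OK], 22))         # []
    print(check_lambda_to_instance(LAMBDA_SG, [INSTANCE_SG_CIDR_ONLY], 22))  # one finding
```

The check deliberately treats a CIDR-based inbound rule as a failure even when the address happens to be right today, because the answer's point is that the rule should reference the Lambda function's security group rather than an address the Lambda ENI may not keep.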
0

What about having Lambda run a Systems Manager Run Command so that the files are copied from S3, for example with s3 cp?
Attach an IAM role to the EC2 instance with AmazonSSMManagedInstanceCore set in the IAM policy.
If the EC2 instance is located on a private subnet, configure it to communicate with Systems Manager using a NAT gateway or a VPC endpoint.
Create a function in Lambda to execute an SSM Run Command.
The Lambda function is executed when a file is created in S3.
The following document is an example for Windows.
https://repost.aws/questions/QU3rKJmmtRQ_aFX61wa_VnJw/lambda%E3%81%8B%E3%82%89-ec-2-run-command%E3%82%92%E5%AE%9F%E8%A1%8C%E3%81%99%E3%82%8B%E6%96%B9%E6%B3%95%EF%BC%88-windows%EF%BC%89

In the case of Linux, the following code would do.
If this can be used successfully, there is no need to connect the Lambda function to the VPC.
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ssm/client/send_command.html

import boto3
import shlex
from urllib.parse import unquote_plus

ssm = boto3.client('ssm')

def lambda_handler(event, context):
    # S3 event notifications carry the bucket name and a URL-encoded object key
    # (spaces arrive as '+'), so the key is decoded before it is used.
    bucket = event['Records'][0]['s3']['bucket']['name']
    key = unquote_plus(event['Records'][0]['s3']['object']['key'])
    # The S3 URI is shell-quoted so that an object name containing spaces or
    # shell metacharacters cannot change the command run on the instance.
    s3_uri = shlex.quote(f's3://{bucket}/{key}')
    response = ssm.send_command(
        InstanceIds=['instance-id'],  # replace with the target instance ID
        DocumentName='AWS-RunShellScript',
        Parameters={
            'commands': [
                f'aws s3 cp {s3_uri} /path/file_name'
            ],
            'executionTimeout': ['3600'],
        }
    )
    # Return the command ID so the invocation can be traced in SSM
    return response['Command']['CommandId']
Expert, answered a year ago
Expert, reviewed a year ago
0

Please check your Lambda configuration as described in the link below: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html

Answered a year ago
