Unable to publish to SNS Topic from Lambda inside private subnet of VPC


I have a Lambda function which requires access to an EC2 instance running in the private subnet of my VPC. So I associated the Lambda with the private subnet of the VPC. My Lambda also needs to publish to an SNS Topic. I have even configured an SNS VPC Interface Endpoint for SNS access. But I can't publish to SNS from this Lambda. What am I doing wrong? Here is my configuration.

resource "aws_vpc_endpoint" "sns" {
  vpc_id              = VPC_ID
  service_name        = "com.amazonaws.ca-central-1.sns"
  vpc_endpoint_type   = "Interface"
  private_dns_enabled = true
  subnet_ids = [
    PRIVATE_SUBNET_ID
  ]
  security_group_ids = [
    SECURITY_GROUP_FOR_PRIVATE_EC2_ID
  ]
}

resource "aws_eip" "nat_eip" {
  domain = "vpc"
  tags = {
    Name = "TAG"
  }

  depends_on = [aws_internet_gateway.db_proxy]
}

resource "aws_nat_gateway" "db_proxy" {
  allocation_id = aws_eip.nat_eip.id
  subnet_id     = PUBLIC_SUBNET_ID

  tags = {
    Name = "TAG"
  }

  depends_on = [aws_internet_gateway.db_proxy]
}

# Route Table associated with Private Subnet
resource "aws_route_table" "db_proxy_private" {
  vpc_id = VPC_ID

  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.db_proxy.id
  }

  tags = {
    Name = "TAG"
  }
}

# Security group associated with Private EC2.
resource "aws_security_group" "db_proxy_sg_private" {
  name        = NAME
  description = "Managed by Terraform"
  vpc_id      = VPC_ID

  # To Allow SSH Transport
  ingress {
    from_port   = 22
    protocol    = "tcp"
    to_port     = 22
    cidr_blocks = ["10.0.1.0/24"] // Public Subnet CIDR
    description = "Whitelisted SSH IPs"
  }

  # To Allow Port 80 Transport
  ingress {
    from_port   = 80
    protocol    = "tcp"
    to_port     = 80
    cidr_blocks = ["10.0.1.0/24"] // Public Subnet CIDR
    description = "Outgoing HTTP transport"
  }

  # Open port 8000 for external access
  ingress {
    from_port   = 8000
    protocol    = "tcp"
    to_port     = 8000
    cidr_blocks = ["10.0.1.0/24"] // Public Subnet CIDR
    description = "EC2 HTTP port"
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    create_before_destroy = true
  }
}

Assume the Lambda has been successfully associated with the private subnet and the private security group. The Lambda config is not attached here.

My SNS call times out when the Lambda is associated with the private subnet. When dissociated, it works as expected. I'm assuming something is wrong with the configuration of the SNS VPC Interface Endpoint.

1 answer

Ankush Jain

It seems the Lambda function is missing IAM permissions. A Lambda function in a VPC needs the following permissions to work properly.

Execution role permissions

  • ec2:CreateNetworkInterface
  • ec2:DescribeNetworkInterfaces
  • ec2:DeleteNetworkInterface

These permissions are included in the AWS managed policy AWSLambdaVPCAccessExecutionRole.

So, make sure the IAM Role for the Lambda function has this managed policy attached.
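As an added example (not part of the answer above), this is how the execution role described in the answer can be expressed in the same Terraform style as the question, with the managed policy attached and a least-privilege `sns:Publish` grant for the one topic the function needs. `LAMBDA_ROLE_NAME`, `FUNCTION_NAME`, `LAMBDA_ZIP_PATH` and `SNS_TOPIC_ARN` are placeholders; `PRIVATE_SUBNET_ID` and `SECURITY_GROUP_FOR_PRIVATE_EC2_ID` are the same placeholders the question uses.

```hcl
# Added example: execution role for the VPC-attached Lambda. All-caps values are placeholders.
data "aws_iam_policy_document" "lambda_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "lambda_exec" {
  name               = "LAMBDA_ROLE_NAME"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume.json
}

# AWS managed policy that grants ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces
# and ec2:DeleteNetworkInterface (plus CloudWatch Logs) so Lambda can manage its ENIs.
resource "aws_iam_role_policy_attachment" "lambda_vpc_access" {
  role       = aws_iam_role.lambda_exec.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

# Publish permission scoped to a single topic rather than "*".
data "aws_iam_policy_document" "sns_publish" {
  statement {
    actions   = ["sns:Publish"]
    resources = ["SNS_TOPIC_ARN"]
  }
}

resource "aws_iam_role_policy" "lambda_sns_publish" {
  name   = "lambda-sns-publish"
  role   = aws_iam_role.lambda_exec.id
  policy = data.aws_iam_policy_document.sns_publish.json
}

# The function itself, placed in the private subnet with the private security group,
# exactly as the question describes.
resource "aws_lambda_function" "publisher" {
  function_name = "FUNCTION_NAME"
  role          = aws_iam_role.lambda_exec.arn
  filename      = "LAMBDA_ZIP_PATH"
  handler       = "index.handler"
  runtime       = "python3.12"

  vpc_config {
    subnet_ids         = [PRIVATE_SUBNET_ID]
    security_group_ids = [SECURITY_GROUP_FOR_PRIVATE_EC2_ID]
  }
}
```

One further check worth making alongside the role: traffic to an interface endpoint arrives on TCP 443, so the endpoint's security group must allow inbound 443 from the function's security group, and the question reuses the private EC2 group for the endpoint, which only opens ports 22, 80 and 8000 from the public subnet CIDR.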