I have a scenario where I’m using an Amazon Cognito pre-token generation trigger to call an AWS Lambda function. The Lambda function is placed within a private subnet for security reasons. However, I’m having trouble configuring the security group for the Lambda function to allow Amazon Cognito to access it. Specifically, what is the CIDR for Cognito?
What is the recommended approach to configure the security group for the Lambda function to achieve this while maintaining a high level of security?
2 Answers
If you want to get the CIDR ranges for any AWS service, then you can download that from the AWS documentation and run jq queries to obtain the service that you require:
https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html
https://aws.amazon.com/blogs/aws/aws-ip-ranges-json/
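The filtering this answer describes, as an added example (not the answerer's own code): it parses a document in the shape of the published ip-ranges.json and returns the prefixes for one service and region, with the equivalent jq one-liner in the docstring. The embedded JSON is a constructed sample with documentation-only addresses; the real file is much larger and the set of service names it lists should be checked against the AWS page linked above rather than assumed.

```python
import ipaddress
import json

# Constructed sample in the shape of AWS's published ip-ranges.json
# (only the fields this example uses; the real file has many more
# entries and additional services).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1",
         "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1",
         "service": "AMAZON", "network_border_group": "eu-west-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
    ],
})


def service_prefixes(ip_ranges_json, service, region=None):
    """Return the IPv4 and IPv6 prefixes published for a service.

    Equivalent jq query over the real downloaded file:
      jq -r '.prefixes[] | select(.service=="AMAZON" and .region=="us-east-1")
             | .ip_prefix' ip-ranges.json
    """
    data = json.loads(ip_ranges_json)
    nets = []
    for entry in data.get("prefixes", []):
        if entry["service"] == service and (region is None or entry["region"] == region):
            nets.append(ipaddress.ip_network(entry["ip_prefix"]))
    for entry in data.get("ipv6_prefixes", []):
        if entry["service"] == service and (region is None or entry["region"] == region):
            nets.append(ipaddress.ip_network(entry["ipv6_prefix"]))
    return nets


def source_matches(ip_ranges_json, address, service, region=None):
    """True if `address` falls inside any published prefix for the service.

    Handy on the defender side, e.g. when reviewing VPC flow log entries or
    checking whether an egress rule is narrower than a whole-service range.
    An IPv4 address never matches an IPv6 prefix (ipaddress returns False).
    """
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in service_prefixes(ip_ranges_json, service, region))


if __name__ == "__main__":
    for net in service_prefixes(SAMPLE_IP_RANGES, "AMAZON", "us-east-1"):
        print(net)
```

Note that these ranges only matter for outbound rules from the function; as the next answer explains, nothing connects inbound to a Lambda function, so they are not what an inbound security group rule should be built from.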
Security groups for Lambda functions only affect outbound connections from the Lambda functions. Lambda functions don’t sit there idle with an open network port waiting for incoming traffic. When a Lambda function is invoked, the thing invoking the Lambda function actually calls the public AWS API, and requests that AWS start a new invocation of the function.
In your case, AWS Cognito is just going to talk to the public AWS API and request that a new invocation of your function is created, with a given payload. There is never a direct network connection established between Cognito and your Lambda function. The inbound rules of the Lambda function’s security group never come into play at all.
You restrict access to Lambda functions via the Lambda function’s resource policy. To restrict it so that your API Gateway can call it, you would assign a resource policy to the function that only allows your API Gateway resource to invoke it.
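The resource-policy approach this answer recommends, as an added example (not the answerer's code) applied to the asker's Cognito case rather than API Gateway: it builds the Lambda resource-based policy that allows only one Cognito user pool to invoke the function, and includes a small evaluator for the subset of IAM grammar the policy uses so the effect of the aws:SourceArn condition can be checked offline. The account id, region, function name and user pool id are constructed placeholders; the evaluator is a teaching aid and not the real IAM engine (no Deny handling, no principal wildcards).

```python
import fnmatch
import json

# Constructed placeholder identifiers; substitute your own.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:PreTokenGeneration"
USER_POOL_ARN = "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE"


def cognito_invoke_policy(function_arn, user_pool_arn):
    """Resource-based policy letting only one Cognito user pool invoke the function.

    The same grant is what the CLI creates with:
      aws lambda add-permission --function-name <name> \
        --statement-id AllowCognitoUserPool --action lambda:InvokeFunction \
        --principal cognito-idp.amazonaws.com --source-arn <user pool arn>
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCognitoUserPool",
            "Effect": "Allow",
            "Principal": {"Service": "cognito-idp.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": function_arn,
            # Without this condition any user pool in any AWS account could
            # invoke the function (the "confused deputy" problem).
            "Condition": {"ArnLike": {"aws:SourceArn": user_pool_arn}},
        }],
    }


def invoke_allowed(policy, principal_service, source_arn, function_arn):
    """Minimal evaluator for the policy subset used above.

    Checks Principal.Service, Action, Resource and an ArnLike aws:SourceArn
    condition; returns True only when an Allow statement matches.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt["Principal"].get("Service") != principal_service:
            continue
        if stmt["Action"] not in ("lambda:InvokeFunction", "lambda:*"):
            continue
        if not fnmatch.fnmatchcase(function_arn, stmt["Resource"]):
            continue
        cond = stmt.get("Condition", {}).get("ArnLike", {})
        # Condition keys are case-insensitive in IAM, so normalise them.
        patterns = {k.lower(): v for k, v in cond.items()}.get("aws:sourcearn")
        if patterns is None:
            return True  # no source condition: overly broad grant
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(source_arn, p) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(cognito_invoke_policy(FUNCTION_ARN, USER_POOL_ARN), indent=2))
```

When reviewing an existing function, `aws lambda get-policy --function-name <name>` returns the current resource policy; a statement with a service principal but no aws:SourceArn (or aws:SourceAccount) condition is the thing to look for.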