steampipe plugin install aws

Table: aws_lambda_function - Query AWS Lambda Function using SQL

The AWS Lambda Function is a compute service that lets you run code without provisioning or managing servers. AWS Lambda executes your code only when needed and scales automatically, from a few requests per day to thousands per second. You pay only for the compute time you consume - there is no charge when your code is not running.

Table Usage Guide

The aws_lambda_function table in Steampipe provides you with information about AWS Lambda Functions. This table allows you, as a DevOps engineer, to query function-specific details, including the function's runtime, code size, timeout, and associated tags. You can utilize this table to gather insights on functions, such as the function's configuration, handler, last modified date, and more. The schema outlines the various attributes of the AWS Lambda Function for you, including the function name, ARN, description, and associated environment variables.

Examples

Basic Info

List each Lambda function with its handler and the ARN of the KMS key used to encrypt its environment variables. A null kms_key_arn means no customer managed key is configured and the function relies on the AWS-managed key, so this is a quick first view of your encryption posture.

select
  name,
  arn,
  handler,
  kms_key_arn
from
  aws_lambda_function;

List Lambda functions whose environment variables are not encrypted with a CMK

Identify functions whose environment variables are not encrypted with a customer managed key (CMK). kms_key_arn is only populated when a customer managed key is configured, so a null value means the default AWS-managed key is in use, which may not satisfy key-management or compliance requirements.

select
  name,
  kms_key_arn
from
  aws_lambda_function
where
  kms_key_arn is null;

Count of lambda functions by runtime engines

Discover the distribution of different runtime engines used in your AWS Lambda functions. This helps to understand the prevalence of different programming languages in your serverless architecture.

select
  runtime,
  count(*)
from
  aws_lambda_function
group by
  runtime;

List Lambda functions whose log retention period is less than 30 days

Find Lambda functions whose CloudWatch log group keeps logs for fewer than 30 days. Lambda writes to the log group /aws/lambda/<function name>, so the join matches on that name within the same account and region. Functions with short retention may need it raised so that logs are not lost prematurely. Log groups with no retention setting (logs never expire) have a null retention_in_days and are not returned by this query.

select
  fn.name,
  lg.name as log_group,
  lg.retention_in_days
from
  aws_lambda_function as fn
  inner join aws_cloudwatch_log_group as lg
    on lg.name = '/aws/lambda/' || fn.name
    and lg.account_id = fn.account_id
    and lg.region = fn.region
where
  lg.retention_in_days < 30;

Availability zone count for each VPC lambda function

Count the distinct availability zones covered by the subnets of each VPC-attached Lambda function. Functions whose subnets all sit in one zone have no fault tolerance against a zone outage, so the result is ordered with the least-spread functions first. Counting distinct zones rather than subnets avoids over-counting when several subnets share a zone.

PostgreSQL:

select
  fn.name,
  fn.region,
  count(distinct sub.availability_zone) as zone_count
from
  aws_lambda_function as fn
  cross join jsonb_array_elements_text(fn.vpc_subnet_ids) as vpc_subnet
  join aws_vpc_subnet as sub on sub.subnet_id = vpc_subnet
group by
  fn.name,
  fn.region
order by
  zone_count;

SQLite:

select
  fn.name,
  fn.region,
  count(distinct sub.availability_zone) as zone_count
from
  aws_lambda_function as fn,
  json_each(fn.vpc_subnet_ids) as vpc_subnet
  join aws_vpc_subnet as sub on sub.subnet_id = vpc_subnet.value
group by
  fn.name,
  fn.region
order by
  zone_count;

List all the actions allowed by managed policies for a Lambda execution role

Expand every Allow statement of the managed policies attached to a function's execution role into the individual IAM actions it permits, with each action's access level. This shows the effective blast radius of the role if the function is compromised and highlights permissions that should be trimmed. Replace 'hellopython' with the function of interest; inline role policies are not covered by this query.

PostgreSQL:

select
  f.name,
  f.role,
  a.action,
  a.access_level,
  a.description
from
  aws_lambda_function as f,
  aws_iam_role as r,
  jsonb_array_elements_text(r.attached_policy_arns) as pol_arn,
  aws_iam_policy as p,
  jsonb_array_elements(p.policy_std -> 'Statement') as stmt,
  jsonb_array_elements_text(stmt -> 'Action') as action_glob,
  glob(action_glob) as action_regex
  join aws_iam_action a on a.action like action_regex
where
  f.role = r.arn
  and pol_arn = p.arn
  and stmt ->> 'Effect' = 'Allow'
  and f.name = 'hellopython';

SQLite:

select
  f.name,
  f.role,
  a.action,
  a.access_level,
  a.description
from
  aws_lambda_function as f
  join aws_iam_role as r on f.role = r.arn
  join json_each(r.attached_policy_arns) as pol_arn
  join aws_iam_policy as p on p.arn = pol_arn.value
  join json_each(p.policy_std, '$.Statement') as stmt
  join json_each(stmt.value, '$.Action') as action_glob
  join aws_iam_action as a on a.action glob action_glob.value
where
  json_extract(stmt.value, '$.Effect') = 'Allow'
  and f.name = 'hellopython';
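The query above needs the aws_iam_action table to expand globs into concrete actions. A cheaper triage that does not need it is to look only for wildcard grants, which are the usual sign of an over-privileged execution role. The following PostgreSQL query is an added example, not part of the Steampipe documentation; it assumes that aws_iam_role and aws_iam_policy expose a name column and that statements in policy_std carry a Resource array alongside Action and Effect.

```sql
-- Added example (not from the Steampipe docs): execution roles whose attached
-- managed policies allow a wildcard action, either '*' or '<service>:*'.
-- Works on policy_std, the canonical form in which Action is always an array
-- of lowercase strings. Assumes r.name, p.name and stmt -> 'Resource' exist.
select
  f.name as function_name,
  r.name as role_name,
  p.name as policy_name,
  action_glob as wildcard_action,
  stmt -> 'Resource' as resources
from
  aws_lambda_function as f
  join aws_iam_role as r on f.role = r.arn,
  jsonb_array_elements_text(r.attached_policy_arns) as pol_arn
  join aws_iam_policy as p on p.arn = pol_arn,
  jsonb_array_elements(p.policy_std -> 'Statement') as stmt,
  jsonb_array_elements_text(stmt -> 'Action') as action_glob
where
  stmt ->> 'Effect' = 'Allow'
  and (action_glob = '*' or action_glob like '%:*')
order by
  f.name,
  r.name,
  p.name;
```

A row with wildcard_action '*' and a Resource of '*' is full administrative access for the function; rows scoped to a single service and a narrow resource are less urgent but still worth reviewing against what the handler actually calls. Inline role policies are not attached_policy_arns and are not covered here.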

List functions not configured with a dead-letter queue

Identify functions that have no dead-letter queue configured. Without one, events from failed asynchronous invocations are discarded after Lambda's retries are exhausted, so failures are both lost and harder to investigate.

select
  arn,
  dead_letter_config_target_arn
from
  aws_lambda_function
where
  dead_letter_config_target_arn is null;

List runtime settings for each function

List the runtime, handler and instruction set architecture of each function. This is the starting point for spotting deprecated runtimes and for checking that functions are configured consistently across your account.

select
  name,
  runtime,
  handler,
  architectures
from
  aws_lambda_function;

List URL configuration details for each function

Show the function URL configuration of each function. Function URLs expose a function directly over HTTPS, so the authentication type and CORS settings in url_config determine who can invoke it from the internet.

PostgreSQL:

select
  name,
  arn,
  jsonb_pretty(url_config) as url_config
from
  aws_lambda_function;

SQLite:

select
  name,
  arn,
  url_config
from
  aws_lambda_function;

List functions that have tracing disabled

Find functions whose X-Ray tracing mode is PassThrough, meaning the function only forwards an existing trace header and does not sample invocations itself. Such functions leave gaps in distributed tracing that make incidents and performance problems harder to diagnose.

PostgreSQL:

select
  name,
  arn,
  jsonb_pretty(tracing_config) as tracing_config
from
  aws_lambda_function
where
  tracing_config ->> 'Mode' = 'PassThrough';

SQLite:

select
  name,
  arn,
  tracing_config
from
  aws_lambda_function
where
  json_extract(tracing_config, '$.Mode') = 'PassThrough';
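The CMK, dead-letter queue, function URL and tracing examples above each answer one question. When reviewing an account it is more useful to see all of those checks side by side per function. The following PostgreSQL query is an added example, not part of the Steampipe documentation; it assumes url_config contains the AuthType key returned by the Lambda GetFunctionUrlConfig API ('NONE' or 'AWS_IAM') and that environment_variables is null or an empty object when a function defines no variables.

```sql
-- Added example (not from the Steampipe docs): one row per function with a
-- boolean per hardening check and a finding count for sorting. Only functions
-- with at least one finding are returned.
with checks as (
  select
    name,
    region,
    -- the CMK finding only matters when the function actually has variables to protect
    (coalesce(environment_variables, '{}'::jsonb) <> '{}'::jsonb
      and kms_key_arn is null) as env_vars_without_cmk,
    (dead_letter_config_target_arn is null) as no_dead_letter_queue,
    -- a missing tracing_config is treated like PassThrough
    (coalesce(tracing_config ->> 'Mode', 'PassThrough') <> 'Active') as tracing_inactive,
    -- assumption: url_config carries AuthType; no URL at all is not a finding
    (coalesce(url_config ->> 'AuthType', '') = 'NONE') as public_function_url
  from
    aws_lambda_function
)
select
  name,
  region,
  env_vars_without_cmk,
  no_dead_letter_queue,
  tracing_inactive,
  public_function_url,
  env_vars_without_cmk::int
    + no_dead_letter_queue::int
    + tracing_inactive::int
    + public_function_url::int as finding_count
from
  checks
where
  env_vars_without_cmk
  or no_dead_letter_queue
  or tracing_inactive
  or public_function_url
order by
  finding_count desc,
  name;
```

A public_function_url finding deserves attention first: an unauthenticated URL lets anyone on the internet invoke the function and exercise whatever its execution role allows, so it should be paired with the execution-role review above.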

Schema for aws_lambda_function

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form.
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
architectures | jsonb | | The instruction set architecture that the function supports. Architecture is a string array with one of the valid values.
arn | text | | The function's Amazon Resource Name (ARN).
code | jsonb | | The deployment package of the function or version.
code_sha_256 | text | | The SHA256 hash of the function's deployment package.
code_size | bigint | | The size of the function's deployment package, in bytes.
dead_letter_config_target_arn | text | | The Amazon Resource Name (ARN) of an Amazon SQS queue or Amazon SNS topic.
description | text | | The function's description.
environment_variables | jsonb | | The environment variables that are accessible from function code during execution.
file_system_configs | jsonb | | Connection settings for an Amazon EFS file system.
handler | text | | The function that Lambda calls to begin executing your function.
kms_key_arn | text | | The KMS key that's used to encrypt the function's environment variables. This key is only returned if you've configured a customer managed CMK.
last_modified | timestamp with time zone | | The date and time that the function was last updated.
last_update_status | text | | The status of the last update that was performed on the function.
last_update_status_reason | text | | The reason for the last update that was performed on the function.
last_update_status_reason_code | text | | The reason code for the last update that was performed on the function.
layers | jsonb | |
master_arn | text | | For Lambda@Edge functions, the ARN of the master function.
memory_size | bigint | | The memory that's allocated to the function.
name | text | = | The name of the function.
package_type | text | | The type of deployment package.
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
policy | jsonb | | The resource-based IAM policy of the Lambda function.
policy_std | jsonb | | Contains the policy in a canonical form for easier searching.
region | text | | The AWS Region in which the resource is located.
reserved_concurrent_executions | bigint | | The number of concurrent executions that are reserved for this function.
revision_id | text | | The latest updated revision of the function or alias.
role | text | | The function's execution role.
runtime | text | | The runtime environment for the Lambda function.
snap_start | jsonb | | Set ApplyOn to PublishedVersions to create a snapshot of the initialized execution environment when you publish a function version.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
state | text | | The current state of the function.
state_reason | text | | The reason for the function's current state.
state_reason_code | text | | The reason code for the function's current state.
tags | jsonb | | A map of tags for the resource.
timeout | text | | The amount of time in seconds that Lambda allows a function to run before stopping it.
title | text | | Title of the resource.
tracing_config | jsonb | | The function's X-Ray tracing configuration.
url_config | jsonb | | The function URL configuration details of the function.
version | text | | The version of the Lambda function.
vpc_id | text | | The VPC ID that is attached to the Lambda function.
vpc_security_group_ids | jsonb | | A list of VPC security group IDs attached to the Lambda function.
vpc_subnet_ids | jsonb | | A list of VPC subnet IDs attached to the Lambda function.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are standalone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_lambda_function