Steampipe unbundled →
Steampipe Hub 
Hub
Plugins
turbot/aws
Overview
483Tables
Versions
PowerpipeMods
GitHub
steampipe plugin install aws

Table: aws_lambda_function - Query AWS Lambda Function using SQL

The AWS Lambda Function is a compute service that lets you run code without provisioning or managing servers. AWS Lambda executes your code only when needed and scales automatically, from a few requests per day to thousands per second. You pay only for the compute time you consume - there is no charge when your code is not running.

Table Usage Guide

The aws_lambda_function table in Steampipe provides you with information about AWS Lambda Functions. This table allows you, as a DevOps engineer, to query function-specific details, including the function's runtime, code size, timeout, and associated tags. You can utilize this table to gather insights on functions, such as the function's configuration, handler, last modified date, and more. The schema outlines the various attributes of the AWS Lambda Function for you, including the function name, ARN, description, and associated environment variables.

Examples

Basic Info

Explore which AWS Lambda functions are in use and determine if they have a Key Management Service (KMS) key associated with them, which is essential for managing cryptographic keys. This is beneficial for understanding your security configuration and ensuring that sensitive data is properly encrypted.

select
  name,
  arn,
  handler,
  kms_key_arn
from
  aws_lambda_function;
select
  name,
  arn,
  handler,
  kms_key_arn
from
  aws_lambda_function;

List of lambda functions which are not encrypted with CMK

Identify instances where AWS Lambda functions are lacking encryption with a Customer Master Key (CMK), which is crucial for enhancing data security and complying with regulatory standards.

select
  name,
  kms_key_arn
from
  aws_lambda_function
where
  kms_key_arn is null;
select
  name,
  kms_key_arn
from
  aws_lambda_function
where
  kms_key_arn is null;

Count of lambda functions by runtime engines

Discover the distribution of different runtime engines used in your AWS Lambda functions. This helps to understand the prevalence of different programming languages in your serverless architecture.

select
  runtime,
  count(*)
from
  aws_lambda_function
group by
  runtime;
select
  runtime,
  count(*)
from
  aws_lambda_function
group by
  runtime;

List of lambda function whose retention period is less than 30 days

Determine the areas in which AWS Lambda functions have a retention period of less than 30 days. This is beneficial for identifying functions that may need their retention periods adjusted to ensure data is not lost prematurely.

select
  fn.name,
  lg.name,
  lg.retention_in_days
from
  aws_lambda_function as fn
  inner join aws_cloudwatch_log_group as lg on (
    (lg.name = '/aws/lambda/')
    or (lg.name = fn.name)
  )
where
  lg.retention_in_days < 30;
select
  fn.name,
  lg.name,
  lg.retention_in_days
from
  aws_lambda_function as fn
  inner join aws_cloudwatch_log_group as lg on (
    (lg.name = '/aws/lambda/')
    or (lg.name = fn.name)
  )
where
  lg.retention_in_days < 30;

Availability zone count for each VPC lambda function

Determine the number of availability zones for each AWS Lambda function within a Virtual Private Cloud (VPC). This can help in understanding the distribution of your Lambda functions across different zones, which is crucial for optimizing performance and managing costs.

select
  fn.name,
  fn.region,
  count (availability_zone) as zone_count
from
  aws_lambda_function as fn
  cross join jsonb_array_elements_text(vpc_subnet_ids) as vpc_subnet
  join aws_vpc_subnet as sub on sub.subnet_id = vpc_subnet
group by
  fn.name,
  fn.region
order by
  zone_count;
select
  fn.name,
  fn.region,
  count(sub.availability_zone) as zone_count
from
  aws_lambda_function as fn,
  json_each(fn.vpc_subnet_ids) as vpc_subnet
  join aws_vpc_subnet as sub on sub.subnet_id = json_extract(vpc_subnet.value, '$')
group by
  fn.name,
  fn.region
order by
  zone_count;

List all the actions allowed by managed policies for a Lambda execution role

Explore which actions are permitted by managed policies for a specific Lambda execution role. This is useful for assessing the level of access a role has, and can help identify any potential security risks or areas where permissions may need to be adjusted.

select
  f.name,
  f.role,
  a.action,
  a.access_level,
  a.description
from
  aws_lambda_function as f,
  aws_iam_role as r,
  jsonb_array_elements_text(r.attached_policy_arns) as pol_arn,
  aws_iam_policy as p,
  jsonb_array_elements(p.policy_std -> 'Statement') as stmt,
  jsonb_array_elements_text(stmt -> 'Action') as action_glob,
  glob(action_glob) as action_regex
  join aws_iam_action a ON a.action LIKE action_regex
where
  f.role = r.arn
  and pol_arn = p.arn
  and stmt ->> 'Effect' = 'Allow'
  and f.name = 'hellopython';
select
  f.name,
  f.role,
  a.action,
  a.access_level,
  a.description
from
  aws_lambda_function as f
  join aws_iam_role as r on f.role = r.arn
  join aws_iam_policy as p on p.arn in (
    select
      json_extract(r.attached_policy_arns, '$[*]')
  )
  join aws_iam_action as a on a.action in (
    select
      json_extract(
        json_extract(p.policy_std, '$.Statement[*].Action'),
        '$[*]'
      )
  )
where
  json_extract(p.policy_std, '$.Statement[*].Effect') = 'Allow'
  and f.name = 'hellopython';

List functions not configured with a dead-letter queue

Determine the areas in which AWS Lambda functions are potentially at risk due to the absence of a configured dead-letter queue, which is crucial for handling failed asynchronous invocations and preventing data loss.

select
  arn,
  dead_letter_config_target_arn
from
  aws_lambda_function
where
  dead_letter_config_target_arn is null;
select
  arn,
  dead_letter_config_target_arn
from
  aws_lambda_function
where
  dead_letter_config_target_arn is null;

List runtime settings for each function

Discover the segments that have varied runtime settings for each function in your AWS Lambda service. This can help in understanding how different functions are configured and optimize them for better performance.

select
  name,
  runtime,
  handler,
  architectures
from
  aws_lambda_function;
select
  name,
  runtime,
  handler,
  architectures
from
  aws_lambda_function;

List URL configuration details for each function

Review the configuration for each AWS Lambda function to gain insights into their URL settings. This can help in understanding the routing and request handling setup of your serverless applications.

select
  name,
  arn,
  jsonb_pretty(url_config) as url_config
from
  aws_lambda_function;
select
  name,
  arn,
  url_config
from
  aws_lambda_function;

List functions that have tracing disabled

Analyze the settings to understand which AWS Lambda functions have their tracing feature disabled. This can be useful in identifying potential gaps in the monitoring and debugging process of your serverless applications.

select
  name,
  arn,
  jsonb_pretty(tracing_config) as tracing_config
from
  aws_lambda_function
where
  tracing_config ->> 'Mode' = 'PassThrough';
select
  name,
  arn,
  tracing_config
from
  aws_lambda_function
where
  json_extract(tracing_config, '$.Mode') = 'PassThrough';

Query examples

Control examples

Schema for aws_lambda_function

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
account_idtext=, !=, ~~, ~~*, !~~, !~~*The AWS Account ID in which the resource is located.
akasjsonbArray of globally unique identifier strings (also known as) for the resource.
architecturesjsonbThe instruction set architecture that the function supports. Architecture is a string array with one of the valid values.
arntextThe function's Amazon Resource Name (ARN).
codejsonbThe deployment package of the function or version.
code_sha_256textThe SHA256 hash of the function's deployment package.
code_sizebigintThe size of the function's deployment package, in bytes.
dead_letter_config_target_arntextThe Amazon Resource Name (ARN) of an Amazon SQS queue or Amazon SNS topic.
descriptiontextThe function's description.
environment_variablesjsonbThe environment variables that are accessible from function code during execution.
file_system_configsjsonbConnection settings for an Amazon EFS file system.
handlertextThe function that Lambda calls to begin executing your function.
kms_key_arntextThe KMS key that's used to encrypt the function's environment variables. This key is only returned if you've configured a customer managed CMK.
last_modifiedtimestamp with time zoneThe date and time that the function was last updated.
last_update_statustextThe status of the last update that was performed on the function.
last_update_status_reasontextThe reason for the last update that was performed on the function.
last_update_status_reason_codetextThe reason code for the last update that was performed on the function.
layersjsonb
master_arntextFor Lambda@Edge functions, the ARN of the master function.
memory_sizebigintThe memory that's allocated to the function.
nametext=The name of the function.
package_typetextThe type of deployment package.
partitiontextThe AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
policyjsonbThe resource-based iam policy of Lambda function.
policy_stdjsonbContains the policy in a canonical form for easier searching.
regiontextThe AWS Region in which the resource is located.
reserved_concurrent_executionsbigintThe number of concurrent executions that are reserved for this function.
revision_idtextThe latest updated revision of the function or alias.
roletextThe function's execution role.
runtimetextThe runtime environment for the Lambda function.
snap_startjsonbSet ApplyOn to PublishedVersions to create a snapshot of the initialized execution environment when you publish a function version.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
statetextThe current state of the function.
state_reasontextThe reason for the function's current state.
state_reason_codetextThe reason code for the function's current state.
tagsjsonbA map of tags for the resource.
timeouttextThe amount of time in seconds that Lambda allows a function to run before stopping it.
titletextTitle of the resource.
tracing_configjsonbThe function's X-Ray tracing configuration.
url_configjsonbThe function URL configuration details of the function.
versiontextThe version of the Lambda function.
vpc_idtextThe VPC ID that is attached to Lambda function.
vpc_security_group_idsjsonbA list of VPC security groups IDs attached to Lambda function.
vpc_subnet_idsjsonbA list of VPC subnet IDs attached to Lambda function.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_lambda_function