Table: aws_lambda_function - Query AWS Lambda Function using SQL
The AWS Lambda Function is a compute service that lets you run code without provisioning or managing servers. AWS Lambda executes your code only when needed and scales automatically, from a few requests per day to thousands per second. You pay only for the compute time you consume - there is no charge when your code is not running.
Table Usage Guide
The aws_lambda_function table in Steampipe provides you with information about AWS Lambda Functions. This table allows you, as a DevOps engineer, to query function-specific details, including the function's runtime, code size, timeout, and associated tags. You can utilize this table to gather insights on functions, such as the function's configuration, handler, last modified date, and more. The schema outlines the various attributes of the AWS Lambda Function for you, including the function name, ARN, description, and associated environment variables.
Examples
Basic Info
Explore which AWS Lambda functions are in use and determine if they have a Key Management Service (KMS) key associated with them, which is essential for managing cryptographic keys. This is beneficial for understanding your security configuration and ensuring that sensitive data is properly encrypted.
```sql
select
  name,
  arn,
  handler,
  kms_key_arn
from
  aws_lambda_function;
```
List of lambda functions which are not encrypted with CMK
Identify instances where AWS Lambda functions are lacking encryption with a Customer Master Key (CMK), which is crucial for enhancing data security and complying with regulatory standards.
```sql
select
  name,
  kms_key_arn
from
  aws_lambda_function
where
  kms_key_arn is null;
```
Count of lambda functions by runtime engines
Discover the distribution of different runtime engines used in your AWS Lambda functions. This helps to understand the prevalence of different programming languages in your serverless architecture.
```sql
select
  runtime,
  count(*)
from
  aws_lambda_function
group by
  runtime;
```
List of lambda functions whose log retention period is less than 30 days
Identify AWS Lambda functions whose CloudWatch log group retains logs for less than 30 days. This is useful for spotting functions whose retention period may need adjusting so that log data is not lost prematurely.
```sql
select
  fn.name,
  lg.name,
  lg.retention_in_days
from
  aws_lambda_function as fn
  -- Lambda writes to a log group named /aws/lambda/<function name> by default;
  -- a log group named exactly after the function is also accepted.
  inner join aws_cloudwatch_log_group as lg on (
    (lg.name = '/aws/lambda/' || fn.name)
    or (lg.name = fn.name)
  )
where
  lg.retention_in_days < 30;
```
Availability zone count for each VPC lambda function
Determine the number of availability zones for each AWS Lambda function within a Virtual Private Cloud (VPC). This can help in understanding the distribution of your Lambda functions across different zones, which is crucial for optimizing performance and managing costs.
PostgreSQL:

```sql
select
  fn.name,
  fn.region,
  -- count distinct zones, not subnets, so two subnets in one AZ count once
  count(distinct sub.availability_zone) as zone_count
from
  aws_lambda_function as fn
  cross join jsonb_array_elements_text(fn.vpc_subnet_ids) as vpc_subnet
  join aws_vpc_subnet as sub on sub.subnet_id = vpc_subnet
group by
  fn.name,
  fn.region
order by
  zone_count;
```

SQLite:

```sql
select
  fn.name,
  fn.region,
  count(distinct sub.availability_zone) as zone_count
from
  aws_lambda_function as fn
  -- json_each yields each subnet id as plain text in its value column
  cross join json_each(fn.vpc_subnet_ids) as vpc_subnet
  join aws_vpc_subnet as sub on sub.subnet_id = vpc_subnet.value
group by
  fn.name,
  fn.region
order by
  zone_count;
```
List all the actions allowed by managed policies for a Lambda execution role
Explore which actions are permitted by managed policies for a specific Lambda execution role. This is useful for assessing the level of access a role has, and can help identify any potential security risks or areas where permissions may need to be adjusted.
PostgreSQL:

```sql
select
  f.name,
  f.role,
  a.action,
  a.access_level,
  a.description
from
  aws_lambda_function as f,
  aws_iam_role as r,
  jsonb_array_elements_text(r.attached_policy_arns) as pol_arn,
  aws_iam_policy as p,
  jsonb_array_elements(p.policy_std -> 'Statement') as stmt,
  jsonb_array_elements_text(stmt -> 'Action') as action_glob,
  -- glob() is Steampipe's helper that turns an IAM action glob into a LIKE pattern
  glob(action_glob) as action_regex
  join aws_iam_action a on a.action like action_regex
where
  f.role = r.arn
  and pol_arn = p.arn
  and stmt ->> 'Effect' = 'Allow'
  and f.name = 'hellopython';
```

SQLite:

```sql
select
  f.name,
  f.role,
  a.action,
  a.access_level,
  a.description
from
  aws_lambda_function as f
  join aws_iam_role as r on f.role = r.arn
  -- expand the attached policy ARNs, statements and actions with json_each
  cross join json_each(r.attached_policy_arns) as pol_arn
  join aws_iam_policy as p on p.arn = pol_arn.value
  cross join json_each(p.policy_std, '$.Statement') as stmt
  cross join json_each(stmt.value, '$.Action') as action_glob
  -- SQLite's native GLOB operator matches the '*' wildcards used in IAM actions
  join aws_iam_action as a on a.action glob action_glob.value
where
  json_extract(stmt.value, '$.Effect') = 'Allow'
  and f.name = 'hellopython';
```
List functions not configured with a dead-letter queue
Identify AWS Lambda functions that have no dead-letter queue configured. A dead-letter queue captures failed asynchronous invocations, so its absence risks losing those events.
```sql
select
  arn,
  dead_letter_config_target_arn
from
  aws_lambda_function
where
  dead_letter_config_target_arn is null;
```
List runtime settings for each function
Review the runtime, handler and instruction set architecture of each function in your AWS Lambda service. This helps you understand how different functions are configured and where they can be optimized for better performance.
```sql
select
  name,
  runtime,
  handler,
  architectures
from
  aws_lambda_function;
```
List URL configuration details for each function
Review the configuration for each AWS Lambda function to gain insights into their URL settings. This can help in understanding the routing and request handling setup of your serverless applications.
PostgreSQL:

```sql
select
  name,
  arn,
  jsonb_pretty(url_config) as url_config
from
  aws_lambda_function;
```

SQLite:

```sql
select
  name,
  arn,
  url_config
from
  aws_lambda_function;
```
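An added PostgreSQL example, not one of the Steampipe docs' own queries, that combines the policy_std and url_config columns used above to list functions anyone can invoke: either through a resource-based policy that allows invocation by any principal with no Condition, or through a function URL with AuthType NONE. It assumes policy_std normalizes Principal to {"AWS": [...]} arrays and lowercases action names, and that url_config carries the AuthType and FunctionUrl fields of the function URL configuration.

```sql
-- Assumed policy_std layout: Statement, Action and Principal.AWS are arrays,
-- and action names are lowercased.
with public_statements as (
  select distinct
    f.name,
    f.arn,
    f.region,
    stmt ->> 'Sid' as sid
  from
    aws_lambda_function as f,
    jsonb_array_elements(f.policy_std -> 'Statement') as stmt,
    jsonb_array_elements_text(stmt -> 'Action') as act
  where
    stmt ->> 'Effect' = 'Allow'
    -- '*' as an AWS principal means every account and anonymous callers
    and ((stmt -> 'Principal') -> 'AWS') ? '*'
    -- a Condition block (e.g. aws:SourceArn) narrows the grant, so skip those
    and not (stmt ? 'Condition')
    and lower(act) in ('*', 'lambda:*', 'lambda:invokefunction')
)
select
  name,
  arn,
  region,
  'resource policy' as exposure,
  sid as detail
from
  public_statements
union all
-- Assumed url_config fields: AuthType ('NONE' or 'AWS_IAM') and FunctionUrl.
select
  name,
  arn,
  region,
  'function url' as exposure,
  url_config ->> 'FunctionUrl' as detail
from
  aws_lambda_function
where
  url_config ->> 'AuthType' = 'NONE'
order by
  name;
```

A function can appear twice, once per exposure path; both rows should be reviewed against the "Lambda functions should restrict public access" and "restrict public URL" controls listed below.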
List functions that have tracing disabled
Analyze the settings to understand which AWS Lambda functions have their tracing feature disabled. This can be useful in identifying potential gaps in the monitoring and debugging process of your serverless applications.
PostgreSQL:

```sql
select
  name,
  arn,
  jsonb_pretty(tracing_config) as tracing_config
from
  aws_lambda_function
where
  tracing_config ->> 'Mode' = 'PassThrough';
```

SQLite:

```sql
select
  name,
  arn,
  tracing_config
from
  aws_lambda_function
where
  json_extract(tracing_config, '$.Mode') = 'PassThrough';
```
Query examples
- iam_roles_for_lambda_function
- kms_keys_for_lambda_function
- lambda_function_by_account
- lambda_function_by_region
- lambda_function_by_runtime
- lambda_function_code_size_by_account
- lambda_function_code_size_by_region
- lambda_function_code_size_by_runtime
- lambda_function_count
- lambda_function_encryption
- lambda_function_encryption_table
- lambda_function_input
- lambda_function_memory
- lambda_function_memory_size_by_account
- lambda_function_memory_size_by_region
- lambda_function_memory_size_by_runtime
- lambda_function_overview
- lambda_function_policy
- lambda_function_public
- lambda_function_public_access_table
- lambda_function_public_count
- lambda_function_runtime
- lambda_function_security_groups
- lambda_function_subnet_ids
- lambda_function_tags
- lambda_function_unencrypted_count
- lambda_functions_for_api_gatewayv2_api
- lambda_functions_for_cloudwatch_log_group
- lambda_functions_for_iam_role
- lambda_functions_for_kms_key
- lambda_functions_for_sqs_queue
- lambda_functions_for_vpc
- lambda_functions_for_vpc_security_group
- lambda_functions_for_vpc_subnet
- policy_std_for_lambda_function
- vpc_security_group_assoc
- vpc_security_group_egress_rule_sankey
- vpc_security_group_ingress_rule_sankey
- vpc_security_groups_for_lambda_function
- vpc_subnet_association
- vpc_subnets_for_lambda_function
- vpc_vpcs_for_lambda_function
Control examples
- All Controls > Lambda > Ensure Cloudwatch Lambda insights is enabled
- All Controls > Lambda > Ensure encryption in transit is enabled for Lambda environment variables
- All Controls > Lambda > Lambda functions CloudTrail logging should be enabled
- All Controls > Lambda > Lambda functions CORS configuration should not allow all origins
- All Controls > Lambda > Lambda functions should restrict public URL
- All Controls > Lambda > Lambda functions tracing should be enabled
- All Controls > Lambda > Lambda functions variable should not have any sensitive data
- AWS Foundational Security Best Practices > Lambda > 1 Lambda function policies should prohibit public access
- AWS Foundational Security Best Practices > Lambda > 2 Lambda functions should use supported runtimes
- AWS Foundational Security Best Practices > Lambda > 5 VPC Lambda functions should operate in multiple Availability Zones
- CIS AWS Compute Services Benchmark v1.0.0 > 4 Lambda > 4.12 Ensure encryption in transit is enabled for Lambda environment variables
- CIS AWS Compute Services Benchmark v1.0.0 > 4 Lambda > 4.2 Ensure Cloudwatch Lambda insights is enabled
- CIS AWS Compute Services Benchmark v1.0.0 > 4 Lambda > 4.6 Ensure Lambda functions are not exposed to everyone
- Lambda functions concurrent execution limit configured
- Lambda functions should be configured with a dead-letter queue
- Lambda functions should be in a VPC
- Lambda functions should operate in more than one availability zone
- Lambda functions should restrict public access
- Lambda functions should use latest runtimes
Schema for aws_lambda_function
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
architectures | jsonb | | The instruction set architecture that the function supports. Architecture is a string array with one of the valid values. |
arn | text | | The function's Amazon Resource Name (ARN). |
code | jsonb | | The deployment package of the function or version. |
code_sha_256 | text | | The SHA256 hash of the function's deployment package. |
code_size | bigint | | The size of the function's deployment package, in bytes. |
dead_letter_config_target_arn | text | | The Amazon Resource Name (ARN) of an Amazon SQS queue or Amazon SNS topic. |
description | text | | The function's description. |
environment_variables | jsonb | | The environment variables that are accessible from function code during execution. |
file_system_configs | jsonb | | Connection settings for an Amazon EFS file system. |
handler | text | | The function that Lambda calls to begin executing your function. |
kms_key_arn | text | | The KMS key that's used to encrypt the function's environment variables. This key is only returned if you've configured a customer managed CMK. |
last_modified | timestamp with time zone | | The date and time that the function was last updated. |
last_update_status | text | | The status of the last update that was performed on the function. |
last_update_status_reason | text | | The reason for the last update that was performed on the function. |
last_update_status_reason_code | text | | The reason code for the last update that was performed on the function. |
layers | jsonb | | |
master_arn | text | | For Lambda@Edge functions, the ARN of the master function. |
memory_size | bigint | | The memory that's allocated to the function. |
name | text | = | The name of the function. |
package_type | text | | The type of deployment package. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
policy | jsonb | | The resource-based IAM policy of the Lambda function. |
policy_std | jsonb | | Contains the policy in a canonical form for easier searching. |
region | text | | The AWS Region in which the resource is located. |
reserved_concurrent_executions | bigint | | The number of concurrent executions that are reserved for this function. |
revision_id | text | | The latest updated revision of the function or alias. |
role | text | | The function's execution role. |
runtime | text | | The runtime environment for the Lambda function. |
snap_start | jsonb | | Set ApplyOn to PublishedVersions to create a snapshot of the initialized execution environment when you publish a function version. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
state | text | | The current state of the function. |
state_reason | text | | The reason for the function's current state. |
state_reason_code | text | | The reason code for the function's current state. |
tags | jsonb | | A map of tags for the resource. |
timeout | text | | The amount of time in seconds that Lambda allows a function to run before stopping it. |
title | text | | Title of the resource. |
tracing_config | jsonb | | The function's X-Ray tracing configuration. |
url_config | jsonb | | The function URL configuration details of the function. |
version | text | | The version of the Lambda function. |
vpc_id | text | | The VPC ID that is attached to the Lambda function. |
vpc_security_group_ids | jsonb | | A list of VPC security group IDs attached to the Lambda function. |
vpc_subnet_ids | jsonb | | A list of VPC subnet IDs attached to the Lambda function. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_aws --config '<your_config>' aws_lambda_function
```