Why is my AWS Security group allowing traffic?

Question

I thought I had an understanding of AWS security groups, but this doesn't make any sense.

I have a Lambda Function that is inside of my VPC.

It is assigned a security group (TestLambdaSG).

TestLambdaSG has inbound HTTP/HTTPS rules from IP 1.2.3.4/32

I can connect to my Lambda Function from my IP. Why?

AWS says that security groups are restrictive by default, so I shouldn't be able to connect. My Lambda function is an API that I created a test route that returns a "Success" message.

https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-security-groups.html

you created a test in local lambda function, its not a test from outside. — Thanh Nguyen Van, Dec 19 '19 at 06:47
I can get to it through Postman on my machine, so I'm sending HTTP traffic from my IP to the Lambda function, right? — John Rousseau, Dec 19 '19 at 06:51
It's an API published to Lambda from Visual Studio, so I used Postman to hit the API path. — John Rousseau, Dec 19 '19 at 06:55
Yes, that's what I don't understand. I can connect to the API from my IP. The response was just a text string that I return "From API" so that I know I can connect to it. I thought the security group should block that. — John Rousseau, Dec 19 '19 at 06:58

score 3 · Accepted Answer · answered Dec 19 '19 at 07:02

The security group assigned to lambda only used to validate outgoing traffic , it is impossible to access the lambda directly through the socket connection. Therefore I dont think lambda security group's inbound rules are any useful.

But other services such as API gateway can invoke a lambda. An API gateway is publicly available by default when it is deployed.

That's why it's accessible from postman for you.

Why is my AWS Security group allowing traffic?

1 Answers1