
I've got a CloudFormation Lambda-backed custom resource, with the Lambda function in public subnets, but when I check the CloudWatch logs it shows the following:

Log-Message#1

Starting new HTTPS connection (1): cloudformation-custom-resource-response-eucentral1.s3.eu-central-1.amazonaws.com

Log-Message#2

Task timed out after 30.03 seconds

How can I handle this problem? My CloudFormation template is shown below.

    Resources:
      HelloWorld: # Custom Resource
        Type: Custom::HelloWorld
        Properties:
          ServiceToken:
            Fn::GetAtt:
              - TestFunction # Reference to the function to be run
              - Arn          # ARN of the function to be run
          Input1:
            Ref: Message
      TestFunction: # Lambda Function
        Type: AWS::Lambda::Function
        Properties:
          Code:
            S3Bucket:
              Ref: S3Bucket
            S3Key:
              Ref: S3Key
          Handler:
            Fn::Join:
              - ''
              - - Ref: ModuleName
                - ".lambda_handler"
          Role:
            Fn::GetAtt:
              - LambdaExecutionRole
              - Arn
          VpcConfig:
            SecurityGroupIds:
              - !Ref SecurityGroup
            SubnetIds:
              - Fn::Select: [ 0, !Ref PublicSubnet1 ]
              - Fn::Select: [ 0, !Ref PublicSubnet2 ]
          Runtime: python2.7
          Timeout: '30'
      LambdaExecutionRole: # IAM Role for Custom Resource
        Type: AWS::IAM::Role
        Properties:
          AssumeRolePolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal:
                  Service:
                    - lambda.amazonaws.com
                Action:
                  - sts:AssumeRole
          Path: "/"
          Policies:
            - PolicyName: root
              PolicyDocument:
                Version: '2012-10-17'
                Statement:
                  - Effect: Allow
                    Action:
                      - logs:CreateLogGroup
                      - logs:CreateLogStream
                      - logs:PutLogEvents
                    Resource: arn:aws:logs:*:*:*
                  - Effect: Allow
                    Action:
                      - ec2:CreateNetworkInterface
                      - ec2:DescribeNetworkInterfaces
                      - ec2:DeleteNetworkInterface
                    Resource: "*"
      SecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
          GroupName: "sec_group_name"
          GroupDescription: "SSH traffic in, all traffic out."
          VpcId: !Ref VPC
          SecurityGroupIngress:
            - IpProtocol: -1
              CidrIp: 0.0.0.0/0
          SecurityGroupEgress:
            - IpProtocol: -1
              CidrIp: 0.0.0.0/0

My subnets' route tables are associated with an InternetGateway, but it gives a CloudFormationResponse object error. How can I solve this connection problem?

Help! Thanks :))


1 Answer


I am guessing your public subnet does not have a NAT gateway or NAT instance attached to it (an InternetGateway alone is not enough). As per AWS, this is required. If your function does not need general internet access but only access to AWS resources, you should consider VPC Endpoints. They are cheaper, but I'm not sure if they are available for all resources.


1 Comment

I've created a VPC Endpoint and attached it to the Lambda VPC; now I'm getting a Forbidden error. Probably I will attach a new role to the Lambda to access the S3 bucket; this will fix it. Thanks :)
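Added example (not from the question, answer or comment above): a CloudFormation fragment for the S3 gateway endpoint the answer suggests, so the function in the VPC can reach the cloudformation-custom-resource-response bucket without a NAT gateway; Lambda ENIs in a VPC carry only private addresses, so the subnets' InternetGateway route alone gives them no path out. It assumes the VPC parameter from the template above and adds an assumed PublicRouteTable parameter for the route table those Lambda subnets use.

```yaml
# Added example, not part of the original template: S3 gateway endpoint
# giving the in-VPC custom-resource Lambda a route to the response bucket.
# Assumed: VPC is a parameter of the existing template; PublicRouteTable
# is the route table associated with PublicSubnet1 / PublicSubnet2.
Parameters:
  PublicRouteTable:
    Type: String   # assumed: id of the route table used by the Lambda subnets

Resources:
  S3ResponseEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      # Gateway endpoints are regional; the endpoint must be in the same
      # region as the response bucket (eu-central-1 in the log above).
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3"
      VpcEndpointType: Gateway
      RouteTableIds:
        - !Ref PublicRouteTable
      # Least-privilege endpoint policy: requests through this endpoint,
      # including the pre-signed PUT of the custom-resource response, are
      # only allowed to write into CloudFormation's response buckets.
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - s3:PutObject
            Resource:
              - "arn:aws:s3:::cloudformation-custom-resource-response-*/*"
```

The endpoint policy is evaluated on every request that passes through the endpoint, so if the function also needs to read or write other buckets, add those bucket ARNs and actions to the policy rather than opening it to "*".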
