I'm working on an serverless application the works with a database in RDS. For security reasons, both the application (Lambda) and the database are located in a private subnet in a VPC. I also want to access AWS services from the application - for example, I would like to access secret manager to obtain database credentials, put an rule in EventBridge and use STS service. I know that I can use VPC endpoints and deploy interface endpoint in my VPC for each service of interest.
My question is as follows - the sole reason that the application is in the private subnet is database access. Why shouldn't I just create another lambda, that is not my VPC and can access these services easily and for free and just invoke it from my main application? What are the security risks? What am I missing?
Thanks
If I understand correctly, you would want to create another Lambda which runs outside of the VPC and be invoked by the Lambda which is inside the VPC.
Well you can certainly do that, but this also would require to have either a NAT gateway to have access to the outside Lambda or a VPC endpoint for the Lambda control-plane. Moreover, you will double pay for each separate Lambda invocations, and you also would want to keep an eye on the running time of the Lambdas.
can access these services easily and for free
Nothing is really free in AWS. You will have to pay for the ENI used by the VPC endpoint or for the NAT gateway. And also for the Lambda invocations.
What are the security risks?
Security-wise, you are not really missing anything.