Tags: node.js, amazon-web-services, api-gateway, vpc-endpoint

Lambda in VPC with VPC endpoint unable to access API Gateway's API Key


I have a Lambda function inside a VPC, but when it tries to get the API Keys from API Gateway, it times out.

I have done the following steps:

  1. Attached the Lambda function to a public subnet of the VPC
  2. Created a Security Group with all TCP inbound allowed, with the source set to the same security group
  3. Created a VPC endpoint for the AWS service *.execute-api, with:
  • the public subnet that houses the Lambda function
  • the Security Group from step 2
  4. Given the Lambda function a role that has the following policies in place:
  • AmazonAPIGatewayAdministrator
  • AWSLambdaBasicExecutionRole
  • AWSLambdaExecute
  • AWSLambdaRole

With the above settings, I am still unable to connect to API Gateway to get the API Keys.

I do not need internet access, just the ability to get the API Keys from API Gateway. I am using Node.js for the Lambda function.

Please advise on how to get the API Gateway's API Keys from a Lambda function inside a VPC subnet. Is there really no way to get this information from API Gateway without a NAT Gateway?

Thanks a lot in advance.


Solution

    From your description, it would appear that all your code is in the AWS Lambda function and there are no other resources in the VPC.

    Therefore, there is no benefit in using a VPC since Lambda functions are totally secure because there is no inbound access to a Lambda function. Connecting a Lambda function to a VPC does not improve security and it actually causes more problems because it does not have Internet access.

    I don't know what your Lambda function is doing, but I presume it is using the "API Keys" to access an external service on the Internet.

    Therefore, the architecture I recommend is:

    Parameter Store, a capability of AWS Systems Manager, provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data. You can reference Systems Manager parameters in your scripts, commands, SSM documents, and configuration and automation workflows by using the unique name that you specified when you created the parameter.

    • Configure the secrets in Parameter Store to only be accessible via the IAM Role that is assigned to the Lambda function. This keeps the secrets more secure than using an API Gateway to provide secrets, and access to the secrets is also logged for security audits.
    • The IAM Role attached to the Lambda function only requires AWSLambdaBasicExecutionRole, plus the permission that was granted via the Parameter Store.
    • The code inside your Lambda function should start by retrieving the "API Keys" from the Parameter Store. It can then call the API that is (presumably) on the Internet.

    That's it! Basically, it's just a Lambda function and a stored secret. It is fully serverless and very secure. Access to the secret is controlled by IAM and can be monitored.
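As an added example (my own code, not the answer author's), here is what the recommended architecture looks like in a Node.js Lambda: a least-privilege policy that lets the function's role read one Parameter Store parameter, and a handler that loads the decrypted "API Keys" value, caches it across warm invocations, and passes it to the outbound call. The parameter name, ARNs, and the `callExternalApi` function are assumptions; the SSM fetch is injected so the module runs offline, and the real AWS SDK v3 call is shown in a comment.

```javascript
// Added example, not from the original answer. Assumed parameter name and ARNs.
// In the deployed function, build the fetch function with AWS SDK v3:
//   const { SSMClient, GetParameterCommand } = require("@aws-sdk/client-ssm");
//   const ssm = new SSMClient();
//   const fetchParameter = (name) =>
//     ssm.send(new GetParameterCommand({ Name: name, WithDecryption: true }))
//        .then((r) => r.Parameter.Value);
const PARAM_NAME = "/myapp/external-api-key"; // assumed SecureString parameter
const CACHE_TTL_MS = 5 * 60 * 1000;            // re-read so key rotation takes effect

// Least-privilege statement for the Lambda role: read exactly one parameter and
// decrypt with the KMS key that protects it (AWSLambdaBasicExecutionRole covers logs).
function roleReadPolicy(parameterArn, kmsKeyArn) {
  return {
    Version: "2012-10-17",
    Statement: [
      { Effect: "Allow", Action: ["ssm:GetParameter"], Resource: [parameterArn] },
      { Effect: "Allow", Action: ["kms:Decrypt"], Resource: [kmsKeyArn] },
    ],
  };
}

// Returns an async loader that caches the secret for ttlMs and rejects on an
// empty or missing value instead of silently calling the API with no key.
function makeSecretLoader(fetchParameter, ttlMs = CACHE_TTL_MS, now = Date.now) {
  let cached = null; // { value, expiresAt }
  return async function loadSecret(name) {
    if (cached && cached.expiresAt > now()) return cached.value;
    const value = await fetchParameter(name);
    if (typeof value !== "string" || value.length === 0) {
      throw new Error(`parameter ${name} is empty or missing`);
    }
    cached = { value, expiresAt: now() + ttlMs };
    return value;
  };
}

// Handler factory: the secret loader and the outbound API call are injected.
function makeHandler(loadSecret, callExternalApi) {
  return async function handler(event) {
    const apiKey = await loadSecret(PARAM_NAME);
    const result = await callExternalApi({ apiKey, payload: event });
    return { statusCode: 200, body: JSON.stringify(result) };
  };
}

// Lambda entry point (CommonJS); guarded so the file also runs as a plain script.
if (typeof module !== "undefined") {
  module.exports = { PARAM_NAME, roleReadPolicy, makeSecretLoader, makeHandler };
}
```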