Do I need VPC for a 100% Serverless Architecture on AWS? [closed]
Please, consider a system (composed of many microservices and BFFs) that:
- Each Platform (many microservices) and Customer Journey (BFF) has its own AWS Account (as part of an organization - Control Tower). We might have 20 - 30 AWS Accounts.
- AWS Services used are: Lambda, SNS, SQS, Step Functions, EventBridge, Cognito, S3, CloudFront, CloudWatch, DynamoDB, Aurora Serverless (V2) + RDS Proxy, API GW (REST)
- External Services: Lumigo for Monitoring, GitLab CI/CD (SaaS), Salesforce, Stripe, Twilio, Some Banks (API based)
- Multi-region deployment (For DR only). So DynamoDB and Aurora Serverless (V2) are synched to another region, and the application is always deployed in both regions (Queues and other temporary states/data are not synched).
and knowing that it's now 2022 (Lambda will turn 10 in a couple of years), would we need VPC (VPCes?) for this solution for maximum security (regarding Infrastructure alone)? It always looked to me that good governance, automatic rotation of IAM credentials, a strong CI/CD pipeline, and continuous and external security checks would be enough for Serverless Architecture, so that developers or DevOps wouldn't need to invest a lot of energy setting up and maintaining Network and VPC.
Any help would be appreciated.
Cheers
Solution 1:
So it is not a must. You can keep your service secure without a VPC. However, it may be more cost-effective to use a VPC. For example, if you move data from S3 to Lambda you pay a fee for network traffic. If both have endpoints in the same VPC there are no fees.
Furthermore, the two accounts per microservice approach seems a bit complex. I would rather have one CDK construct/Terraform/CloudFormation template per microservice and then two instances of them for test and prod. The default quota for AWS Organizations is 10 accounts, so it would limit you to 5 microservices.
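The "endpoints in the same VPC" point from the answer, as an added Terraform example (not from the original post or from any project it names): a gateway VPC endpoint for S3 with an endpoint policy that admits only principals from the organisation, a bucket policy that rejects requests not arriving through that endpoint, and a Lambda attached to the private subnet that routes through it. `var.region`, `var.org_id` and the referenced `aws_vpc`, `aws_route_table`, `aws_subnet`, `aws_security_group`, `aws_iam_role` and `aws_s3_bucket` resources are assumed to be defined elsewhere; the Lambda role's own IAM permissions are unchanged and still apply on top.

```hcl
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
  # Endpoint policy: only principals from this organisation may use the endpoint.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "OrgPrincipalsOnly"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource  = [aws_s3_bucket.data.arn, "${aws_s3_bucket.data.arn}/*"]
      Condition = { StringEquals = { "aws:PrincipalOrgID" = var.org_id } } # var.org_id is a placeholder
    }]
  })
}
# Bucket policy: reject any request that did not arrive through the endpoint above.
resource "aws_s3_bucket_policy" "vpce_only" {
  bucket = aws_s3_bucket.data.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyOutsideEndpoint"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.data.arn, "${aws_s3_bucket.data.arn}/*"]
      Condition = { StringNotEquals = { "aws:sourceVpce" = aws_vpc_endpoint.s3.id } }
    }]
  })
}
# The Lambda sits in the private subnet whose route table carries the endpoint,
# so its S3 traffic never crosses a NAT gateway and no data-transfer fee applies.
resource "aws_lambda_function" "worker" {
  function_name = "order-worker" # placeholder name
  role          = aws_iam_role.worker.arn
  runtime       = "python3.11"
  handler       = "app.handler"
  filename      = "worker.zip"
  vpc_config {
    subnet_ids         = [aws_subnet.private.id]
    security_group_ids = [aws_security_group.worker.id]
  }
}
```

The Deny statement also blocks the console and any CI runner outside the VPC, so apply it only to buckets that are purely service-to-service, and keep a break-glass path (for example an exception for a named admin role) if you need one.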
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Lau |
