AWS Lambda

Features

Lambda is the so called as "server-less architecture" of AWS. It is different from the previous two as it is event driven; so the code uploaded in Lambda, is not given an execution environment to run code, until the defined event is triggered, and in this process, the user does not get to either provision or manage servers, and hence user only pay for the time used to consume compute resources. Due to this, there is a limitation, that whatever code is uploaded in Lambda, should complete execution within 5 minutes

Here, lot of application or back‑end service is supported and as there is no scope for administration, it integrates with many AWS services.

One of the most important features is that it is highly scalable.

Pricing changes with memory. An AWS user can consume memory from 128 to 3008 MB allocated for functions that are running on AWS Lambda.

Source: https://vticloud.io/wp-content/uploads/2021/03/deep-dive-on-aws-lambda-vti-cloud.jpg

As explained in IAM, Roles are used for one AWS service to communicate with other service

Source: https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2018/01/21/AR_Diagram_010418.png

AWS Lambda supports versioning (max versions are 5) and each version is immutable, i.e., once published, they cannot be changed and if changes are required, publish a new version, so in all, it can look like this:

  • LambdaFunctionName

  • LambdaFunctionName:1 <- Immutable

  • LamdaFunctionName:2 <- Immutable

Execution Environment Lifecycle

Execution Environments are secure and isolated runtime environments

The lifecycle can be defined as shown below:

Source: https://trackit.io/aws-lambda-lifecycle/ and https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtime-environment.html and https://tmmr.uk/post/lambda/lambda-execution-environment/

Extension INIT - In the Extension Init phase the system starts all extensions to let them apply their logic to the Lambda

Runtime INIT - The runtime is the combination of an operating system, programming language and a combination of software libraries required to invoke the Lambda function

Note that when AWS Lambda was not used and is initialized for the 1st time at any given time, i.e., it was not active, then for its first run, it will take a little time to respond. This is called Cold Start

When it has become active and is responding to 2nd or 3rd trigger or request, it is called as Warm Start. Here initialization doesn't happen and request goes straight to invoke stage

Types of Invocations

AWS Lambda supports parallel invocations:

Source: https://blog.awsfundamentals.com/lambda-limitations

The characteristics of Lambda Execution environment are as follows:

  • Read Only File System

  • Memory based on Lambda configuration during setup

  • 512 MB of disk space in /tmp directory

  • No inbound connections

  • Only TCP/IP Outbound connections are allowed

  • Max timeout of 15 minutes

If API Gateway is used for passing the trigger to lambda function and it has a timeout of 30 secs, so and if Lambda function code has a sleep of 35 seconds then it won't work, because there is timeout at API Gateway due to which API Gateway will not be able to relay the response back from Lambda to API Gateway all the way back to user.

What is the solution then?

The solution to above problem can be diagrammatically summarized as: Use Asynchronous events or Stream (Poll-based)

Source: https://d2908q01vomqb2.cloudfront.net/fc074d501302eb2b93e2554793fcaf50b3bf7291/2019/06/27/Screen-Shot-2019-06-27-at-2.23.51-PM-1024x510.png
Source: https://media.licdn.com/dms/image/v2/D5612AQEkftRQJaBD3g/article-cover_image-shrink_600_2000/article-cover_image-shrink_600_2000/0/1721199571323?e=2147483647&v=beta&t=vyOf-dB-uRgAxj5sQe83_sWT71MnrKrnoiZqcE-KBuw

Improving Response Time by keeping Lambda Functions Warm

Layers in Lambda Functions

Source: https://aws.amazon.com/blogs/mobile/how-to-use-lambda-layers-with-the-amplify-cli/

Layers can also have upto 5 versions and as they have versioning, they are also immutable.

Lambda Functions can use multiple layers which can be compatible with a runtime.

They are extracted to /opt directory as shown below:

  • Python - /opt/python/lib/python<version>/site-packages

  • Node.js - /opt/nodejs/node_modules

  • Binaries - /bin

  • Java - /opt/java/lib

  • As per ChatGPT

Each layer has specific ARN.

Layers can be stacked and ordering of layer matters

Max size of a layer is 250 MB

Lambda Environment Variables

Source: https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html

Note that the id (which tell username) for an lambda environment generally tarts with sbx_user<number>

Lambda Alias Routing

Lambda supports not only creating alias of a function but also supports routing to it. This is generally used to test new features by traffic shifting to send a small percentage of traffic to a second function alias or version for a rolling deployment before production rollout. This is commonly called a canary release

Example: 90% of invocations route to the stable version while 10% route to alias new-feature pointing to version 3. If the 10% is successful, deployment can continue until all traffic is migrated to version 3, and the stable alias is then pointed to version 3.

Source: https://d2908q01vomqb2.cloudfront.net/1b6453892473a467d07372d45eb05abc2031647a/2020/06/15/5-9-AWS-Lambda-alias-routing.png

Event and Context

The event parameter contains data that is passed to the Lambda function at the time of invocation. This data is specific to the event source that triggers the Lambda function.

Source: https://docs.aws.amazon.com/lambda/latest/dg/services-apigateway.html#apigateway-example-event

When Lambda runs the function, it passes a context object to the handler. This object provides methods and properties that provide information about the invocation, function, and execution environment. It's main role is to provide information about the current execution environment. Unlike event, the methods and properties of the context object remain the same regardless of the lambda was invoked or triggered

Sample Code:

// Generated by ChatGPT
def lambda_handler(event, context):
    # Accessing event data
    print("Received event:", event)
    
    # Accessing context data
    print("Request ID:", context.aws_request_id)
    print("Function Name:", context.function_name)

    # Your processing logic here
    return {
        'statusCode': 200,
        'body': 'Hello from Lambda!'
    }

Runtime

It is mostly a script (bootstrap executable file) that executes everything in order for getting the proper work from everyone and giving the output to user, via Runtime API and Lambda service

So, runtime runs the function's setup code. It reads the handler name from an environment variable, reads the invocation event from lambda runtime API, passes the event data to function handler and posts the response from handler back to Lambda. It can distributed as public or private layers

Working and Execution Flow can be explained as follows:

Source: https://attackdefense.com/listing?labtype=aws-cloud-security-bootcamp&subtype=aws-cloud-security-bootcamp-recordings
Source: https://attackdefense.com/listing?labtype=aws-cloud-security-bootcamp&subtype=aws-cloud-security-bootcamp-recordings
Source: https://attackdefense.com/listing?labtype=aws-cloud-security-bootcamp&subtype=aws-cloud-security-bootcamp-recordings

Runtime API Path (https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html):

  • Invocation Request - GET "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next"

  • Invocation Response - POST "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/AwsRequestId/response"

  • Invocation Error - POST "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/AwsRequestId/error"

  • Invocation Error Path - POST "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/init/error"

Steps for using AWS Lambda

Example Scenario: Generate Symmetric keys using Lambda

Now, to create a lambda function using dotnet cli, ensure that .NET SDK is installed from here.

Create a folder to host the source code

cd <to-the-created-folder>
dotnet nuget add source https://api.nuget.org/v3/index.json -n nuget.org
dotnet new --install Amazon.Lambda.Templates
dotnet new lambda.EmptyFunction --name SymKeyGen
cd SymKeyGen
cd src
notepad SymKeyGen.csproj 
// make the following changes
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework> //Change here
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
    <GenerateRuntimeConfigurationFiles>true</GenerateRuntimeConfigurationFiles>
    <AWSProjectType>Lambda</AWSProjectType>
    <!-- This property makes the build directory similar to a publish directory and helps the AWS .NET Lambda Mock Test Tool find project dependencies. -->
    <CopyLocalLockFileAssemblies>true</CopyLocalLockFileAssemblies>
    <!-- Generate ready to run images during publishing to improve cold start time. -->
    <PublishReadyToRun>false</PublishReadyToRun> //Change here
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Amazon.Lambda.Core" Version="2.3.0" />
  </ItemGroup>
</Project>
dotnet add package Amazon.Lambda.Core
dotnet add package Amazon.Lambda.APIGatewayEvents
dotnet add package AWSSDK.S3
dotnet add package Newtonsoft.Json
notepad Function.cs
//Generated by ChatGPT

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Amazon.Lambda.Core;
using Amazon.Lambda.APIGatewayEvents;
using Amazon.S3;
using Amazon.S3.Model;
using Newtonsoft.Json;
using System.Text.RegularExpressions;

[assembly: LambdaSerializer(typeof(Amazon.Lambda.Serialization.SystemTextJson.DefaultLambdaJsonSerializer))]

public class Function
{
    private readonly string bucketName = "radifineuniquebucketname"; // Update with your S3 bucket name
    private readonly IAmazonS3 s3Client;

    public Function()
    {
        s3Client = new AmazonS3Client();
    }

    // Entry point for the Lambda function
    public APIGatewayProxyResponse FunctionHandler(APIGatewayProxyRequest request, ILambdaContext context)
    {
        return GenerateKey(request, context);
    }

    public APIGatewayProxyResponse GenerateKey(APIGatewayProxyRequest request, ILambdaContext context)
    {
        // Parse input parameters from the request
        if (request.QueryStringParameters == null || 
            !request.QueryStringParameters.TryGetValue("input", out var hexInput))
        {
            return new APIGatewayProxyResponse
            {
                StatusCode = 400,
                Body = JsonConvert.SerializeObject(new { Error = "Input parameter is required." }),
                Headers = new System.Collections.Generic.Dictionary<string, string>
                {
                    { "Content-Type", "application/json" }
                }
            };
        }

        // Decode hex input to original string
        string inputParam = HexToString(hexInput);

        // Validate the input
        if (!IsValidInput(inputParam))
        {
            return new APIGatewayProxyResponse
            {
                StatusCode = 400,
                Body = JsonConvert.SerializeObject(new { Error = "Invalid input parameter." }),
                Headers = new System.Collections.Generic.Dictionary<string, string>
                {
                    { "Content-Type", "application/json" }
                }
            };
        }

        // Generate a symmetric key based on the input parameter
        byte[] symmetricKey = GenerateKeyFromInput(inputParam);
        var base64Key = Convert.ToBase64String(symmetricKey);

        // Save the key to S3
        string fileName = $"{inputParam}.txt"; // Name the file using the input string
        var putRequest = new PutObjectRequest
        {
            BucketName = bucketName,
            Key = fileName,
            ContentBody = base64Key,
            ContentType = "text/plain"
        };

        // Upload the key to S3
        s3Client.PutObjectAsync(putRequest).Wait();

        // Return the key and success message
        var response = new
        {
            Key = base64Key,
            Message = "Key generated and saved successfully."
        };

        return new APIGatewayProxyResponse
        {
            StatusCode = 200,
            Body = JsonConvert.SerializeObject(response),
            Headers = new System.Collections.Generic.Dictionary<string, string>
            {
                { "Content-Type", "application/json" }
            }
        };
    }

    private bool IsValidInput(string input)
    {
        // Check for null or empty
        if (string.IsNullOrWhiteSpace(input))
            return false;

        // Check length (e.g., maximum length of 255 characters)
        if (input.Length > 255)
            return false;

        // Validate against a regex pattern (adjust as necessary)
        string pattern = @"^[a-zA-Z0-9\-\.]+$"; // Example pattern: allows alphanumeric, hyphens, and dots
        return Regex.IsMatch(input, pattern);
    }

    private byte[] GenerateKeyFromInput(string input)
    {
        using (var sha256 = SHA256.Create())
        {
            // Hash the input to create a fixed-length key
            return sha256.ComputeHash(Encoding.UTF8.GetBytes(input));
        }
    }

    private string HexToString(string hex)
    {
        StringBuilder result = new StringBuilder(hex.Length / 2);
        for (int i = 0; i < hex.Length; i += 2)
        {
            result.Append((char)Convert.ToByte(hex.Substring(i, 2), 16));
        }
        return result.ToString();
    }
}

dotnet build
dotnet publish -c Release -o ./publish
Compress-Archive -Path * -DestinationPath ../SymKeyGenSrc.zip

Edit the permissions for access to S3

For those interested, can head over API Gateway to have complete scenario based understanding.

Now, it should work

PreviousElastic BeanStalkNextContainer Services

Last updated