Lambda function is configured with VPC subnets in at least two Availability Zones
awslambda_function_vpc_multi_az
AWS Lambda functions attached to a VPC use subnets that span at least the required number of Availability Zones (2 by default).
The evaluation counts the unique AZs of the function's configured subnets.
Risk
Single-AZ placement limits availability. An AZ outage or subnet/IP exhaustion can block ENI creation and VPC access, causing failed invocations, timeouts, and event backlogs.
This degrades uptime and can delay processing of critical events.
prowler aws --checks awslambda_function_vpc_multi_az
Recommendation
Distribute VPC-connected functions across subnets in 2 distinct AZs to ensure fault tolerance.
- Choose subnets from different AZs
- Avoid AZ-pinned configs or fixed IPs
- Provide per-AZ egress/endpoints and routing
- Regularly test AZ failover Aligns with resilience and defense in depth.
Remediation
aws lambda update-function-configuration --function-name <example_resource_name> --vpc-config SubnetIds=<subnet_id_az1>,<subnet_id_az2>,SecurityGroupIds=<example_security_group_id>
- Open the Lambda console and select the function
- Go to Configuration > VPC > Edit
- Select the target VPC and choose at least two subnets in different Availability Zones
- Select a security group
- Click Save
Source Code
Resource Type
AwsLambdaFunction
References
- https://docs.aws.amazon.com/lambda/latest/operatorguide/networking-vpc.html
- https://stackzonecom.tawk.help/article/aws-config-rule-lambda-vpc-multi-az-check
- https://stackoverflow.com/questions/62052490/why-aws-lambda-suggests-to-set-up-two-subnets-if-vpc-is-configured
- https://docs.aws.amazon.com/securityhub/latest/userguide/lambda-controls.html#lambda-5