Documentation

AWS Lambda Integration

Snyk’s AWS Lambda integration lets you monitor the deployed code of your Node.js AWS Lambda functions for any known vulnerabilities found in the application’s dependencies, testing at a frequency you control.

For each test, Snyk will communicate directly with AWS Lambda to determine exactly what code is currently deployed and what dependencies are being used. Each dependency will in turn be tested against Snyk’s vulnerability database to see if it contains any known vulnerabilities.

If vulnerabilities are found, you will be alerted (via email or Slack) so that you can take immediate action.

In order to turn on the AWS Lambda integration you’ll need to:

  1. Connect to AWS Lambda from the integrations page
  2. Add your AWS Lambda account credentials to Snyk
  3. Select the projects you want to monitor and click “Add to Snyk”

Connecting Snyk to AWS Lambda

In order for Snyk to be able to monitor your deployed AWS Lambda functions, you’ll first need to connect Snyk to your AWS Lambda account. You can do this by navigating to the Integrations page and clicking on “Connect to AWS Lambda”.

Screenshot of the Integrations page for Snyk

This will take you to a page where you’ll be prompted to enter your AWS Access Key ID and Secret Access Key.

Screenshot of the form for entering your AWS Lambda credentials

Instructions for how to generate and locate your AWS Lambda credentials are below.

Generating your AWS Lambda Credentials

To give Snyk access to your AWS Lambda account, you’ll need both a valid Secret Access Key and a valid Access Key ID.

You can find and create Access Key IDs for an IAM user from the IAM console. The Secret Access Key can then be obtained by downloading the credentials.

Alternatively, you can use the AWS CLI to generate an Access Key ID for a user as well as download the rest of their security credentials. For example, to create a new Access Key ID for user ‘Bob’, you would run the following command:

aws iam create-access-key --user-name Bob

This would result in JSON output similar to the following, which contains the Secret Access Key that you’ll need for setting up Snyk:

{
    "AccessKey": {
        "UserName": "Bob",
        "Status": "Active",
        "CreateDate": "2015-03-09T18:39:23.411Z",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
        "AccessKeyId": "AKIAIOSFODNN7EXAMPLE"
    }
}

From there you can log in to your Snyk account and paste in your Access Key ID and Secret Access Key.

More information on obtaining your security credentials from AWS can be found in their documentation.

Adding Lambda Functions to Snyk

Once you’ve successfully connected Snyk to your AWS Lambda account, you’ll be able to select AWS Lambda functions that you would like Snyk to monitor. You can do this either using the “Add projects” button on the integrations page, or directly from the AWS Lambda integration settings page.

In either case, you’ll see a list of any available projects on the AWS Lambda account you connected. Select the ones you want to monitor and click the “add to Snyk” button.

Screenshot of the screen displaying the available AWS Lambda apps to monitor

As soon as you’ve added the projects to Snyk, Snyk will test them and begin to display a list of all monitored AWS Lambda functions in your project dashboard. You’ll also see a snapshot of any current vulnerabilities, and be able to click through for a more detailed report including any steps to remediate.

Screenshot of the screen displaying the AWS Lambda projects

Snyk will now continuously monitor each of those functions for known vulnerabilities. You can add more functions at any time.

Checking your connection status

At any time after you’ve entered your AWS Lambda credentials, you can check on the connection status in one of two places.

The first is on your integration settings page, where you’ll see your current integrations listed as well as their connection status.

Screenshot of the integration settings page

You can also check the status directly on the AWS Lambda integration settings page (found by clicking “Edit settings” on the integration settings page shown above). If you’ve entered credentials, you’ll see a box indicating whether or not Snyk is able to correctly connect to AWS Lambda.

Screenshot showing Snyk correctly connected to AWS Lambda

If you are unable to connect, please re-enter your account credentials to verify that they are correct.

Screenshot showing Snyk unable to connect to AWS Lambda

Adding a Snyk-specific user to AWS Lambda

We recommend adding a dedicated AWS Identity and Access Management (IAM) user for your Snyk organization. That way if at some point you need to revoke the key for any reason, you can do so without impacting anyone within your organization.

The IAM user only needs one attached policy: AWSLambdaReadOnlyAccess.

You can learn more about IAM users in the AWS documentation.
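
As an added example (not Snyk's code), the following Python check audits a dedicated IAM user against the recommendation above. It takes the parsed JSON output of the AWS CLI commands aws iam list-attached-user-policies, list-user-policies, list-groups-for-user and list-access-keys; the function name, sample data, account ID and key IDs are constructed for illustration.

```python
# Added example: audit a dedicated Snyk IAM user against the page's advice.
REQUIRED_POLICY = "AWSLambdaReadOnlyAccess"        # policy name from the page
AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"    # ARN prefix of AWS-managed policies


def audit_snyk_user(attached, inline, groups, keys):
    """Return findings; an empty list means the user carries only the one
    AWS-managed read-only policy and at most one active access key."""
    findings = []
    policies = attached.get("AttachedPolicies", [])
    if REQUIRED_POLICY not in [p["PolicyName"] for p in policies]:
        findings.append(f"missing attached policy {REQUIRED_POLICY}")
    for p in policies:
        if p["PolicyName"] != REQUIRED_POLICY:
            findings.append(f"extra attached policy: {p['PolicyName']}")
        elif not p["PolicyArn"].startswith(AWS_MANAGED_PREFIX):
            # Same name but an account-owned ARN: a customer-managed look-alike.
            findings.append(f"not AWS-managed: {p['PolicyArn']}")
    findings += [f"inline policy: {n}" for n in inline.get("PolicyNames", [])]
    findings += [f"group membership: {g['GroupName']}" for g in groups.get("Groups", [])]
    active = [k for k in keys.get("AccessKeyMetadata", []) if k["Status"] == "Active"]
    if len(active) > 1:
        findings.append(f"{len(active)} active access keys, expected 1")
    return findings


# Constructed sample inputs (account ID and key IDs are made up).
GOOD = dict(
    attached={"AttachedPolicies": [{"PolicyName": "AWSLambdaReadOnlyAccess",
              "PolicyArn": "arn:aws:iam::aws:policy/AWSLambdaReadOnlyAccess"}]},
    inline={"PolicyNames": []},
    groups={"Groups": []},
    keys={"AccessKeyMetadata": [{"AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active"}]},
)
DRIFTED = dict(
    attached={"AttachedPolicies": [
        {"PolicyName": "AWSLambdaReadOnlyAccess",
         "PolicyArn": "arn:aws:iam::111122223333:policy/AWSLambdaReadOnlyAccess"},
        {"PolicyName": "AmazonS3FullAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"}]},
    inline={"PolicyNames": ["debug-access"]},
    groups={"Groups": [{"GroupName": "developers"}]},
    keys={"AccessKeyMetadata": [
        {"AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active"},
        {"AccessKeyId": "AKIAI44QH8DHBEXAMPLE", "Status": "Active"}]},
)

if __name__ == "__main__":
    for label, data in (("good", GOOD), ("drifted", DRIFTED)):
        print(label, audit_snyk_user(**data))
```

Inline policies and group memberships are reported because they grant permissions on top of the single attached policy, so a user can drift from read-only without the attached-policy list changing.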

Disabling the AWS Lambda Integration

If you decide to disable the AWS Lambda integration for any reason, you can accomplish this from the “Integration Settings” page in your settings.

You’ll need to find the AWS Lambda integration in your list of integrations, and click “Edit Settings”. You’ll be taken to a page that shows the current status of your AWS Lambda connection, a place to update your API key, and a red box at the bottom to disconnect from AWS Lambda.

Screenshot showing the Disconnect screen for disabling the AWS Lambda integration

If you choose to disconnect, your AWS Lambda credentials will be removed from Snyk and any AWS Lambda projects we had been monitoring will be deactivated on Snyk.

If you choose to re-enable the AWS Lambda integration at any time, you’ll need to re-enter your credentials and activate your projects.