How can I access AWS SSM from a private VPC Lambda without incurring high costs?

Asked By CuriousDev22 On

I'm currently working on an AWS-based side project where I need to access AWS services from resources within a private VPC. As a junior data engineer with under a year of experience, I've created a Lambda function that writes data from S3 into my PostgreSQL database, which are both located in the same private VPC. Recently, I tried to enhance my security by moving my database password to SSM Parameter Store. However, my Lambda function now requires access to the SSM and KMS APIs.

The typical approach to achieve this is to set up VPC private endpoints, but I found out that this method incurs costs per endpoint, per availability zone, which adds up quickly. For my small project, even $14 a month for two endpoints feels like a lot. I'm exploring alternatives that won't significantly increase my expenses. I heard about using a lambda-to-lambda pattern, but I'm concerned about scalability and potential future complications with that approach. Any suggestions for accessing SSM without racking up costs would be greatly appreciated!
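An added example, not code from the question or any answer, of the Lambda-side pattern the question describes: reading a SecureString parameter from SSM Parameter Store (the WithDecryption flag is what makes the kms:Decrypt call happen on the service side) and keeping the decrypted value in memory for the life of the execution environment, so each warm container pays for one GetParameter round trip rather than one per invocation. The parameter name is a placeholder, and FakeSSM is a constructed stand-in for the boto3 client so the block runs offline; the real client is only created lazily inside get_db_password.

```python
import time
from typing import Any, Callable, Dict, Optional, Tuple

# Placeholder parameter name (assumption; the question does not give the real one).
PARAM_NAME = "/example/db/password"
CACHE_TTL_SECONDS = 300.0  # re-read after 5 minutes so a rotated value is picked up


class ParameterCache:
    """Caches decrypted parameter values per execution environment.

    Every miss is one ssm:GetParameter call (with a kms:Decrypt behind it for a
    SecureString); that is the traffic that must cross a VPC endpoint or NAT.
    A hit never leaves the function's memory.
    """

    def __init__(self, ssm_client: Any, now: Callable[[], float] = time.monotonic) -> None:
        self._ssm = ssm_client
        self._now = now
        self._entries: Dict[str, Tuple[str, float]] = {}
        self.miss_count = 0

    def get(self, name: str) -> str:
        entry = self._entries.get(name)
        if entry is not None and self._now() - entry[1] < CACHE_TTL_SECONDS:
            return entry[0]
        self.miss_count += 1
        resp = self._ssm.get_parameter(Name=name, WithDecryption=True)
        value = resp["Parameter"]["Value"]
        self._entries[name] = (value, self._now())
        return value


class FakeSSM:
    """Constructed in-memory stand-in for boto3's SSM client (offline use only).

    It mimics the response shape of get_parameter; the real service would return
    the ciphertext, not raise, when WithDecryption is omitted for a SecureString.
    """

    def __init__(self, values: Dict[str, str]) -> None:
        self._values = values
        self.calls = 0

    def get_parameter(self, Name: str, WithDecryption: bool = False) -> Dict[str, Any]:
        self.calls += 1
        if not WithDecryption:
            raise ValueError("SecureString requested without WithDecryption=True")
        return {"Parameter": {"Name": Name, "Type": "SecureString", "Value": self._values[Name]}}


_cache: Optional[ParameterCache] = None


def get_db_password() -> str:
    """Real deployment path: build the boto3 client once per container."""
    global _cache
    if _cache is None:
        import boto3  # imported lazily so the module loads without boto3 installed

        _cache = ParameterCache(boto3.client("ssm"))
    return _cache.get(PARAM_NAME)


def lambda_handler(event, context):
    password = get_db_password()
    # Connect to PostgreSQL with `password` here; never log it or return it.
    return {"statusCode": 200}


def demo() -> Tuple[str, int, int]:
    """Offline walk-through with a fake clock: three reads inside the TTL cost
    one API call, a read after the TTL expires costs a second one."""
    clock = [0.0]
    fake = FakeSSM({PARAM_NAME: "constructed-password"})
    cache = ParameterCache(fake, now=lambda: clock[0])
    value = cache.get(PARAM_NAME)
    cache.get(PARAM_NAME)
    cache.get(PARAM_NAME)
    clock[0] = CACHE_TTL_SECONDS + 1
    cache.get(PARAM_NAME)
    return value, fake.calls, cache.miss_count
```

Caching trims API traffic and latency but does not remove the endpoint's hourly charge, which is the cost the question is about; it does mean a rotated password is picked up within the TTL rather than only on a cold start.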

5 Answers

Answered By EconomicalEngineer18 On

If you go with the NAT gateway option, you will be able to reach the internet without needing VPC endpoints. However, keep in mind that a NAT gateway does have an hourly charge. If that’s too steep, consider setting up an EC2 instance as a NAT gateway instead. It might take more configuration, but it could save you money in the long run.

CuriousDev22 -

Yeah, I noticed NAT gateways can be more costly. I’ll definitely check your suggestion for an EC2 NAT.

Answered By SimpleSolutions99 On

A cost-effective route could be giving your private VPC Lambda internet access via a NAT instance instead of using expensive endpoints. This way, it can access SSM/KMS without the hourly fees that come with endpoints. For smaller projects, it’s often the most straightforward fix to implement.

CuriousDev22 -

But isn’t a NAT gateway also billed hourly and can be more expensive than private endpoints?

Answered By CleverCoder77 On

Using SSM/KMS might not be necessary at all. You could create an S3 bucket to securely store your password and limit access to just the IAM role used by your Lambda function. Sure, it's not as secure since it’s not encrypted at rest, but for many small projects, this could be a viable workaround without overthinking the setup.

ThoughtfulGiants36 -

That’s an interesting idea! I’ll ponder over it. Thanks!

Answered By CloudyNightSky92 On

You might want to consider using IPv6 egress since Lambda now supports it. Additionally, setting up an egress-only internet gateway should be free, which could allow your Lambda function to access SSM without needing to set up costly VPC endpoints.

EagerLearner9 -

That sounds too good to be true! Is it really that simple? I’ll look into it!
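An added example, not code from the answer above, of the wiring that answer describes, expressed as boto3 calls: an egress-only internet gateway for the VPC, a `::/0` route to it in the private subnets' route table, a security-group egress rule limited to HTTPS over IPv6, and the Lambda VpcConfig flag `Ipv6AllowedForDualStack` that lets the function use that route. The IDs are placeholders, and RecordingEC2/RecordingLambda are constructed stand-ins so the block runs offline. Two assumptions the answer leaves implicit: the subnets must be dual-stack (carry an IPv6 CIDR), and the API the function calls must be reachable at an IPv6 address in that region, which has to be checked per service (SSM and KMS included) before relying on this.

```python
from typing import Any, Dict, List, Tuple

# Placeholder resource IDs (assumptions; none appear in the thread).
VPC_ID = "vpc-placeholder"
ROUTE_TABLE_ID = "rtb-placeholder"
SECURITY_GROUP_ID = "sg-placeholder"
SUBNET_IDS = ["subnet-placeholder-a", "subnet-placeholder-b"]
FUNCTION_NAME = "s3-to-postgres-loader"


def add_ipv6_egress(ec2: Any, vpc_id: str, route_table_id: str, sg_id: str) -> str:
    """Give the private subnets outbound-only IPv6 reachability.

    An egress-only internet gateway is stateful and never accepts connections
    initiated from the internet, so the subnets stay private in the inbound sense.
    """
    resp = ec2.create_egress_only_internet_gateway(VpcId=vpc_id)
    eigw_id = resp["EgressOnlyInternetGateway"]["EgressOnlyInternetGatewayId"]
    ec2.create_route(
        RouteTableId=route_table_id,
        DestinationIpv6CidrBlock="::/0",
        EgressOnlyInternetGatewayId=eigw_id,
    )
    # Least-privilege egress: only HTTPS, which is all the AWS APIs need.
    ec2.authorize_security_group_egress(
        GroupId=sg_id,
        IpPermissions=[{
            "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "Ipv6Ranges": [{"CidrIpv6": "::/0", "Description": "HTTPS to AWS APIs over IPv6"}],
        }],
    )
    return eigw_id


def enable_lambda_ipv6(lam: Any, function_name: str, subnet_ids: List[str], sg_ids: List[str]) -> Dict[str, Any]:
    """Opt the VPC-attached function into dual-stack networking."""
    return lam.update_function_configuration(
        FunctionName=function_name,
        VpcConfig={
            "SubnetIds": subnet_ids,
            "SecurityGroupIds": sg_ids,
            "Ipv6AllowedForDualStack": True,
        },
    )


class RecordingEC2:
    """Constructed stand-in for boto3's EC2 client: records calls, returns the
    response shapes the real client uses (offline use only)."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def create_egress_only_internet_gateway(self, **kw: Any) -> Dict[str, Any]:
        self.calls.append(("create_egress_only_internet_gateway", kw))
        return {"EgressOnlyInternetGateway": {"EgressOnlyInternetGatewayId": "eigw-placeholder"}}

    def create_route(self, **kw: Any) -> Dict[str, Any]:
        self.calls.append(("create_route", kw))
        return {"Return": True}

    def authorize_security_group_egress(self, **kw: Any) -> Dict[str, Any]:
        self.calls.append(("authorize_security_group_egress", kw))
        return {"Return": True}


class RecordingLambda:
    """Constructed stand-in for boto3's Lambda client (offline use only)."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def update_function_configuration(self, **kw: Any) -> Dict[str, Any]:
        self.calls.append(kw)
        return kw


def demo() -> Tuple[List[Tuple[str, Dict[str, Any]]], List[Dict[str, Any]]]:
    """Offline run against the recording clients; with boto3 you would pass
    boto3.client('ec2') and boto3.client('lambda') instead."""
    ec2, lam = RecordingEC2(), RecordingLambda()
    add_ipv6_egress(ec2, VPC_ID, ROUTE_TABLE_ID, SECURITY_GROUP_ID)
    enable_lambda_ipv6(lam, FUNCTION_NAME, SUBNET_IDS, [SECURITY_GROUP_ID])
    return ec2.calls, lam.calls
```

After applying this, confirm from inside the function that the service hostname resolves to an AAAA record and that the SDK actually connects over IPv6; if it still resolves to IPv4 only, the route carries no traffic and the function will time out exactly as before.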

Answered By DataDabbler44 On

Have you thought about managing your database password differently? Instead of using SSM, you could set up IAM authentication for your PostgreSQL/RDS instance. By creating an IAM user and policy that maps to the DB user, and linking it to your Lambda function, you might avoid certain complexities altogether.
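An added example, not code from the answer above, showing the IAM-authentication route that answer suggests. The point worth making explicit for the cost question: `generate_db_auth_token` is a local SigV4 presign computed from the function role's credentials, so no request is sent to AWS and no SSM/KMS endpoint or NAT is involved in obtaining the credential. The hostname, user and database name are placeholders; FakeRDS is a constructed stand-in for the boto3 client so the block runs offline, and the real boto3 and psycopg2 imports are deferred to lambda_handler.

```python
from typing import Any, Dict

# Placeholders (assumptions; the thread gives no hostnames, users or databases).
DB_HOST = "example-db.placeholder.us-east-1.rds.amazonaws.com"
DB_PORT = 5432
DB_USER = "lambda_app"
DB_NAME = "appdb"
TOKEN_LIFETIME_SECONDS = 900  # RDS IAM auth tokens are valid for 15 minutes

# One-time setup this pattern relies on (done outside the function):
#   on the database:  CREATE USER lambda_app; GRANT rds_iam TO lambda_app;
#   on the role:      allow action rds-db:connect on
#                     arn:aws:rds-db:<region>:<account>:dbuser:<db-resource-id>/lambda_app


def make_db_auth_token(rds_client: Any, host: str, port: int, user: str) -> str:
    """Build a short-lived IAM auth token. Signed locally by the SDK; nothing
    leaves the VPC. Generate one per connection rather than caching it, since
    it expires after TOKEN_LIFETIME_SECONDS."""
    return rds_client.generate_db_auth_token(DBHostname=host, Port=port, DBUsername=user)


def connection_params(host: str, port: int, user: str, dbname: str, token: str) -> Dict[str, Any]:
    """Keyword arguments for psycopg2.connect(**params). RDS only accepts IAM
    tokens over TLS, so sslmode is pinned to 'require' rather than left to the
    libpq default of 'prefer'."""
    return {
        "host": host,
        "port": port,
        "user": user,
        "dbname": dbname,
        "password": token,
        "sslmode": "require",
        "connect_timeout": 5,
    }


class FakeRDS:
    """Constructed stand-in for boto3's RDS client (offline use only). A real
    token is a presigned-URL style string with the same leading fields."""

    def generate_db_auth_token(self, DBHostname: str, Port: int, DBUsername: str) -> str:
        return f"{DBHostname}:{Port}/?Action=connect&DBUser={DBUsername}&X-Amz-Signature=constructed"


def lambda_handler(event, context):
    import boto3      # deferred: real deployment only
    import psycopg2   # deferred: real deployment only

    token = make_db_auth_token(boto3.client("rds"), DB_HOST, DB_PORT, DB_USER)
    with psycopg2.connect(**connection_params(DB_HOST, DB_PORT, DB_USER, DB_NAME, token)) as conn:
        with conn.cursor() as cur:
            cur.execute("SELECT 1")
    return {"statusCode": 200}


def demo() -> Dict[str, Any]:
    """Offline run against the fake client."""
    token = make_db_auth_token(FakeRDS(), DB_HOST, DB_PORT, DB_USER)
    return connection_params(DB_HOST, DB_PORT, DB_USER, DB_NAME, token)
```

Note the trade: there is no password to store or rotate, but every connection attempt is an IAM-authorised event, which makes `rds-db:connect` denials in CloudTrail a useful signal for misuse of the function role.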
