Authenticating AWS service clients within Lambda functions
There are two secure ways you can give a Lambda function permission to invoke other AWS services, or to give it credentials for e.g. a database:
Method 1: Adding IAM permissions to the Lambda execution role
For services like S3, your Lambda function's execution role can be given IAM permissions (either via a managed AWS policy, or your own custom IAM policy) to perform operations.
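To make Method 1 concrete, the following added example (not code from the original article) lints an execution-role policy for the two mistakes that turn "give the function some S3 access" into "give the function everything": wildcard actions such as `s3:*` and a wildcard `Resource`. Both policy documents, the bucket name and the prefix are constructed for illustration.

```python
"""Lint a Lambda execution-role policy for over-broad grants.

Added example, not from the original article. The two policy documents
below are constructed; the bucket name and prefix are placeholders.
"""
import json

# Constructed: a policy that grants far more than the function needs.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["ssm:GetParameter", "ssm:GetParameters"],
            "Resource": "*",
        },
    ],
}

# Constructed: the same need, scoped to one bucket and one prefix.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-bucket/uploads/*",
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-bucket",
        },
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement_index, finding) pairs for Allow statements that use
    a wildcard action or a wildcard resource. An empty list means the policy
    names specific operations on specific resources."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            # "*" grants every API call; "svc:*" grants every call of one service.
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action!r}"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((i, "wildcard resource '*'"))
    return findings


if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(lint_policy(policy)))
```

Run it against the JSON you are about to attach to the execution role: the scoped policy produces no findings, the over-broad one produces three. Managed policies such as `AmazonS3FullAccess` trip the same check, which is the point; prefer a custom policy that names the bucket.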
Method 2: Using AWS Systems Manager (SSM)
For services where you need to supply credentials (such as connecting to an RDS database or an ElastiCache node), or in any other situation where you need to give a Lambda function credentials, the secure way to do it is via SSM.
AWS has an official Lambda Layer that allows for easy retrieval of credentials from the SSM Parameter Store, but there is a catch: if your Lambda function is being executed within a VPC, as is likely to be the case for database or cache server operations, you will not be able to connect to SSM without some extra steps, because a VPC-attached function has no route to the public SSM API unless the VPC provides one.
Setting up a VPC endpoint for SSM
For your VPC-enabled Lambda functions to connect to SSM, you need to create a VPC endpoint that allows access to SSM in the specific region your Lambda function is in.
Be warned: VPC endpoints, with the exception of those used to connect to S3 and DynamoDB, incur minimum charges of around $8 per month depending on region, per availability zone in that region. That's before any data transfer costs, though for SSM that is likely to be minimal. Having your VPC SSM endpoint in all 3 subnets of a region will thus cost around $24 a month.
Once the endpoint is set up, you can give your Lambda execution role extra permissions via an IAM policy to retrieve parameters from the SSM parameter store, eliminating the need to store any credential values in your Lambda code or environment variables.
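The retrieval side of Method 2, as an added example that is not code from the original article or from AWS's Lambda layer: the handler reads a SecureString parameter with `WithDecryption=True`, caches it at module level so warm invocations do not call SSM on every request, handles a missing parameter without leaking anything, and never puts the value in a log line or response. The parameter path, the TTL and the `FakeSSMClient` are constructed so the code runs offline; in the real function you drop the fake and let `boto3.client("ssm")` use the execution role. No endpoint URL is configured in code: with private DNS enabled on the VPC endpoint, the default SSM hostname resolves to it.

```python
"""Fetch a credential from SSM Parameter Store inside a Lambda handler.

Added example, not from the original article. PARAM_NAME, CACHE_TTL_SECONDS
and FakeSSMClient are constructed for illustration; boto3 is only used
when a real client is not injected.
"""
import os
import time
from types import SimpleNamespace

try:
    import boto3  # present in the Lambda runtime
except ImportError:  # keeps the example runnable where boto3 is absent
    boto3 = None

# Placeholder parameter path; the real one comes from the function config.
PARAM_NAME = os.environ.get("DB_PASSWORD_PARAM", "/example/prod/db/password")
CACHE_TTL_SECONDS = 300  # refetch after this many seconds

# Module-level state survives across invocations of a warm execution environment.
_cache = {}


def clear_cache():
    _cache.clear()


class ParameterNotFound(Exception):
    """Mirrors client.exceptions.ParameterNotFound on the real boto3 client."""


class FakeSSMClient:
    """Constructed stand-in for boto3's SSM client with the one call we use."""

    def __init__(self, store):
        self._store = store
        self.calls = 0
        self.exceptions = SimpleNamespace(ParameterNotFound=ParameterNotFound)

    def get_parameter(self, Name, WithDecryption=False):
        self.calls += 1
        if Name not in self._store:
            raise ParameterNotFound(Name)
        value = self._store[Name]
        # A SecureString comes back in clear only when WithDecryption is set;
        # that also requires kms:Decrypt on the key in the execution role.
        if not WithDecryption:
            value = "<encrypted>"
        return {"Parameter": {"Name": Name, "Type": "SecureString", "Value": value}}


def get_secret(name, client, now=None):
    """Return the decrypted value, serving from the cache while it is fresh."""
    now = time.time() if now is None else now
    entry = _cache.get(name)
    if entry and now - entry["fetched_at"] < CACHE_TTL_SECONDS:
        return entry["value"]
    resp = client.get_parameter(Name=name, WithDecryption=True)
    value = resp["Parameter"]["Value"]
    _cache[name] = {"value": value, "fetched_at": now}
    return value


def handler(event, context, client=None):
    if client is None:
        client = boto3.client("ssm")  # signed with the execution role's credentials
    try:
        password = get_secret(PARAM_NAME, client)
    except client.exceptions.ParameterNotFound:
        # Report the failure without echoing the parameter name or any value.
        return {"statusCode": 500, "body": "credential unavailable"}
    # `password` would now be handed to the database driver; it is never
    # returned to the caller or written to the log.
    del password
    return {"statusCode": 200, "body": "ok"}


if __name__ == "__main__":
    fake = FakeSSMClient({PARAM_NAME: "constructed-password"})
    print(handler({}, None, client=fake), handler({}, None, client=fake), fake.calls)
```

The matching IAM statement on the execution role allows `ssm:GetParameter` on the parameter's ARN (or a path prefix such as `/example/prod/*`) and `kms:Decrypt` on the key that encrypts it, nothing wider. The cache is a trade-off: a rotated credential is picked up after at most `CACHE_TTL_SECONDS`, which is why a failed database login should evict the entry and retry once rather than serve the stale value until the TTL expires.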