Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
2.2.3.4. Developing Lambda Function Automations for Complex Scenarios (AWS SDKs, Lambda, AWS Step Functions)
Lambda is the glue that connects AWS events to automated responses. For DevOps, Lambda handles custom logic that managed services can't cover.
Pattern 1: CloudWatch Alarm → SNS → Lambda → Remediation
import json
import os
import boto3

OPS_TOPIC = os.environ['OPS_TOPIC']  # SNS topic ARN supplied via an environment variable

def handler(event, context):
    # SNS delivers the CloudWatch alarm JSON as a string in the Message field
    alarm = json.loads(event['Records'][0]['Sns']['Message'])
    # Look up the InstanceId dimension by name rather than assuming it is listed first
    dims = {d['name']: d['value'] for d in alarm['Trigger']['Dimensions']}
    instance_id = dims['InstanceId']
    boto3.client('ec2').reboot_instances(InstanceIds=[instance_id])
    boto3.client('sns').publish(TopicArn=OPS_TOPIC, Message=f"Rebooted {instance_id}")
Pattern 2: Config Rule → Lambda → Evaluate Compliance
import json
import boto3

def handler(event, context):
    config_client = boto3.client('config')
    # Config passes the invoking event as a JSON string, not as a parsed object
    ci = json.loads(event['invokingEvent'])['configurationItem']
    compliant = ci['configuration'].get(
        'versioningConfiguration', {}).get('status') == 'Enabled'
    config_client.put_evaluations(Evaluations=[{
        'ComplianceResourceType': ci['resourceType'],
        'ComplianceResourceId': ci['resourceId'],
        'ComplianceType': 'COMPLIANT' if compliant else 'NON_COMPLIANT',
        'OrderingTimestamp': ci['configurationItemCaptureTime']
    }], ResultToken=event['resultToken'])  # the token ties this evaluation to the invocation
Pattern 3: Scheduled → Lambda → Cleanup (terminate untagged instances, delete old snapshots)
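Pattern 3 is only described above, so here is an added worked example of the scheduled cleanup (my code, not MindMesh Academy's). The required tag names, the 30-day retention window and the DoNotTerminate opt-out tag are assumptions; the selection rules are pure functions over describe_* response dicts so they can be tested on constructed data, and the handler only reports unless the schedule event explicitly sets dry_run to false.

```python
# Added example, not the course's own code: Pattern 3 as a scheduled cleanup.
# Selection is pure Python over describe_* dicts; only handler() calls AWS.
from datetime import datetime, timedelta, timezone

REQUIRED_TAGS = ("Owner", "CostCenter")  # assumption: tags the org mandates
MAX_SNAPSHOT_AGE_DAYS = 30               # assumption: snapshot retention window
PROTECT_TAG = "DoNotTerminate"           # assumption: explicit opt-out tag

def untagged_instance_ids(reservations, required=REQUIRED_TAGS):
    """Running instances missing (or with an empty) required tag; `reservations`
    is the 'Reservations' list of one describe_instances page."""
    ids = []
    for res in reservations:
        for inst in res["Instances"]:
            if inst["State"]["Name"] != "running":
                continue
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if PROTECT_TAG in tags:
                continue  # an explicit opt-out always wins over the tag check
            if any(not tags.get(k) for k in required):
                ids.append(inst["InstanceId"])
    return ids

def old_snapshot_ids(snapshots, now, max_age_days=MAX_SNAPSHOT_AGE_DAYS):
    """Snapshots started before the retention cutoff; `snapshots` is the
    'Snapshots' list of one describe_snapshots(OwnerIds=['self']) page."""
    cutoff = now - timedelta(days=max_age_days)
    return [s["SnapshotId"] for s in snapshots if s["StartTime"] < cutoff]

def handler(event, context):
    import boto3  # imported here so the pure functions need no SDK to test
    ec2 = boto3.client("ec2")
    dry_run = event.get("dry_run", True)  # default is report-only
    now = datetime.now(timezone.utc)
    instances, snapshots = [], []
    for page in ec2.get_paginator("describe_instances").paginate():
        instances += untagged_instance_ids(page["Reservations"])
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        snapshots += old_snapshot_ids(page["Snapshots"], now)
    if not dry_run:  # role needs ec2:TerminateInstances and ec2:DeleteSnapshot only
        if instances:
            ec2.terminate_instances(InstanceIds=instances)
        for sid in snapshots:
            ec2.delete_snapshot(SnapshotId=sid)
    return {"dry_run": dry_run, "instances": instances, "snapshots": snapshots}
```

Snapshots that back a registered AMI are rejected by DeleteSnapshot with InvalidSnapshot.InUse, so a production version should catch that per snapshot and log it rather than abort the run.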
The Lambda execution role must have permissions for every AWS service the function calls. Apply least privilege: grant ec2:RebootInstances on the specific instances the function manages, not ec2:* on *.
Exam Trap: Lambda functions in a VPC can't access AWS APIs unless the subnet has a NAT Gateway or VPC endpoints. If a Lambda function worked before VPC attachment and fails after, the answer is almost always missing NAT/VPC endpoints.

Written by Alvin Varughese, Founder, 15 professional certifications