AWS CloudFormation Lambda Functions

Overview

Create production-ready Lambda functions using CloudFormation templates with validation and deployment workflows.

When to Use

• Creating Lambda functions with CloudFormation
• Configuring event sources (S3, SQS, DynamoDB, Kinesis)
• Implementing Lambda layers and cold start optimization
• Integrating Lambda with API Gateway
• Deploying Lambda infrastructure with validation

Deployment Workflow

Always follow this deployment workflow:

1. Validate Template

aws cloudformation validate-template --template-body file://template.yaml

2. Deploy Stack

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name my-lambda-stack \
  --capabilities CAPABILITY_IAM \
  --parameter-overrides Environment=prod

3. Monitor Stack Events

aws cloudformation describe-stack-events \
  --stack-name my-lambda-stack \
  --query 'StackEvents[?ResourceStatus==`CREATE_FAILED`||ResourceStatus==`UPDATE_FAILED`]'

4. Verify Resources

aws lambda get-function --function-name my-lambda-stack-function
aws cloudformation describe-stacks --stack-name my-lambda-stack \
  --query 'Stacks[0].StackStatus'

5. Rollback on Failure

aws cloudformation delete-stack --stack-name my-lambda-stack
aws logs describe-log-groups --log-group-name-prefix "/aws/lambda/my-lambda"

Instructions

Follow these steps to create Lambda functions with CloudFormation:

1. Define Lambda Function Parameters

Specify runtime, memory, timeout, and environment variables:

Parameters:
  FunctionMemory:
    Type: Number
    Default: 256
    AllowedValues:
      - 128
      - 256
      - 512
      - 1024
      - 2048
    Description: Lambda function memory in MB

  FunctionTimeout:
    Type: Number
    Default: 30
    MinValue: 1
    MaxValue: 900
    Description: Function timeout in seconds

  Runtime:
    Type: String
    Default: nodejs20.x
    AllowedValues:
      - nodejs20.x
      - python3.11
      - java21
      - dotnet8
      - go1.x
    Description: Lambda runtime environment

2. Create Lambda Function

Define the basic function configuration:

Resources:
  LambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub "${AWS::StackName}-function"
      Runtime: !Ref Runtime
      Handler: index.handler
      Role: !Ref ExecutionRole
      MemorySize: !Ref FunctionMemory
      Timeout: !Ref FunctionTimeout
      Code:
        S3Bucket: !Ref CodeBucket
        S3Key: !Ref CodeKey
      Environment:
        Variables:
          LOG_LEVEL: INFO
          DATABASE_URL: !Ref DatabaseUrl
      Tags:
        - Key: Environment
          Value: !Ref Environment

3. Configure Execution Role

Apply least privilege IAM policies:

Resources:
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: S3ReadAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource: !Sub "${DataBucket.Arn}/*"

4. Add Event Sources

Configure triggers for Lambda invocation:

Resources:
  # S3 event source
  S3EventSource:
    Type: AWS::Lambda::EventSourceMapping
    Properties:
      EventSourceArn: !GetAtt DataBucket.Arn
      FunctionName: !Ref LambdaFunction

  # SQS event source
  SQSEventSource:
    Type: AWS::Lambda::EventSourceMapping
    Properties:
      EventSourceArn: !GetAtt Queue.Arn
      FunctionName: !Ref LambdaFunction
      BatchSize: 10
      MaximumBatchingWindowInSeconds: 5

5. Configure API Gateway Integration

Set up REST or HTTP API integration:

Resources:
  # HTTP API integration
  HttpApi:
    Type: AWS::ApiGatewayV2::Api
    Properties:
      Name: !Sub "${AWS::StackName}-api"
      ProtocolType: HTTP
      Target: !Ref LambdaFunction

  ApiIntegration:
    Type: AWS::ApiGatewayV2::Integration
    Properties:
      ApiId: !Ref HttpApi
      IntegrationType: AWS_PROXY
      IntegrationUri: !Sub "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${LambdaFunction.Arn}/invocations"

6. Implement Versioning and Aliases

Create function versions and aliases:

Resources:
  LambdaVersion:
    Type: AWS::Lambda::Version
    Properties:
      FunctionName: !Ref LambdaFunction
      Description: !Sub "Version ${AWS::StackName} v1"

  LambdaAlias:
    Type: AWS::Lambda::Alias
    Properties:
      FunctionName: !Ref LambdaFunction
      FunctionVersion: !GetAtt LambdaVersion.Version
      Name: live

7. Configure Monitoring

Enable CloudWatch logging and X-Ray tracing:

Resources:
  LambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      LoggingConfig:
        LogGroup: !Ref LogGroup
      TracingConfig:
        Mode: Active

  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "/aws/lambda/${LambdaFunction}"
      RetentionInDays: 7

8. Set Up Dead Letter Queue

Configure DLQ for failed invocations:

Resources:
  DeadLetterQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Sub "${AWS::StackName}-dlq"

  LambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      DeadLetterConfig:
        TargetArn: !GetAtt DeadLetterQueue.Arn

Examples

Complete Lambda Stack Template

AWSTemplateFormatVersion: '2010-09-09'
Description: Lambda function with monitoring and DLQ

Parameters:
  FunctionMemory:
    Type: Number
    Default: 256
    AllowedValues: [128, 256, 512, 1024]
  FunctionTimeout:
    Type: Number
    Default: 30

Resources:
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  LambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub "${AWS::StackName}-function"
      Runtime: nodejs20.x
      Handler: index.handler
      Role: !GetAtt ExecutionRole.Arn
      MemorySize: !Ref FunctionMemory
      Timeout: !Ref FunctionTimeout
      Code:
        S3Bucket: !Ref CodeBucket
        S3Key: !Ref CodeKey
      Environment:
        Variables:
          LOG_LEVEL: INFO

  LambdaVersion:
    Type: AWS::Lambda::Version
    Properties:
      FunctionName: !Ref LambdaFunction

  LambdaAlias:
    Type: AWS::Lambda::Alias
    Properties:
      FunctionName: !Ref LambdaFunction
      FunctionVersion: !GetAtt LambdaVersion.Version
      Name: live

Outputs:
  FunctionArn:
    Value: !GetAtt LambdaFunction.Arn
  FunctionName:
    Value: !Ref LambdaFunction

Best Practices

Performance Optimization

• Use SnapStart for Java functions to eliminate cold starts
• Use provisioned concurrency for critical functions requiring low latency
• Keep deployment packages small (< 50 MB zipped)
• Optimize memory size based on function requirements
• Use appropriate timeout values (avoid maximum timeout)
• Configure reserved concurrency to prevent throttling

Cost Optimization

• Right-size memory allocation for cost efficiency
• Use provisioned concurrency strategically (adds cost when idle)
• Monitor Lambda duration and optimize for faster execution
• Use ephemeral storage (/tmp) efficiently
• Clean up unused Lambda functions and versions
• Consider Lambda PowerTuning for optimal memory/power configuration

Security