Managing AWS Lambda functions

You can use the AWS Lambda API or console to create functions and configure function settings. Basic function settings include the description and the execution role that you specify when you create a function in the Lambda console. You can configure more settings after you create a function, or use the API to modify configuration settings such as the handler name, memory allocation, and security groups during creation.

To keep secrets out of your function code, store them in the function's configuration and read them from the execution environment during initialization. Environment variables are always encrypted at rest, and can be encrypted client-side as well. Use environment variables to make your function code portable by removing connection strings, passwords, and endpoints for external resources.

Versions and aliases are secondary resources that you can create to manage function deployment and invocation. Publish versions of your function to store its code and configuration as a separate resource that cannot be changed, and create an alias that points to a specific version. Then you can configure your clients to invoke a function alias, and update the alias when you want to point the client to a new version, instead of updating the client.

As you add libraries and other dependencies to your function, creating and uploading a deployment package can slow down development. Use layers to manage your function's dependencies independently and keep your deployment package small. You can also use layers to share your own libraries with other customers and use publicly available layers with your functions.

To use your Lambda function with AWS resources in an Amazon VPC, configure it with security groups and subnets to create a VPC connection. Connecting your function to a VPC lets you access resources in a private subnet such as relational databases and caches. You can also create a database proxy for MySQL and Aurora DB instances. A database proxy enables a function to reach high concurrency levels without exhausting database connections.

To use code signing with your Lambda function, configure it with a code-signing configuration. When a user attempts to deploy a code package, Lambda checks that the code package has a valid signature from a trusted publisher. The code-signing configuration includes a set of signing profiles, which define the trusted publishers for this function.
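The following is an added example, not code from the AWS documentation: a small Python audit that checks function configuration records for the settings described above (secret-like environment variables with no customer managed KMS key, unsigned deployment packages, and missing VPC connections). It assumes records shaped like the Lambda `GetFunctionConfiguration` response; the sample records, the name heuristic, and the `require_vpc` switch are constructed for illustration.

```python
import re

# Heuristic, an assumption of this example: names that usually hold credentials.
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)

def audit_function(cfg, require_vpc=False):
    """Return finding strings for one GetFunctionConfiguration-shaped dict."""
    findings = []
    variables = (cfg.get("Environment") or {}).get("Variables") or {}
    secret_like = sorted(name for name in variables if SECRET_NAME.search(name))
    # KMSKeyArn is only present when a customer managed key is configured;
    # without it the variables use Lambda's default at-rest encryption.
    if secret_like and not cfg.get("KMSKeyArn"):
        findings.append("secret-like vars on default key: " + ", ".join(secret_like))
    # SigningProfileVersionArn is only present for a signed deployment package.
    if not cfg.get("SigningProfileVersionArn"):
        findings.append("deployment package is not signed")
    vpc = cfg.get("VpcConfig") or {}
    if require_vpc and not vpc.get("SubnetIds"):
        findings.append("no VPC connection")
    return findings

def audit_all(configs, require_vpc=False):
    """Map function name -> findings, omitting functions with none."""
    report = {}
    for cfg in configs:
        findings = audit_function(cfg, require_vpc)
        if findings:
            report[cfg["FunctionName"]] = findings
    return report

# Constructed sample records (placeholders, not real resources).
SAMPLE = [
    {"FunctionName": "orders-api",
     "Environment": {"Variables": {"DB_PASSWORD": "example", "STAGE": "prod"}},
     "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": []}},
    {"FunctionName": "billing-worker",
     "Environment": {"Variables": {"API_TOKEN": "example"}},
     "KMSKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
     "SigningProfileVersionArn": "arn:aws:signer:us-east-1:111122223333:"
                                 "/signing-profiles/ExampleProfile/EXAMPLEVERSION",
     "VpcConfig": {"SubnetIds": ["subnet-EXAMPLE"], "SecurityGroupIds": ["sg-EXAMPLE"]}},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE, require_vpc=True).items():
        print(name, findings)
```

In practice the records would come from `list_functions` or `get_function_configuration` in an AWS SDK. Not every function needs a VPC connection, so the VPC check is opt-in.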

For more information about designing Lambda applications, see Application design in the Lambda operator guide.