AWS CloudFormation Lambda Functions
Overview
Create production-ready Lambda functions using CloudFormation templates with validation and deployment workflows.
When to Use
- Creating Lambda functions with CloudFormation
- Configuring event sources (S3, SQS, DynamoDB, Kinesis)
- Implementing Lambda layers and cold start optimization
- Integrating Lambda with API Gateway
- Deploying Lambda infrastructure with validation
Deployment Workflow
Always follow this deployment workflow:
1. Validate Template
aws cloudformation validate-template --template-body file://template.yaml
2. Deploy Stack
aws cloudformation deploy \
--template-file template.yaml \
--stack-name my-lambda-stack \
--capabilities CAPABILITY_IAM \
--parameter-overrides Environment=prod
3. Monitor Stack Events
aws cloudformation describe-stack-events \
--stack-name my-lambda-stack \
--query 'StackEvents[?ResourceStatus==`CREATE_FAILED`||ResourceStatus==`UPDATE_FAILED`]'
4. Verify Resources
aws lambda get-function --function-name my-lambda-stack-function
aws cloudformation describe-stacks --stack-name my-lambda-stack \
--query 'Stacks[0].StackStatus'
5. Rollback on Failure
aws cloudformation delete-stack --stack-name my-lambda-stack
aws logs describe-log-groups --log-group-name-prefix "/aws/lambda/my-lambda"
Instructions
Follow these steps to create Lambda functions with CloudFormation:
1. Define Lambda Function Parameters
Specify runtime, memory, timeout, and environment variables:
Parameters:
FunctionMemory:
Type: Number
Default: 256
AllowedValues:
- 128
- 256
- 512
- 1024
- 2048
Description: Lambda function memory in MB
FunctionTimeout:
Type: Number
Default: 30
MinValue: 1
MaxValue: 900
Description: Function timeout in seconds
Runtime:
Type: String
Default: nodejs20.x
AllowedValues:
- nodejs20.x
- python3.11
- java21
- dotnet8
- go1.x
Description: Lambda runtime environment
2. Create Lambda Function
Define the basic function configuration:
Resources:
LambdaFunction:
Type: AWS::Lambda::Function
Properties:
FunctionName: !Sub "${AWS::StackName}-function"
Runtime: !Ref Runtime
Handler: index.handler
Role: !Ref ExecutionRole
MemorySize: !Ref FunctionMemory
Timeout: !Ref FunctionTimeout
Code:
S3Bucket: !Ref CodeBucket
S3Key: !Ref CodeKey
Environment:
Variables:
LOG_LEVEL: INFO
DATABASE_URL: !Ref DatabaseUrl
Tags:
- Key: Environment
Value: !Ref Environment
3. Configure Execution Role
Apply least privilege IAM policies:
Resources:
ExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName: S3ReadAccess
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- s3:GetObject
Resource: !Sub "${DataBucket.Arn}/*"
4. Add Event Sources
Configure triggers for Lambda invocation:
Resources:
# S3 event source
S3EventSource:
Type: AWS::Lambda::EventSourceMapping
Properties:
EventSourceArn: !GetAtt DataBucket.Arn
FunctionName: !Ref LambdaFunction
# SQS event source
SQSEventSource:
Type: AWS::Lambda::EventSourceMapping
Properties:
EventSourceArn: !GetAtt Queue.Arn
FunctionName: !Ref LambdaFunction
BatchSize: 10
MaximumBatchingWindowInSeconds: 5
5. Configure API Gateway Integration
Set up REST or HTTP API integration:
Resources:
# HTTP API integration
HttpApi:
Type: AWS::ApiGatewayV2::Api
Properties:
Name: !Sub "${AWS::StackName}-api"
ProtocolType: HTTP
Target: !Ref LambdaFunction
ApiIntegration:
Type: AWS::ApiGatewayV2::Integration
Properties:
ApiId: !Ref HttpApi
IntegrationType: AWS_PROXY
IntegrationUri: !Sub "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${LambdaFunction.Arn}/invocations"
6. Implement Versioning and Aliases
Create function versions and aliases:
Resources:
LambdaVersion:
Type: AWS::Lambda::Version
Properties:
FunctionName: !Ref LambdaFunction
Description: !Sub "Version ${AWS::StackName} v1"
LambdaAlias:
Type: AWS::Lambda::Alias
Properties:
FunctionName: !Ref LambdaFunction
FunctionVersion: !GetAtt LambdaVersion.Version
Name: live
7. Configure Monitoring
Enable CloudWatch logging and X-Ray tracing:
Resources:
LambdaFunction:
Type: AWS::Lambda::Function
Properties:
LoggingConfig:
LogGroup: !Ref LogGroup
TracingConfig:
Mode: Active
LogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: !Sub "/aws/lambda/${LambdaFunction}"
RetentionInDays: 7
8. Set Up Dead Letter Queue
Configure DLQ for failed invocations:
Resources:
DeadLetterQueue:
Type: AWS::SQS::Queue
Properties:
QueueName: !Sub "${AWS::StackName}-dlq"
LambdaFunction:
Type: AWS::Lambda::Function
Properties:
DeadLetterConfig:
TargetArn: !GetAtt DeadLetterQueue.Arn
Examples
Complete Lambda Stack Template
AWSTemplateFormatVersion: '2010-09-09'
Description: Lambda function with monitoring and DLQ
Parameters:
FunctionMemory:
Type: Number
Default: 256
AllowedValues: [128, 256, 512, 1024]
FunctionTimeout:
Type: Number
Default: 30
Resources:
ExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal: { Service: lambda.amazonaws.com }
Action: sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
LambdaFunction:
Type: AWS::Lambda::Function
Properties:
FunctionName: !Sub "${AWS::StackName}-function"
Runtime: nodejs20.x
Handler: index.handler
Role: !GetAtt ExecutionRole.Arn
MemorySize: !Ref FunctionMemory
Timeout: !Ref FunctionTimeout
Code:
S3Bucket: !Ref CodeBucket
S3Key: !Ref CodeKey
Environment:
Variables:
LOG_LEVEL: INFO
LambdaVersion:
Type: AWS::Lambda::Version
Properties:
FunctionName: !Ref LambdaFunction
LambdaAlias:
Type: AWS::Lambda::Alias
Properties:
FunctionName: !Ref LambdaFunction
FunctionVersion: !GetAtt LambdaVersion.Version
Name: live
Outputs:
FunctionArn:
Value: !GetAtt LambdaFunction.Arn
FunctionName:
Value: !Ref LambdaFunction
Best Practices
Performance Optimization
- Use SnapStart for Java functions to eliminate cold starts
- Use provisioned concurrency for critical functions requiring low latency
- Keep deployment packages small (< 50 MB zipped)
- Optimize memory size based on function requirements
- Use appropriate timeout values (avoid maximum timeout)
- Configure reserved concurrency to prevent throttling
Cost Optimization
- Right-size memory allocation for cost efficiency
- Use provisioned concurrency strategically (adds cost when idle)
- Monitor Lambda duration and optimize for faster execution
- Use ephemeral storage (/tmp) efficiently
- Clean up unused Lambda functions and versions
- Consider Lambda PowerTuning for optimal memory/power configuration
Security
- Apply least privilege IAM policies to execution roles
- Encrypt environment variables at rest
- Use VPC endpoints for private AWS service access
- Rotate IAM credentials regularly
- Implement VPC configuration for private function access
- Use AWS KMS for encrypting sensitive data
Reliability
- Configure Dead Letter Queue for async invocations
- Implement retry logic with exponential backoff
- Use CloudWatch alarms for error monitoring
- Test Lambda functions thoroughly before deployment
- Implement circuit breakers for downstream service failures
- Use canary deployments with Lambda aliases
Monitoring and Observability
- Enable CloudWatch Logs for all functions
- Use X-Ray tracing for distributed tracing
- Configure CloudWatch metrics for performance monitoring
- Set up alarms for errors, throttles, and duration
- Use Lambda Insights for debugging
- Monitor concurrent executions and throttling
Versioning and Deployment
- Use Lambda aliases for production environments (live, staging)
- Implement canary deployments with weighted aliases
- Create function versions for immutable deployments
- Use SAM or AWS CDK for simplified Lambda deployments
- Implement blue/green deployments with Lambda aliases
- Test function changes in development environment first
Constraints and Warnings
- Timeout limits: Lambda timeout max is 900 seconds (15 min); set appropriate values to avoid orphaned executions
- Deployment package size: Zipped packages max 50 MB, unzipped max 250 MB (including layers)
- Layer limits: Max 5 layers per function; each layer max 50 MB (unzipped)
- Environment variables: Max 4 KB for all variables; encrypt sensitive values with KMS
- Cold starts: Java and .NET functions have longer cold starts; use SnapStart or Provisioned Concurrency for latency-sensitive workloads
- Concurrent execution: Default limit 1000 per region; request increase for high-traffic functions
- VPC networking: Lambda in VPC adds 10-30 second cold start overhead for first invocation
- IAM permissions: Never use
*in Resource policies; always scope to specific resources - Dead Letter Queue: Required for async invocations; ensure DLQ is in same region as function
- Cost monitoring: Enable billing alerts; Lambda charges per invocation and duration
References
For detailed implementation guidance, see:
- constraints.md - Resource limits (function limits, concurrent execution, timeout, memory), deployment constraints (function size, layer size, environment variables), operational constraints (cold starts, VPC networking, event sources, DLQ), security constraints (execution role, resource policies, VPC endpoints), cost considerations (provisioned concurrency, duration, memory, data transfer), and performance constraints (SnapStart, layer versioning, X-Ray tracing, async invocation)