Event Source Mapping

An event source mapping is a resource created and managed by Lambda that reads records from a supported service and invokes a function with them. It is designed for high-volume streaming data and message queues. Supported services:
  • DocumentDB
  • DynamoDB
  • Kinesis
  • MQ
  • MSK
  • Self-managed Apache Kafka
  • SQS
Records are delivered to the function in batches, and the batch size (number of records per invocation) is configurable.
AWS docs

Function URLs

  • A dedicated HTTP(S) endpoint for your Lambda function.
  • Can be invoked through any HTTP client (web browser, curl, Postman, etc.).
  • AuthType AWS_IAM requires callers to sign requests with IAM credentials and to hold the lambda:InvokeFunctionUrl permission (granted through an identity-based or resource-based policy). AuthType NONE performs no authentication, so the endpoint is public; the function's resource-based policy is still evaluated and must allow the public invocation.
  • Can be applied to any alias or version.
AWS docs

Interface Endpoint

An interface VPC endpoint establishes a private connection between your VPC and Lambda, so you can invoke your functions without traffic crossing the public internet.
AWS docs

Integration

  • Event source mapping - a resource created and managed by Lambda, designed for high-volume streaming data and queues.
  • Trigger - stored and managed by the service that generates the event; suited to discrete events and real-time processing.
AWS docs

Lambda with IaC

IaC tools for Lambda:
  • AWS CloudFormation - YAML or JSON templates to model and provision an entire infrastructure.
  • AWS Serverless Application Model (SAM) - a framework built on top of CloudFormation.
  • AWS Cloud Development Kit (CDK) - define infrastructure using a programming language.
AWS docs

Lambda Runtime

The runtime is the language-specific environment in which the function's code executes.
  • If the function is defined as a container image, the runtime is part of the image: choose it when building the image.
  • If the function is defined as a zip archive, choose the runtime when creating the deployment package.
Lambda reuses environments from previous invocations if possible.
AWS docs

Configuring Functions

  • Memory - between 128 and 10240 MB; CPU is allocated in proportion to memory. Use the Lambda Power Tuning Tool to estimate the right amount of memory.
  • Ephemeral storage - between 512 and 10240 MB; all data stored in /tmp is encrypted at rest.
  • Compute processor - arm64 (AWS Graviton2 processor) and x86_64 (for x86-based processors).
  • Timeout - 3 seconds by default, with a maximum value of 15 minutes.
  • Environment variables - adjust function behavior without updating the code.
AWS docs

Function Placement

  • VPC - place the function in your own VPC; the execution role needs additional permissions so that Lambda can create elastic network interfaces (ENIs) in your subnets. A VPC-attached function has no internet access unless you configure the VPC resources for it (security groups, NACLs, internet gateway, etc.).
  • Non-VPC - the function runs in a VPC managed by AWS and has access to the internet.
AWS docs

Aliases

  • Each alias has a unique ARN.
  • Points to one function version, or to at most 2 versions at the same time when routing is configured.
  • Can split invocation traffic between those 2 versions by weight.
AWS docs

Asynchronous Invocation

Several AWS services invoke functions asynchronously (e.g., S3, SNS). You can also invoke a function asynchronously yourself using the AWS CLI or an SDK.
AWS docs

Function Scaling

There is a soft limit on the number of concurrent Lambda function invocations across all functions in an AWS region: 1000.
  • Reserved concurrency - sets aside a number of concurrent instances that are guaranteed for the function.
  • Provisioned concurrency - keeps a number of execution environments pre-initialized and ready to respond (additional cost).
Because provisioned concurrency environments are already initialized, they respond faster (no cold start); reserved concurrency only guarantees capacity, not initialization.
AWS docs

Layers

Why use layers:
  • Reduce the size of your deployment packages
  • Separate core function logic from dependencies
  • Share dependencies across multiple functions
  • Use the console code editor
Think of a layer as a collection of libraries and configuration files that you can share across functions.
AWS docs

Versions

A version is an immutable snapshot of the function with its configuration. You can change the following settings for a published version: Lambda always creates an unpublished ($LATEST) version for you.
AWS docs

Permissions

There are 2 main categories of permissions to consider:
  • Resource-based policy - which principals (AWS accounts, users, roles, services) may perform which actions on the function, such as invoking it.
  • Execution role - what the Lambda function is allowed to do and on which resources. At a minimum, the function should be allowed to send data to CloudWatch Logs.
AWS docs

Code Signing

Code signing lets Lambda verify that deployment packages come from approved signing profiles and were not altered after signing. Lambda performs the following validation checks on a signed code package:
  • Integrity - validates that the code package has not been modified since it was signed.
  • Expiry - validates that the signature of the code package has not expired.
  • Mismatch - validates that the code package is signed with one of the signing profiles allowed for the function.
  • Revocation - validates that the signature of the code package has not been revoked.
AWS docs
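Putting the Function URLs, Permissions and Code Signing sections together as one CloudFormation template (an added example, not from the original notes or from AWS): a least-privilege execution role with the logs-only minimum, an IAM-authenticated function URL whose resource-based policy names a single caller role, and a code-signing config that rejects unsigned packages. The function name `example-fn`, the caller role `UrlCallerRole`, the signing profile and the artifact bucket are hypothetical placeholders.

```yaml
# Constructed example: execution role (what the function may do), resource-based
# policy (who may invoke its URL) and enforced code signing for one function.
Resources:
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement: [{ Effect: Allow, Principal: { Service: lambda.amazonaws.com }, Action: sts:AssumeRole }]
      Policies:
        - PolicyName: logs-only          # the minimum: write to CloudWatch Logs
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents]
                Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/example-fn:*"
  SigningProfile:                        # AWS Signer profile for Lambda packages (hypothetical)
    Type: AWS::Signer::SigningProfile
    Properties:
      PlatformId: AWSLambda-SHA384-ECDSA
  CodeSigningConfig:
    Type: AWS::Lambda::CodeSigningConfig
    Properties:
      AllowedPublishers: { SigningProfileVersionArns: [!GetAtt SigningProfile.ProfileVersionArn] }
      CodeSigningPolicies: { UntrustedArtifactOnDeployment: Enforce }   # Warn would only log the failure
  ExampleFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: example-fn
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt ExecutionRole.Arn
      CodeSigningConfigArn: !Ref CodeSigningConfig
      Code:                              # placeholder: the signed artifact a Signer job produced
        S3Bucket: placeholder-signed-artifact-bucket
        S3Key: signed/example-fn.zip
  FunctionUrl:
    Type: AWS::Lambda::Url
    Properties:
      TargetFunctionArn: !GetAtt ExampleFunction.Arn
      AuthType: AWS_IAM                  # NONE would make the endpoint public
  UrlInvokePermission:                   # resource-based policy on the function
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunctionUrl
      FunctionName: !Ref ExampleFunction
      FunctionUrlAuthType: AWS_IAM
      Principal: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/UrlCallerRole"   # placeholder caller
```

With UntrustedArtifactOnDeployment set to Enforce, deploying an unsigned or differently signed package fails the Integrity or Mismatch check and the update is rejected rather than merely logged.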