
AWS::Lambda::Function - New capability - FileSystemConfigs needs VpcConfig #4369

@r-heimann

Description


Is this feature request related to a new rule or cfn-lint capabilities?

New capability

Describe the feature you'd like to request

When trying to create a Lambda Function using FileSystemConfigs, cfn-lint currently doesn't give an error if no VpcConfig is specified:

AWSTemplateFormatVersion: 2010-09-09
Description: Test


Resources:
  EFSVolume:
    Type: AWS::EFS::FileSystem


  EFSMountTarget:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !GetAtt EFSVolume.FileSystemId
      SubnetId: <subnet>
      SecurityGroups:
        - !GetAtt EFSSecurityGroup.GroupId


  EFSSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Security Group"
      VpcId: <vpc>
      # SecurityGroupIngress:
      #   - Description: "Lambda"
      #     IpProtocol: tcp
      #     FromPort: 2049
      #     ToPort: 2049
      #     SourceSecurityGroupId: !GetAtt LambdaSecurityGroup.GroupId


  EFSAccessPoint:
    Type: AWS::EFS::AccessPoint
    Properties:
      FileSystemId: !GetAtt EFSVolume.FileSystemId


  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      # Policies:
      #   - PolicyName: "InlinePolicy"
      #     PolicyDocument:
      #       Version: 2012-10-17
      #       Statement:
      #         - Sid: "ENIAccess"
      #           Effect: Allow
      #           Action:
      #             - ec2:CreateNetworkInterface
      #             - ec2:DescribeNetworkInterfaces
      #             - ec2:DeleteNetworkInterface
      #           Resource: "*"


  LambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Role: !GetAtt LambdaExecutionRole.Arn
      Handler: index.lambda_handler
      Runtime: python3.13
      # VpcConfig:
      #   SecurityGroupIds:
      #     - !GetAtt LambdaSecurityGroup.GroupId
      #   SubnetIds:
      #     - <subnet>
      FileSystemConfigs:
        - Arn: !GetAtt EFSAccessPoint.Arn
          LocalMountPath: /mnt/efs
      Code:
        ZipFile: |
          def lambda_handler(event, context):
            print("Test")


  # LambdaSecurityGroup:
  #   Type: AWS::EC2::SecurityGroup
  #   Properties:
  #     GroupDescription: "SecurityGroup"
  #     VpcId: <vpc>

Describe the solution you'd like

cfn-lint should give the user an error if no VpcConfig is specified.

Additional context

CloudFormation error message:

Function must be configured to execute in a VPC to reference access point arn:aws:elasticfilesystem:...
Please update the function configuration to include VPC subnets and security groups.

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this feature request

Would this feature include a breaking change?

  • ⚠️ This feature might incur a breaking change
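A stand-alone version of the check this issue asks for, added here as an example; it is not code from cfn-lint or from the issue author. It works on an already-parsed template dict (the shape a cfn-lint rule receives), uses only the standard library, and deliberately stays quiet when FileSystemConfigs or VpcConfig is set through an intrinsic such as Fn::If, since that value is only known at deploy time. The sample templates at the bottom are constructed to mirror the issue's template; the subnet ID in the "good" variant is a placeholder.

```python
import json

LAMBDA_TYPE = "AWS::Lambda::Function"
# Intrinsic functions whose result is only known at deploy time.
INTRINSICS = {"Ref", "Fn::If", "Fn::GetAtt", "Fn::Sub", "Fn::Select",
              "Fn::FindInMap", "Fn::ImportValue", "Fn::Join", "Fn::Split"}


def _is_intrinsic(value):
    """True for a single-key dict such as {"Fn::If": [...]}, which the check
    cannot resolve statically and therefore does not report on."""
    return (isinstance(value, dict) and len(value) == 1
            and next(iter(value)) in INTRINSICS)


def find_efs_without_vpc(template):
    """Return one message per AWS::Lambda::Function that declares
    FileSystemConfigs but lacks a VpcConfig with both SubnetIds and
    SecurityGroupIds, the combination CloudFormation rejects at deploy time."""
    findings = []
    for name, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != LAMBDA_TYPE:
            continue
        props = resource.get("Properties") or {}
        fs_configs = props.get("FileSystemConfigs")
        if not fs_configs or _is_intrinsic(fs_configs):
            continue  # no EFS mount, or one chosen at deploy time
        vpc = props.get("VpcConfig")
        if _is_intrinsic(vpc):
            continue  # e.g. Fn::If; cannot decide statically
        if not isinstance(vpc, dict):
            vpc = {}
        missing = [k for k in ("SubnetIds", "SecurityGroupIds") if not vpc.get(k)]
        if missing:
            findings.append(
                f"Resources/{name}/Properties/FileSystemConfigs: function must "
                f"run in a VPC; VpcConfig is missing {', '.join(missing)}"
            )
    return findings


def lint_json(text):
    """Same check for a JSON-format template passed as text."""
    return find_efs_without_vpc(json.loads(text))


# Constructed sample mirroring the issue's template with VpcConfig left out.
BAD_TEMPLATE = {
    "Resources": {
        "EFSAccessPoint": {
            "Type": "AWS::EFS::AccessPoint",
            "Properties": {"FileSystemId": {"Fn::GetAtt": ["EFSVolume", "FileSystemId"]}},
        },
        "LambdaFunction": {
            "Type": LAMBDA_TYPE,
            "Properties": {
                "Role": {"Fn::GetAtt": ["LambdaExecutionRole", "Arn"]},
                "Handler": "index.lambda_handler",
                "Runtime": "python3.13",
                "FileSystemConfigs": [{"Arn": {"Fn::GetAtt": ["EFSAccessPoint", "Arn"]},
                                       "LocalMountPath": "/mnt/efs"}],
            },
        },
    }
}

# Same function with the VpcConfig the CloudFormation error asks for.
GOOD_TEMPLATE = json.loads(json.dumps(BAD_TEMPLATE))
GOOD_TEMPLATE["Resources"]["LambdaFunction"]["Properties"]["VpcConfig"] = {
    "SubnetIds": ["subnet-00000000"],  # placeholder ID, constructed for the example
    "SecurityGroupIds": [{"Fn::GetAtt": ["LambdaSecurityGroup", "GroupId"]}],
}

if __name__ == "__main__":
    for label, tpl in (("bad", BAD_TEMPLATE), ("good", GOOD_TEMPLATE)):
        print(label, find_efs_without_vpc(tpl) or "no findings")
```

Requiring both SubnetIds and SecurityGroupIds rather than just the presence of a VpcConfig key matches the wording of the CloudFormation error above, which asks for "VPC subnets and security groups". To ship this inside cfn-lint the same logic would live in a rule class that returns matches with the property path, which is why the messages here already carry the Resources/<name>/Properties/... path.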
