
We have AWS accounts created and managed using the Control Tower service.

The requirement is to restrict internet access from Lambda even when it is not attached to any VPC.

By default, Lambda functions can connect to the internet if they are not connected to any VPC.

How do we enforce restricting internet access for users' Lambda functions?

2 Answers


  1. Chosen as BEST ANSWER

    We have addressed this requirement by creating a service control policy with the statements below and attaching it to the OU.

    It forces users to select a VPC, subnet and security group while creating/updating the Lambda function. With this you can make sure the Lambda functions are always under your VPC.

    Ref: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-conditions

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EnforceVPCFunction",
          "Action": [
            "lambda:CreateFunction",
            "lambda:UpdateFunctionConfiguration"
          ],
          "Effect": "Deny",
          "Resource": "*",
          "Condition": {
            "Null": {
               "lambda:VpcIds": "true"
            }
          }
        }
      ]
    }
    

    Refer to the AWS documentation above for the policy statements that enforce the restriction at different levels, such as subnet, security group and VPC.
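To see exactly which API calls a policy like the one above denies, here is an added Python simulation (not AWS's policy engine, and not part of the answer) of the two IAM condition operators involved: the `Null` check used in the accepted answer, and `ForAnyValue:StringNotEquals`, which is the operator to use when a Deny should fire if any supplied subnet or security group is outside an approved list. All VPC, subnet and security-group IDs and the request contexts are constructed placeholders. Keep in mind that such an SCP only forces the function to be attached to a VPC; whether the attached function can actually reach the internet is decided by the subnet's route table (NAT gateway or internet gateway routes) and its security group.

```python
"""Local simulation of how an SCP like the accepted answer's evaluates.

Added example: this is not AWS's policy engine and not the answerer's code.
It models the IAM condition operators "Null" and "ForAnyValue:StringNotEquals"
just far enough to show which CreateFunction / UpdateFunctionConfiguration
request contexts an SCP denies. All VPC, subnet and security-group IDs and
the request contexts below are constructed placeholders.
"""

LAMBDA_NETWORK_ACTIONS = ["lambda:CreateFunction", "lambda:UpdateFunctionConfiguration"]

# Statement 1: the accepted answer's statement (deny when no VPC is supplied).
ENFORCE_VPC = {
    "Sid": "EnforceVPCFunction",
    "Action": LAMBDA_NETWORK_ACTIONS,
    "Effect": "Deny",
    "Resource": "*",
    "Condition": {"Null": {"lambda:VpcIds": "true"}},
}

# Statements 2 and 3: deny if ANY supplied subnet / security group is outside
# the approved list (placeholder IDs). Kept as two separate statements on
# purpose: keys inside one condition block are ANDed, so a single block with
# both keys would only deny when both subnets AND security groups were unapproved.
ENFORCE_SUBNETS = {
    "Sid": "EnforceApprovedSubnets",
    "Action": LAMBDA_NETWORK_ACTIONS,
    "Effect": "Deny",
    "Resource": "*",
    "Condition": {"ForAnyValue:StringNotEquals": {"lambda:SubnetIds": ["subnet-0aaa", "subnet-0bbb"]}},
}
ENFORCE_SGS = {
    "Sid": "EnforceApprovedSecurityGroups",
    "Action": LAMBDA_NETWORK_ACTIONS,
    "Effect": "Deny",
    "Resource": "*",
    "Condition": {"ForAnyValue:StringNotEquals": {"lambda:SecurityGroupIds": ["sg-0ccc"]}},
}

SCP = {"Version": "2012-10-17", "Statement": [ENFORCE_VPC, ENFORCE_SUBNETS, ENFORCE_SGS]}


def _null_matches(context, key, expected):
    # "Null": {key: "true"} matches when the key is absent from the request context.
    present = key in context and context[key] not in (None, [])
    return (not present) if expected == "true" else present


def _for_any_value_string_not_equals(context, key, allowed):
    # Matches when at least one request value is not in the allowed set.
    # If the key is absent, there is no value that can match, so the result is False.
    values = context.get(key)
    if not values:
        return False
    return any(v not in allowed for v in values)


def statement_matches(stmt, action, context):
    """True when the statement's Action list and every condition key match the request."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if action not in actions:
        return False
    for operator, key_values in stmt["Condition"].items():
        for key, expected in key_values.items():
            if operator == "Null":
                ok = _null_matches(context, key, expected)
            elif operator == "ForAnyValue:StringNotEquals":
                ok = _for_any_value_string_not_equals(context, key, set(expected))
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False  # all keys in a statement's condition must match
    return True


def evaluate(policy, action, context):
    """Return the first explicit Deny that matches, or "NotDenied".

    An SCP never grants access by itself; "NotDenied" only means the identity
    policy still decides. An explicit Deny always wins."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and statement_matches(stmt, action, context):
            return f"Deny ({stmt['Sid']})"
    return "NotDenied"


def request_context(vpc_id=None, subnet_ids=(), security_group_ids=()):
    """Condition-key context Lambda derives from the VpcConfig parameter.

    Lambda resolves the VPC from the subnets in the real API call; here the
    caller supplies vpc_id directly (a constructed shortcut, not an API field).
    Calling this with no arguments models a request that passes no VpcConfig."""
    if vpc_id is None:
        return {}
    return {
        "lambda:VpcIds": [vpc_id],
        "lambda:SubnetIds": list(subnet_ids),
        "lambda:SecurityGroupIds": list(security_group_ids),
    }


if __name__ == "__main__":
    cases = {
        "no VpcConfig": request_context(),
        "approved subnet and SG": request_context("vpc-0123", ["subnet-0aaa"], ["sg-0ccc"]),
        "one unapproved subnet": request_context("vpc-0123", ["subnet-0aaa", "subnet-0zzz"], ["sg-0ccc"]),
        "unapproved SG": request_context("vpc-0123", ["subnet-0bbb"], ["sg-0bad"]),
    }
    for name, ctx in cases.items():
        print(f"{name:24s} -> {evaluate(SCP, 'lambda:CreateFunction', ctx)}")
```

Running the module prints one line per constructed case; the "no VpcConfig" call is denied by the Null check, a call with an unapproved subnet or security group is denied by the corresponding statement, and a fully approved call is left to the identity policy. The split into three Deny statements is the design point: an IAM condition block ANDs its keys, so combining `lambda:SubnetIds` and `lambda:SecurityGroupIds` in one `ForAnyValue:StringNotEquals` block would be weaker than it looks.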


  2. Lambda is always in a VPC; when you don't specify a VPC, it's assigned to the default one, which has internet access configured.

    Create a new VPC (by default it won't have internet access) and assign your functions to it.
