We have AWS accounts created and managed using control tower service.
The requirement is to restrict internet access from lambda even it is not attached to any VPC.
By default lambda functions can connect to internet if it is not connected to any VPC.
How do we enforce restricting internet access to users using lambda functions ?
2
Answers
We have addressed this requirement by creating a service control policy with below statements and attached to the OU.
It enforces the users to select a VPC, subnet and security group while creating/updating the lambda function. With this you can make sure the lambda functions are always under your VPC.
Ref: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-conditions
Refer the above AWS documentation to find the policy statements to enable restriction at different levels like subnet, Security group and VPC.
Lambda is always in a VPC,just when you don’t specify a VPC it’s assigned to default one which has internet access configured.
Create a new VPC, by default it won’t have internet access. And assign your functions to it.