Unable to restrict Lambda actions based on private IP addresses in a service control policy | by Teri Radichel | Cloud Security | September 2023


ACM.313 IpAddress and NotIpAddress conditions do not work for Lambda on private IP addresses in an AWS SCP

Part of my series on Automating Cybersecurity Metrics. Container Security. Lambda. Network Security. Deploying a Static Website. The Code.


In the last article, I explained how to add a network restriction to Lambda functions within an AWS organizational unit (OU), limiting calls to a specific public IP address.

In this article, I’ll finally show you how to restrict access to call Lambda functions in an account on a private network.

Remember that I run an EC2 instance in a separate VPC, and my Lambda functions are in a private VPC. To allow the EC2 instance to reach the Lambda service over the private network, I need to add a VPC endpoint for Lambda to the EC2 VPC. I’m just going to do that manually for this test.

Try invoking the Lambda function again using the Invoke.sh script from the previous posts.

With the SCP restriction on the EC2 instance’s public IP address from the last post still in place, the call fails. Why?

VPC endpoints send traffic over private routes

Once you add the endpoint, all traffic to the Lambda service from this VPC takes the private route. In other words, after attaching the Lambda endpoint to my VPC, traffic from my EC2 instance to the Lambda service is sent from the instance’s private IP address to Lambda’s private IP addresses, not from the instance’s public IP address.

You can verify this as follows.

Go to the VPC dashboard.

Click Endpoints.

Mouse over your endpoint’s network interfaces.
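To make the failure concrete, here is an added example (not code from the article) that models how an SCP Deny using NotIpAddress on aws:SourceIp, in the shape of the restriction from the previous post, evaluates for the two request paths described above. The addresses, the policy statement and the request contexts are constructed for illustration.

```python
# Added example: models IAM condition evaluation for IpAddress / NotIpAddress.
# The policy and all addresses below are constructed, not the article's own SCP.
import ipaddress

EC2_PUBLIC_IP = "203.0.113.10"  # constructed public IP of the EC2 instance (TEST-NET-3)

# Constructed SCP statement: deny Lambda invocation unless the request's
# source IP is the instance's public IP.
SCP_DENY = {
    "Effect": "Deny",
    "Action": "lambda:InvokeFunction",
    "Resource": "*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": [f"{EC2_PUBLIC_IP}/32"]}},
}

def _in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def condition_matches(condition, context):
    """Evaluate IpAddress / NotIpAddress the way IAM does: every operator
    block must match, and a negated operator (NotIpAddress) also matches
    when the key is absent from the request context."""
    for op, keys in condition.items():
        for key, cidrs in keys.items():
            value = context.get(key)
            if op == "IpAddress":
                if value is None or not _in_any(value, cidrs):
                    return False
            elif op == "NotIpAddress":
                if value is not None and _in_any(value, cidrs):
                    return False
            else:
                raise ValueError(f"unsupported operator {op}")
    return True

def deny_applies(statement, context):
    return statement["Effect"] == "Deny" and condition_matches(statement["Condition"], context)

# Path 1: the instance reaches Lambda's public endpoint, so the request is
# seen from its public IP and the deny does not match.
INTERNET_PATH = {"aws:SourceIp": EC2_PUBLIC_IP}
# Path 2: traffic goes through the Lambda VPC endpoint and is sourced from the
# instance's private address (constructed), which is outside the /32: denied.
ENDPOINT_PATH = {"aws:SourceIp": "10.0.1.23"}
# Path 3: aws:SourceIp missing from the request context; a negated operator
# still matches, so the deny applies. Requests through a VPC endpoint carry
# aws:SourceVpce / aws:VpcSourceIp instead (AWS condition keys, not from the article).
NO_SOURCE_IP = {}

if __name__ == "__main__":
    for name, ctx in [("internet", INTERNET_PATH), ("vpc endpoint", ENDPOINT_PATH), ("no key", NO_SOURCE_IP)]:
        print(f"{name}: {'DENIED' if deny_applies(SCP_DENY, ctx) else 'allowed'}")
```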
