AWS Lambda now provides IAM condition keys for VPC settings

Posted on: Aug 10, 2020

You can now govern the virtual private cloud (VPC) settings for your Lambda functions using IAM condition keys. Using these condition keys, you can enforce that users deploy only functions that are connected to a VPC. VPC-enabled functions send all traffic through your VPC and abide by your VPC’s network controls. You can use these network controls to define where your functions can connect, and to restrict access to network locations, including the public internet.

You can use the new condition keys in Identity and Access Management (IAM) policies when granting permissions to create and update functions. The three new condition keys for VPC settings – lambda:VpcIds, lambda:SubnetIds, and lambda:SecurityGroupIds – specify the allowed VPCs, subnets, and security groups respectively; each key accepts one or more IDs. If users try to create or update a function with VPC settings that are not allowed, Lambda rejects the operation.
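As an added illustration (not from the announcement or the Lambda documentation), the following IAM policy combines the three keys into a deny-only guardrail that can be attached alongside the developers' normal Lambda permissions. It rejects any CreateFunction or UpdateFunctionConfiguration call that either omits a VPC or names a VPC, subnet, or security group outside an approved set; all resource IDs below are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyFunctionsNotInVpc",
      "Effect": "Deny",
      "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionConfiguration"],
      "Resource": "*",
      "Condition": { "Null": { "lambda:VpcIds": "true" } }
    },
    {
      "Sid": "DenyUnapprovedVpc",
      "Effect": "Deny",
      "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionConfiguration"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringNotEquals": { "lambda:VpcIds": ["vpc-0123456789abcdef0"] }
      }
    },
    {
      "Sid": "DenyUnapprovedSubnets",
      "Effect": "Deny",
      "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionConfiguration"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringNotEquals": {
          "lambda:SubnetIds": ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"]
        }
      }
    },
    {
      "Sid": "DenyUnapprovedSecurityGroups",
      "Effect": "Deny",
      "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionConfiguration"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringNotEquals": { "lambda:SecurityGroupIds": ["sg-0ccccccccccccccccc"] }
      }
    }
  ]
}
```

Each key sits in its own statement because multiple keys under one condition operator are ANDed, which would make the deny fire only when all three were unapproved at once; the separate Null statement is needed because the ForAnyValue set operators evaluate to false when the key is absent from the request, so a function with no VPC would otherwise slip past the other three denies.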

The new condition keys for VPC settings are available in all AWS Regions where Lambda is available, with the exception of the AWS China Regions. To learn more about the new condition keys, read our blog or see Using IAM condition keys for VPC settings in the Lambda Developer Guide. To learn more about using IAM condition keys, see IAM JSON Policy Elements: Condition in the IAM User Guide.