Posted On: Sep 1, 2020

You can now govern the virtual private cloud (VPC) settings for your Lambda functions using IAM condition keys. Using these condition keys, you can enforce that users only deploy functions that are connected to a VPC. VPC-enabled functions send all traffic through your VPC and abide by your VPC’s network controls. You can use these network controls to define where your functions can connect. You can also restrict access to network locations, including the public internet.  

You can use the new condition keys in Identity and Access Management (IAM) policies when granting permissions to create and update functions. The three new condition keys for VPC settings, lambda:VpcIds, lambda:SubnetIds, and lambda:SecurityGroupIds, specify the allowed VPCs, subnets, and security groups respectively; each key accepts one or more values. If users try to create a function with VPC settings that are not allowed, Lambda rejects the operation.
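The following identity-based policy is an added example of how these three condition keys can be combined, not a policy from the announcement or the Lambda Developer Guide. It assumes the principal is otherwise allowed nothing on Lambda, and the VPC, subnet, and security group IDs are placeholders to be replaced with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyFunctionsNotAttachedToAnyVpc",
      "Effect": "Deny",
      "Action": [
        "lambda:CreateFunction",
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": "*",
      "Condition": {
        "Null": { "lambda:VpcIds": "true" }
      }
    },
    {
      "Sid": "AllowDeployOnlyIntoApprovedNetwork",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "lambda:VpcIds": "vpc-0000EXAMPLE"
        },
        "ForAllValues:StringEquals": {
          "lambda:SubnetIds": ["subnet-aaaaEXAMPLE", "subnet-bbbbEXAMPLE"],
          "lambda:SecurityGroupIds": ["sg-ccccEXAMPLE"]
        }
      }
    }
  ]
}
```

The explicit Deny on a null lambda:VpcIds is what enforces "VPC only": ForAllValues:StringEquals evaluates to true when the request carries no subnet or security group values at all, so without that Deny a function with no VPC configuration would slip through the Allow statement. The Allow statement's two condition blocks are ANDed, so a request passes only if its VPC matches and every subnet and every security group it names is in the approved lists.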

The new condition keys for VPC settings are available in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. To learn more about the new condition keys, see Resource and Conditions for Lambda operations in the Lambda Developer Guide. To learn more about using IAM condition keys, see IAM JSON Policy Elements: Condition in the IAM User Guide.