When dealing with AWS services it's generally a bad idea / almost impossible to get an authoritative set of IP addresses for a particular service unless it is explicitly called out in the ip-ranges.json file that we publish.
In the case of STS (sts.us-east-1.amazonaws.com, sts.us-east-2.amazonaws.com, etc.), these are not called out explicitly and aren't part of EC2.
Instead I'd recommend configuring a proxy host that looks at the requested domain, and allowlists the sts endpoint(s) they'd like to access.
So add a Squid proxy to the VPC in a public subnet, configured to allowlist the STS endpoint(s) they want to communicate with. Configure the Lambda function to launch in the VPC, and use the IP address(es) / ELB of the Squid proxy to proxy your STS calls.