1 Answer
When communicating with AWS services to create, update, delete or otherwise control them you communicate with the service endpoints. For CloudFront, the service endpoints are different from the Point of Presence (POP) endpoints. The IP prefix range you're using is for the POPs, not the service endpoints.
Service endpoints are listed in the documentation and in this case (because CloudFront is a global service) you probably want to allow access to cloudfront.amazonaws.com.
Edit: If your intention is to have the Lambda function only access specific functions in the CloudFront API (in this case, invalidation) then a better way is to use an IAM policy for the Lambda function so that it is the only AWS service and function that it can call.
I tried getting all IP addresses from https://ip-ranges.amazonaws.com/ip-ranges.json tagged as CLOUDFRONT (144 IPs) and allowing HTTPS outbound. But I am still getting a timeout.
If I do nslookup cloudfront.amazonaws.com from a server in the same subnet as the Lambda, I get the IP 54.239.29.51, which is not listed in the ip-ranges.json.
The IP ranges from the ip-ranges.json file are the ones for the POPs, not for the service itself. It is better to allow this communication using the domain name; you can do it using Network Firewall or DNS Firewall. Otherwise you will have to allow all the IP ranges from this file, which is huge and will hit the limit for security groups.
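An added example (not code from the thread) that illustrates both points above: it checks which service tag in an ip-ranges.json-shaped document covers a given address, so you can see that the service endpoint IP is not inside the CLOUDFRONT POP prefixes a security group was built from, and it builds the least-privilege IAM policy the answer's edit recommends. The prefix entries are a constructed sample in the real file's layout, and the distribution and account IDs are placeholders.

```python
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# Only a few entries are included; the real file has many hundreds.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL",
         "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
        {"ip_prefix": "205.251.200.0/21", "region": "GLOBAL",
         "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
        {"ip_prefix": "52.94.0.0/22", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
    ],
})


def prefixes_for_service(ip_ranges_json, service):
    """Return the IPv4 networks tagged with the given service (e.g. CLOUDFRONT)."""
    data = json.loads(ip_ranges_json)
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"] if p["service"] == service]


def services_covering(ip_ranges_json, ip):
    """Return the set of service tags whose prefixes contain `ip`.

    An empty set means no prefix in the file covers the address, which is
    what the thread observed for the cloudfront.amazonaws.com endpoint IP.
    """
    data = json.loads(ip_ranges_json)
    addr = ipaddress.ip_address(ip)
    return {p["service"] for p in data["prefixes"]
            if addr in ipaddress.ip_network(p["ip_prefix"])}


def invalidation_policy(distribution_id, account_id):
    """Least-privilege execution-role policy: only CreateInvalidation on one distribution."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "cloudfront:CreateInvalidation",
            "Resource": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}",
        }],
    }


if __name__ == "__main__":
    # 54.239.29.51 is the endpoint address reported in the thread; 13.33.1.1 is a constructed POP-range address.
    print("endpoint covered by:", services_covering(SAMPLE_IP_RANGES, "54.239.29.51"))
    print("POP address covered by:", services_covering(SAMPLE_IP_RANGES, "13.33.1.1"))
    print(json.dumps(invalidation_policy("EXAMPLEDISTID", "123456789012"), indent=2))
```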