AWS Budget action for Lambda function

0

Hello folks, hope you are well and safe, and I also hope that this question isn't an already asked question.

I'm here to ask you for a brief explanation of how I can stop calling a Lambda function when a budget alert (both Actual and Forecasted) is surpassed. I'll try to explain myself better: I want to avoid a situation where, due to an error in the Development env, the system calls a Lambda function many times. I've set up 3 alerts, but I want to add an action that makes the calls to the Lambda function inactive/non-responsive. Is there a way to achieve this behaviour?

Best regards.

asked 2 years ago · 1057 views
2 Answers
0

Hello, AWS Budget Actions are what you are looking for. So on top of a notification you can allow Budget Actions to apply an IAM policy in your account to block something from running. i.e. remove permission from Lambda usage via an SCP being added to your accounts: https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-controls.html#budgets-action-role

You can apply it to the Lambda itself too if you script it; this could be used to apply an IAM policy to your Lambda that denies the invoke permissions. Here's some info on Lambda policies: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.Authorizing.IAM.LambdaCreatePolicy.html

AWS EXPERT
Rob_H
answered 2 years ago
0

Good question.

This could be done via Budget Actions.

Rob_H has some good recommendations. Keep in mind:

  • SCPs (Service Control Policies) would require usage of AWS Organizations and familiarity with how SCPs work/get applied to accounts. That would also require access to your company's Organizations and SCP Management (which could be complex).
  • You could apply an IAM Policy which would not require AWS Organizations, but this would need to be applied wherever the Lambda is being invoked from. For this, you could simply apply an extra deny policy to your developer user(s) and/or role(s) - but keep in mind that you don't want the developers to be able to detach/remove the policy.
  • Another IAM Policy could be to apply a broad Deny to the Lambda Execution Role (this works best if the Lambda is within a VPC), and it would fail to spin up from lack of networking permissions (https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html). This would not be ideal as the Lambda would kick off and immediately fail.
jsonc
answered 2 years ago
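The approach both answers describe (a budget action that attaches a deny policy, plus jsonc's point that developers must not be able to detach it), as an added example that is not from either answer or from AWS. It assumes boto3's `budgets.create_budget_action` request shape and constructed account, role, policy and function names; `is_denied` is a simplified matcher that ignores Conditions and Allows and only shows the policy's intended effect.

```python
from fnmatch import fnmatchcase

# Constructed sample values (assumptions, not from the thread); replace with your own.
ACCOUNT = "123456789012"
DEV_ROLE_NAME = "DevInvokeRole"  # IamActionDefinition takes role names, not ARNs
KILL_SWITCH_ARN = f"arn:aws:iam::{ACCOUNT}:policy/BudgetLambdaKillSwitch"
LAMBDA_ARN = f"arn:aws:lambda:eu-west-1:{ACCOUNT}:function:dev-worker"

def kill_switch_policy(function_arn: str, self_arn: str) -> dict:
    """Managed policy the budget action attaches. An explicit Deny overrides any
    Allow, so the role loses invoke rights and cannot remove or edit this policy."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInvoke", "Effect": "Deny", "Action": "lambda:InvokeFunction",
         "Resource": [function_arn, function_arn + ":*"]},  # also versions/aliases
        {"Sid": "DenyDetach", "Effect": "Deny", "Resource": "*",
         "Action": ["iam:DetachRolePolicy", "iam:DetachUserPolicy", "iam:DetachGroupPolicy"],
         "Condition": {"ArnEquals": {"iam:PolicyARN": self_arn}}},
        {"Sid": "DenyDelete", "Effect": "Deny", "Resource": self_arn,
         "Action": ["iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:CreatePolicyVersion"]},
    ]}

def budget_action_request(budget_name: str, notification_type: str, threshold_pct: float,
                          execution_role_arn: str, email: str) -> dict:
    """Keyword arguments for boto3 budgets.create_budget_action(**...). Budgets assumes
    execution_role_arn to attach the kill-switch policy to DEV_ROLE_NAME; create one
    action per NotificationType ("ACTUAL" and "FORECASTED") if you want both."""
    return {
        "AccountId": ACCOUNT, "BudgetName": budget_name,
        "NotificationType": notification_type, "ActionType": "APPLY_IAM_POLICY",
        "ActionThreshold": {"ActionThresholdValue": threshold_pct,
                            "ActionThresholdType": "PERCENTAGE"},
        "Definition": {"IamActionDefinition": {"PolicyArn": KILL_SWITCH_ARN,
                                               "Roles": [DEV_ROLE_NAME]}},
        "ExecutionRoleArn": execution_role_arn,
        "ApprovalModel": "AUTOMATIC",  # MANUAL waits for a person to approve in the console
        "Subscribers": [{"SubscriptionType": "EMAIL", "Address": email}],
    }

def is_denied(policy: dict, action: str, resource: str) -> bool:
    """Simplified check of the policy's intended effect: True when a Deny statement
    matches action and resource (wildcards honoured, Conditions ignored)."""
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if st["Effect"] == "Deny" and any(fnmatchcase(action, a) for a in acts) \
                and any(fnmatchcase(resource, r) for r in res):
            return True
    return False
```

Create the managed policy once with `iam.create_policy` and let the budget action attach it; detaching it again after the incident is a deliberate, auditable step rather than something the blocked role can do for itself.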
