Hello, AWS Budget Actions are what you are looking for. So on top of a notification you can allow Budget Actions to apply an IAM policy in your account to block something from running. i.e. remove permission from Lambda usage via an SCP being added to your accounts: https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-controls.html#budgets-action-role
You can apply it to the Lambda itself too if you script it, this could be used to apply an IAM policy to your Lambda that denies the invoke permissions. Here's some info on Lambda policies. https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.Authorizing.IAM.LambdaCreatePolicy.html
Good question.
This could be done via Budget Actions.
Rob_H has some good recommendations. Keep in mind:
- SCPs (Service Control Policies) would require usage of AWS Organizations and familiarity with how SCPs work/get applied to accounts. That would also require access to your company's Organizations and SCP Management (which could be complex).
- You could apply an IAM Policy which would not require AWS Organizations, but this would need to be applied wherever the Lambda is being invoked from. For this, you could simply apply an extra deny policy to your developer user(s) and/or role(s) - but keep in mind that you don't want the developers to be able to detach/remove the policy.
- Another IAM Policy could be to apply a broad Deny to the Lambda Execution Role (this works best if the Lambda is within a VPC), and would fail to spin up from lack of networking permissions (https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html). This would not be ideal as the lambda would kick off and immediately fail.