Generate list of IPs used by AWS Lamba

Question

I have an IoT Enterprise button that (when pressed) triggers a Lambda function. The Lambda function sends an API "put" request to my Philips HUE bridge, which turns on (or off) my Living Room lights.

That much is 100% done. Life is good.

My question:
Is there a specific AWS service that is used to "send" the API request?
I'm assuming that the AWS Lambda service performs this action. But maybe not...

I need to create a firewall rule that (only) allows "Lambda servers" to pass-through my firewall.
If the destination IP = my WAN IP.
If the destination port = ##.

I found the following resource, that explains how to list all IPs owned by AWS.
https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html

Here is a quote from the reference guide:

service
The subset of IP address ranges. The addresses listed for API_GATEWAY are egress only.
Specify AMAZON to get all IP address ranges (meaning that every subset is also
in the AMAZON subset). However, some IP address ranges are only in the AMAZON subset
(meaning that they are not also available in another subset).

Type: String

Valid values:
AMAZON | AMAZON_CONNECT | API_GATEWAY | CLOUD9 | CLOUDFRONT |
CODEBUILD | DYNAMODB | EC2 | EC2_INSTANCE_CONNECT | GLOBALACCELERATOR |
ROUTE53 | ROUTE53_HEALTHCHECKS | S3 | WORKSPACES_GATEWAYS

As you can see, "Labda" isn't a valid (service) string value. I suppose I could allow any IP from the "us-east-1" AWS region. However this is (still) too permissive for my liking. (225 subnets) By comparison, if you specify "EC2" as the service, that narrows the list down to 82 subnets.

Thanks (in advance) for your helpful insight!

Answer 1

If you want to limit to a specific set of IPs (outside the AWS Public Zone) you will need to run your Lambda inside your VPC in a private subnet and then assign a NAT Gateway with an EIP.

See more: https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/