- Newest
- Most votes
- Most comments
First: Dynamically executing code submitted by users is a massive security risk. So think very carefully before you do that.
Given that the Lambda function is your code the easiest way to do this is to have a list of domains that are allowed to be connected to and parse the user code so that only those domains are allowed. That's not actually "easy" but it's probably the best solution.
If your Lambda function is not connected to a VPC then there is no way to filter the traffic from it. But if it is connected to a VPC then you could send traffic from the Lambda function via a firewall of some sort. However, in today's world most traffic is going to be encrypted; you can filter based on the SNI in the HTTPS connection header but doing this introduces a bunch of costs - firewalls, NAT Gateways, etc. So it's less expensive to go with the first option - parse the code.
First, Lambda doesn't have ways to limit the outbound traffic. You may be able to do that by attaching the functions to a VPC and then routing all traffic via some proxy that checks and limits the communication.
Saying that, and given that the you want to run your customer's code, there is an option to use deno. Deno is a secure runtime for JavaScript and TypeScript. When you invoke deno, you can specify which destinations it can communicate with. Using this approach your Lambda function will download your users' code and invoke deno as a separate processes, with the allowed list of destinations. You can also create a custom deno run-time instead.
Relevant content
- asked a year ago
- Accepted Answerasked 3 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago