2 Comments
Peter Golledge

Use a VPC with a tunnel/route back to the corp DB, and connect the Lambda to the VPC. AWS has fine-grained controls, and you can set up CloudTrail to log "all current and future" functions to ensure you log all Lambda operations. FW logs at the corp side are quite usable, as the source IP is static.

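The comment above relies on two things a defender can actually check: the corp-side firewall sees one static source IP for Lambda traffic, and CloudTrail can be told to record data events for every Lambda function, present and future. The following script is an added example written for this thread; it is not the commenter's code or anything from AWS. It assumes a simple key=value firewall log format (real products differ) and a constructed Elastic IP, database port and log lines. It flags two conditions a firewall log review should surface: connections to the DB port allowed from a source other than the Lambda NAT address (the firewall rule is wider than the static IP), and Lambda traffic that the firewall denied (the route or rule is broken). It also builds the CloudTrail advanced event selector that matches all Lambda function data events, which is the "all current and future" setting.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed values for the example (hypothetical, not from the thread):
# the Elastic IP on the NAT gateway that VPC-attached Lambdas egress through,
# and the TCP port of the on-premises database.
LAMBDA_NAT_IP = "203.0.113.10"
CORP_DB_PORT = 5432

# Constructed firewall log lines in a simple key=value format.
SAMPLE_FW_LOG = """\
ts=2024-05-01T10:00:01Z action=allow src=203.0.113.10 dst=10.20.0.5 dport=5432 proto=tcp
ts=2024-05-01T10:00:07Z action=allow src=198.51.100.77 dst=10.20.0.5 dport=5432 proto=tcp
ts=2024-05-01T10:00:09Z action=deny src=198.51.100.78 dst=10.20.0.5 dport=5432 proto=tcp
ts=2024-05-01T10:00:12Z action=allow src=203.0.113.10 dst=10.20.0.9 dport=443 proto=tcp
ts=2024-05-01T10:00:15Z action=deny src=203.0.113.10 dst=10.20.0.5 dport=5432 proto=tcp
"""

_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict (unknown keys are kept as strings)."""
    return dict(_KV_RE.findall(line))


def review_db_access(log_text: str, allowed_sources: Iterable[str], db_port: int) -> Dict[str, List[Dict[str, str]]]:
    """Check DB-port traffic against the allow-listed static source IP(s).

    Returns two lists of parsed records:
      unexpected_allowed: allowed connections to db_port from a non-allow-listed source
      lambda_denied:      denied connections to db_port from an allow-listed source
    """
    allowed = {ipaddress.ip_address(a) for a in allowed_sources}
    unexpected_allowed: List[Dict[str, str]] = []
    lambda_denied: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        try:
            src = ipaddress.ip_address(rec["src"])
            dport = int(rec["dport"])
        except (KeyError, ValueError):
            continue  # malformed line: skip rather than guess
        if dport != db_port:
            continue
        if rec.get("action") == "allow" and src not in allowed:
            unexpected_allowed.append(rec)
        elif rec.get("action") == "deny" and src in allowed:
            lambda_denied.append(rec)
    return {"unexpected_allowed": unexpected_allowed, "lambda_denied": lambda_denied}


def cloudtrail_lambda_data_selector(name: str = "all-lambda-invocations") -> Dict[str, object]:
    """Advanced event selector that records data events for every Lambda function.

    Matching on resources.type alone (no ARN filter) covers functions created later,
    which is what "all current and future" means in the CloudTrail console.
    Pass it in the AdvancedEventSelectors list of CloudTrail PutEventSelectors.
    """
    return {
        "Name": name,
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": ["AWS::Lambda::Function"]},
        ],
    }


if __name__ == "__main__":
    report = review_db_access(SAMPLE_FW_LOG, [LAMBDA_NAT_IP], CORP_DB_PORT)
    for rec in report["unexpected_allowed"]:
        print(f"DB allowed from non-Lambda source {rec['src']} at {rec['ts']}: firewall rule too broad")
    for rec in report["lambda_denied"]:
        print(f"Lambda traffic from {rec['src']} denied at {rec['ts']}: route or rule broken")
    print(cloudtrail_lambda_data_selector())
```

Running it on the constructed sample reports one allowed DB connection from a source that is not the NAT address and one denied connection from the NAT address; both are conditions worth an alert, and the second is the kind that shows up as an outage before anyone reads the log.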
Keith Townsend (@CTOAdvisor)

So, that allows tracking and audit but not an active defense. I was able to find the official solution. https://aws.amazon.com/blogs/architecture/expose-aws-lambda-function-behind-static-ip-when-a-dns-cannot-be-managed/
