A start-up firm has created 4 VPC’s – VPC-1, VPC-2, VPC-3 & VPC-4 for deploying its AWS resources. VPC-3 & VPC-4 are used for production environments while VPC-1 & VPC-2 are used for test environments. The Development Team needs to test a new serverless web application using AWS Lambda. IT Head wants you to ensure that Development team users only use VPC-1 & VPC-2 for Lambda functions & no resources are being used from VPC-3 & VPC-4.
Which of the following settings can be configured to meet this requirement?

Answer options:

A.Use IAM Condition keys to specify VPC to be used by Lambda function.
B.Specify VPC ID of VPC-1 & VPC-2 to be used as input parameters to the CreateFunction request.
C.Deny VPC ID of VPC-3 & VPC-4 to be denied as input parameter to the CreateFunction request.
D.Use IAM "aws:SourceVpce" to specify VPC to be used by Lambda function.

Correct Answer: A
AWS Lambda uses Condition keys to specify additional permission controls for the Lambda function. Following condition keys are supported in IAM policies.
a. lambda:VpcIds - To allow or deny specific VPC to be used by Lambda functions.
b. lambda: SubnetIds- To allow or deny a specific subnet in a VPC to be used by Lambda functions.
c. lambda:SecurityGroupIds- To allow or deny specific security groups to be used by Lambda functions.
Option B & C are incorrect as VPC ID cannot be specified or denied as an input parameter to the Lambda Function.
Option D is incorrect as "aws:SourceVpce" is not supported by Lambda Function.
For more information on specifying VPC for Lambda Function, refer to the following URL-
https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html