Automatically update AWS security group egress to access S3

Yunoth
1 min read · Mar 21, 2019


1. Create a Lambda function with the Python script below. The script adds the new AWS S3 IP ranges to the security group's egress rules for port 443 and revokes the old S3 ranges.

2. Create an IAM Lambda execution role with the policy below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1553157038113",
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

3. Configure a Lambda trigger. AWS publishes a message to an SNS topic whenever its published IP address ranges change. Subscribe the Lambda function to the SNS topic below.

arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged
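The procedure above in working form, as an added example that is not the post's own script: the handler reads the AmazonIpSpaceChanged message, fetches ip-ranges.json from the URL in the message, checks the file against the MD5 the message carries, and then computes which tcp/443 egress CIDRs to add and which to revoke so the group allows exactly the current S3 ranges for its region. The security group ID is taken from a `SECURITY_GROUP_ID` environment variable (an assumption of this example), and the sample ip-ranges.json and security group records are constructed so the planning functions can be run without AWS access.

```python
import hashlib, json, os, urllib.request

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json (not real data)
SAMPLE_IP_RANGES = {"prefixes": [
    {"ip_prefix": "52.216.0.0/15", "region": "us-east-1", "service": "S3"},
    {"ip_prefix": "54.231.0.0/17", "region": "us-east-1", "service": "S3"},
    {"ip_prefix": "52.92.16.0/20", "region": "eu-west-1", "service": "S3"},
    {"ip_prefix": "3.5.140.0/22", "region": "us-east-1", "service": "AMAZON"},
]}
# Constructed describe_security_groups record: one still-valid S3 range, one stale one
SAMPLE_SG = {"GroupId": "sg-0123456789abcdef0", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "54.231.0.0/17"}, {"CidrIp": "52.219.0.0/16"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},  # unrelated rule, left alone
]}

def s3_cidrs(ip_ranges, region):
    """CIDRs tagged service=S3 in one region; the broader AMAZON entries are ignored."""
    return {p["ip_prefix"] for p in ip_ranges["prefixes"]
            if p["service"] == "S3" and p["region"] == region}

def current_egress_cidrs(sg):
    """CIDRs the group already allows outbound on tcp/443; other rules are not touched."""
    found = set()
    for perm in sg.get("IpPermissionsEgress", []):
        if perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == 443 == perm.get("ToPort"):
            found.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return found
def plan_changes(wanted, present):
    """(to_add, to_revoke) that makes the tcp/443 egress set equal to `wanted`."""
    return sorted(wanted - present), sorted(present - wanted)
def as_permissions(cidrs):
    return [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": c} for c in cidrs]}]

def lambda_handler(event, context):
    import boto3  # available in the Lambda runtime; imported late so the logic above runs anywhere
    msg = json.loads(event["Records"][0]["Sns"]["Message"])  # AmazonIpSpaceChanged payload
    body = urllib.request.urlopen(msg["url"]).read()
    if hashlib.md5(body).hexdigest() != msg["md5"]:  # the SNS message carries the file's MD5
        raise RuntimeError("ip-ranges.json hash mismatch; leaving egress rules unchanged")
    group_id, region = os.environ["SECURITY_GROUP_ID"], os.environ["AWS_REGION"]  # assumed env var
    ec2 = boto3.client("ec2")
    sg = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    to_add, to_revoke = plan_changes(s3_cidrs(json.loads(body), region), current_egress_cidrs(sg))
    if to_add:  # authorize before revoking so S3 stays reachable during the swap
        ec2.authorize_security_group_egress(GroupId=group_id, IpPermissions=as_permissions(to_add))
    if to_revoke:
        ec2.revoke_security_group_egress(GroupId=group_id, IpPermissions=as_permissions(to_revoke))
    return {"added": to_add, "revoked": to_revoke}
```

With the policy from step 2, the same role could edit any security group in the account; scoping `Resource` for the Authorize/Revoke actions to the one group's ARN keeps the function to least privilege.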

That’s it! All done. Your EC2 instance will now have access to S3 at any time.
