Is it good practice to invoke AWS Lambda functions as a Service Catalog product?

I have a bunch of Lambda functions in my AWS account that are used for day-to-day internal operations, which should be invoked by only a particular group of users in my account. These functions should not be accessible from outside.

I have created a portfolio in AWS Service Catalog with these Lambda functions as separate products and granted access to the specific group, and everything works perfectly fine.

I was wondering if this is considered good practice.

There is 1 best solution below

Yes, you can do this with Service Catalog if you're using that service in general as a way of consuming services within your account. Alternatively, and probably the most common pattern you'll see out there, is doing it via IAM policies on the IAM users or roles that your users use to log into the Management Console.

I'm not quite sure what you mean by "These functions should not be accessible from outside.", as functions aren't accessible outside of the account by default, i.e. from someone not part of your AWS account. A function can only be invoked if there's an IAM role granting the principal the lambda:invoke action. That's an explicit action that someone needs to do for that policy to exist.

So yes, what you're doing is a viable option and there's another one as well; it all really depends on whether or not you're already invested in Service Catalog. I'd say if you're ONLY going to be using Service Catalog for this, the IAM option may be easier and more lightweight, but if you're already using SC then go with the route you've outlined.
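To check the "not accessible from outside" requirement directly, the sketch below (an added example, not part of the original answer) scans a function's resource-based policy, in the shape `aws lambda get-policy` returns in its Policy field, for Allow statements that let a principal outside the account invoke it. The account ids, role and function names, Sids and the policy itself are constructed sample values.

```python
import json

ACCOUNT_ID = "111122223333"  # constructed placeholder for your own account id

# Constructed sample policy; a real one comes from `aws lambda get-policy`.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "same-account-role", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/ops-invoker"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:111122223333:function:ops-task"},
        {"Sid": "other-account", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:111122223333:function:ops-task"},
        {"Sid": "anyone", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunctionUrl",
         "Resource": "arn:aws:lambda:us-east-1:111122223333:function:ops-task"},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Account id for an ARN or a bare 12-digit id; '*' stays '*'."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def external_invoke_grants(policy_json, account_id):
    """Return (Sid, principal, has_condition) for invoke grants outside account_id."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        invokes = any(a in ("*", "lambda:*") or a.startswith("lambda:invoke") for a in actions)
        if stmt.get("Effect") != "Allow" or not invokes:
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        # Service principals are out of scope here; only AWS principals are checked.
        for p in aws:
            if _account_of(p) != account_id:
                findings.append((stmt.get("Sid", "<no Sid>"), p, bool(stmt.get("Condition"))))
    return findings

if __name__ == "__main__":
    for sid, who, conditioned in external_invoke_grants(SAMPLE_POLICY, ACCOUNT_ID):
        print(f"external invoke grant: {sid} -> {who} (condition present: {conditioned})")
```

An empty result means no statement in the resource-based policy names an outside principal; a finding with a condition present still needs a manual read of that condition.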