cfsgupdater Lambda that updates SGs with ingress only for current Cloudfront IPs This is a Go port/adaptation of an AWS Sample lambda. See: update_security_groups_lambda You should easily be able to adjust this example to fit your own needs.