I followed this article to use Lambda and SNS to manage my Security Group for allowing traffic from CloudFront. After setting it up for multiple accounts, I noticed that the number of inbound rules in each account differs, with some having 50+ rules and others having 100+. However, the number of rules doesn't seem to correspond with the IP ranges.
I've already checked that the maximum number of rules per Security Group is 200 and that the Lambda function didn't time out. Has anyone else encountered this issue, or is it normal to have varying numbers of inbound rules for the same Security Group across different accounts?
Looking at the code for the Lambda function, I would expect them to be the same for every account. I thought they might be different depending on the region, but that doesn't appear to be the case.
HOWEVER, you no longer need to do this! The blog post you are following is from 2020, and as of Feb 2022 Amazon manages this list for you. All you have to do is add the managed prefix list com.amazonaws.global.cloudfront.origin-facing in a single rule in your security group.
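As an added example (not from the original post or the 2020 blog it references), here is what that single rule looks like in Terraform with the AWS provider: the AWS-managed prefix list is resolved by the name given in the answer above, and one ingress rule admits HTTPS only from CloudFront's origin-facing ranges. The `origin_security_group_id` variable and port 443 are assumptions; substitute your own security group and origin port.

```hcl
# Added example, not part of the original post: one security-group rule that
# allows HTTPS only from CloudFront's origin-facing IP ranges, using the
# AWS-managed prefix list instead of a Lambda/SNS updater.

variable "origin_security_group_id" {
  description = "ID of the security group attached to the origin (assumed, e.g. sg-0123456789abcdef0)"
  type        = string
}

# Look up the AWS-managed prefix list by name. AWS keeps its entries current,
# so the rule below never needs to be rewritten as CloudFront's ranges change.
data "aws_ec2_managed_prefix_list" "cloudfront_origin_facing" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

# A single rule referencing the prefix list replaces the per-CIDR rules the
# Lambda function used to create (the 50+/100+ rules described in the question).
resource "aws_vpc_security_group_ingress_rule" "https_from_cloudfront" {
  security_group_id = var.origin_security_group_id
  description       = "HTTPS from CloudFront edge locations only"
  ip_protocol       = "tcp"
  from_port         = 443 # assumed origin port; change to match your listener
  to_port           = 443
  prefix_list_id    = data.aws_ec2_managed_prefix_list.cloudfront_origin_facing.id
}

output "cloudfront_prefix_list_id" {
  description = "Prefix list ID (pl-...) that the ingress rule references"
  value       = data.aws_ec2_managed_prefix_list.cloudfront_origin_facing.id
}
```

Once this is applied, the per-CIDR rules the Lambda function created can be deleted; the security group should then contain one inbound rule whose source is the `pl-...` ID shown in the output, which you can confirm with `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<sg-id>`. Keeping the rule tied to the managed prefix list also removes the failure mode in the question, where a partial Lambda run leaves an origin exposed to a stale or incomplete set of CloudFront ranges.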