79289235

Date: 2024-12-17 20:09:26
Score: 2

The best approach is to use API Gateway, and sit the Lambdas behind specific routes (I’m guessing you’re using the direct Lambda invoke URLs at the moment?). Allow the Lambda to be invoked by the API Gateway (not the caller) IAM credentials.

Then you can neatly put an access policy in front of the various routes. So prod routes all have allow all, and dev routes you can allow by IP, header value, etc. As the block happens in front of APIG, you won’t get charged: https://stackoverflow.com/a/74674307/5746996

Reasons:
  • Blacklisted phrase (1): stackoverflow
  • No code block (0.5):
  • Contains question mark (0.5):
Posted by: Tobin
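
An added example, not part of the original answer: a sketch of the kind of API Gateway resource policy the answer describes, with `/prod/*` open to every caller and `/dev/*` restricted by source IP. Assumptions: a REST API (the API type that supports resource policies), a stage named `live`, route prefixes `/prod` and `/dev`, and a placeholder account ID, API ID and CIDR; `decide` is a simplified local model for checking the policy's intent, not AWS's own evaluation engine.

```python
import fnmatch
import ipaddress

ACTION = "execute-api:Invoke"

def build_policy(api_arn, stage, dev_cidrs):
    """Resource policy: allow all callers on /prod/*, only dev_cidrs on /dev/*."""
    def res(prefix):
        # execute-api ARN layout: api-arn/stage/HTTP-VERB/resource-path
        return f"{api_arn}/{stage}/*/{prefix}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": ACTION,
             "Resource": [res("prod"), res("dev")]},
            # Explicit deny for dev routes when the caller is outside the CIDRs.
            {"Effect": "Deny", "Principal": "*", "Action": ACTION,
             "Resource": res("dev"),
             "Condition": {"NotIpAddress": {"aws:SourceIp": dev_cidrs}}},
        ],
    }

def _matches(stmt, resource, source_ip):
    resources = stmt["Resource"]
    if isinstance(resources, str):
        resources = [resources]
    if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
        return False
    cidrs = stmt.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp")
    if cidrs is None:
        return True  # unconditional statement
    ip = ipaddress.ip_address(source_ip)
    return not any(ip in ipaddress.ip_network(c) for c in cidrs)

def decide(policy, resource, source_ip):
    """Simplified model: explicit Deny wins, then Allow, else implicit deny."""
    hits = [s["Effect"] for s in policy["Statement"]
            if _matches(s, resource, source_ip)]
    if "Deny" in hits:
        return "Deny"
    return "Allow" if "Allow" in hits else "ImplicitDeny"

# Constructed placeholder values, not taken from the original post.
API_ARN = "arn:aws:execute-api:eu-west-1:111122223333:a1b2c3d4e5"
POLICY = build_policy(API_ARN, "live", ["203.0.113.0/24"])
```

The Lambda functions behind these routes still need a resource-based permission that lets `apigateway.amazonaws.com` invoke them, so callers cannot bypass the policy by invoking the functions directly.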