
AWS Lambda EXCEPTION to no-card-on-file rule


User-approved, explicit, narrow exception to no-card-on-file. AWS Lambda is admitted as the 4th-rail fallback in the family's serverless chain.

Why this exception exists

The 4-rail fallback chain for serverless functions (2026-06-23 order):

  1. Cloudflare Worker (primary; 100K req/day, 10 ms CPU per invocation; no card)
  2. Deno Deploy (secondary; 1M req/mo, 15 CPU-h/mo, 350 GB-h memory; no card)
  3. AWS Lambda (tertiary; user-approved exception — 1M req/mo + 400K GB-sec/mo perpetual; card required)
  4. Render Free (quaternary; 750 inst-h/mo, 15-min idle spin-down; no card)

Order changed 2026-06-23: Lambda was 4th; promoted to 3rd because (a) no cold-sleep penalty (Render sleeps after 15 min idle), (b) Lambda 1M req/mo is the family's biggest free quota, (c) AWS infrastructure is genuinely uncorrelated with CF/Deno. Render stays in the chain as the truly-last-resort rail when even Lambda is unreachable (rare but possible — AWS region-wide outage).

Four independent rails give the family meaningful resilience for critical serverless paths. A possible 5th candidate (no-card alternative) is Koyeb's free instance (512 MB RAM / 0.1 vCPU / 2 GB SSD) — replacing Fly.io, which killed its free tier in 2024-2025.

The specific compromise

AWS account creation requires a valid payment method on both the Free Plan and the Paid Plan (AWS Free Tier FAQ Q10, verified 2026-06-23). This nominally violates no-card-on-file. The user has explicitly accepted this compromise because:

  1. Lambda quota is genuinely perpetual within an active AWS account. 1M req/mo + 400K GB-sec/mo is listed under "30+ Always Free services" — not a promotional 12-month trial.
  2. Charged $0 if staying inside the quota. No silent escalation, no quota-overflow charges if you architect for headroom (per never-hit-quotas).
  3. Spending alarms + budget caps + Service Quotas can be wired to harden against runaway. (Not bulletproof — see no-card-on-file on bill-shock incidents — but the 3rd-rail role limits exposure.)
  4. 3rd rail only. This is a fallback, not a primary. Traffic only reaches Lambda if rails 1-2 both fail simultaneously.

NEW 2026 trap — AWS Free Plan auto-closes after 6 months

AWS restructured the free tier in 2025-2026. New accounts now choose between:

To keep the Lambda perpetual free quota past month 6, the AWS account MUST be on the Paid Plan. This means:

Sources verified 2026-06-23:

Scope — Lambda ONLY

This exception does NOT extend to any other AWS service. Specifically EXCLUDED:

Enforcement

Hardening required when wiring Lambda

When/if Lambda is actually deployed as the 3rd rail:

  1. Sign up on the Paid Plan (NOT Free Plan) — Free Plan auto-closes at 6 months and you lose the perpetual quota. Paid Plan with $0 usage inside Always-Free quotas is still $0/mo.
  2. Budget alarm at $1/mo. AWS Budgets is free for the first two budgets. Wire SNS → email.
  3. Service Quotas set to floor (1M req/mo) — request quota DECREASE so even a runaway can't escape free tier.
  4. Reserved concurrency cap on every Lambda function (e.g., 10) to box in burst behaviour.
  5. CloudWatch billing alarm as backstop ($5 hard alarm, separate from budgets).
  6. Provisioned concurrency: NEVER. That's how the free tier breaks.
  7. Lambda@Edge: NEVER. Use CF Workers instead.
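
One way to check steps 2, 4, 5 and 6 of this list after deployment, as an added example (not part of the original rule file): an offline audit over dicts shaped like the boto3 responses of `get_function_concurrency`, `list_provisioned_concurrency_configs`, `describe_budgets` and `describe_alarms`. The function names, the budget name and the SNS ARN in the sample data are constructed.

```python
from decimal import Decimal

BUDGET_USD = Decimal("1")   # step 2: budget alarm at $1/mo
ALARM_USD = 5.0             # step 5: CloudWatch billing backstop at $5
MAX_RESERVED = 10           # step 4: the example cap given in the list

def audit(functions, budgets, alarms):
    """Return findings (empty list = compliant). Arguments are dicts shaped
    like boto3 responses: per function, get_function_concurrency and
    list_provisioned_concurrency_configs; then describe_budgets, describe_alarms."""
    findings = []
    for name, cfg in sorted(functions.items()):
        # The key is absent when no reserved concurrency is set on the function.
        reserved = cfg["concurrency"].get("ReservedConcurrentExecutions")
        if reserved is None:
            findings.append(f"{name}: no reserved concurrency cap")
        elif reserved > MAX_RESERVED:
            findings.append(f"{name}: reserved concurrency {reserved} exceeds {MAX_RESERVED}")
        if cfg["provisioned"].get("ProvisionedConcurrencyConfigs"):
            findings.append(f"{name}: provisioned concurrency is configured")
    if not any(b.get("BudgetType") == "COST" and b.get("TimeUnit") == "MONTHLY"
               and b["BudgetLimit"]["Unit"] == "USD"
               and Decimal(b["BudgetLimit"]["Amount"]) <= BUDGET_USD
               for b in budgets.get("Budgets", [])):
        findings.append("account: no monthly cost budget at or below $1")
    if not any(a.get("Namespace") == "AWS/Billing"
               and a.get("MetricName") == "EstimatedCharges"
               and a.get("Threshold", float("inf")) <= ALARM_USD
               and a.get("ActionsEnabled") and a.get("AlarmActions")
               for a in alarms.get("MetricAlarms", [])):
        findings.append("account: no active billing alarm at or below $5")
    return findings

# Constructed sample data (hypothetical function names, budget name and ARN).
SAMPLE_FUNCTIONS = {
    "fallback-api": {"concurrency": {"ReservedConcurrentExecutions": 10},
                     "provisioned": {"ProvisionedConcurrencyConfigs": []}},
    "fallback-cron": {"concurrency": {},
                      "provisioned": {"ProvisionedConcurrencyConfigs": [
                          {"RequestedProvisionedConcurrentExecutions": 2}]}},
}
SAMPLE_BUDGETS = {"Budgets": [{"BudgetName": "lambda-rail", "BudgetType": "COST",
                               "TimeUnit": "MONTHLY",
                               "BudgetLimit": {"Amount": "1.0", "Unit": "USD"}}]}
SAMPLE_ALARMS = {"MetricAlarms": [{
    "Namespace": "AWS/Billing", "MetricName": "EstimatedCharges",
    "Threshold": 20.0, "ActionsEnabled": True,
    "AlarmActions": ["arn:aws:sns:us-east-1:000000000000:billing"]}]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_FUNCTIONS, SAMPLE_BUDGETS, SAMPLE_ALARMS):
        print(finding)
```

When feeding it live data, query the billing alarm in us-east-1, which is where AWS publishes the `EstimatedCharges` metric.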

Why this is logged as a rule, not a one-off

This is a permanent, family-wide exception. Future agents reading no-card-on-file will see Lambda mentioned in free-hosting-providers/serverless-functions.md as KEEP-EXCEPTION rather than DROP, and need a rule file to trace the authority for that delta. This file is that authority.

If the user later revokes this exception, mark this file status: superseded with a pointer to the revoking conversation; do NOT delete it (audit trail).
