diff --git a/main.tf b/main.tf
index 2b1d6b24..754a9ea4 100644
--- a/main.tf
+++ b/main.tf
@@ -36,6 +36,7 @@ module "lambda_slack" {
   slack_new_emoji    = var.slack_new_emoji
   slack_username     = var.slack_username
   environment        = local.env
+  vpc_config         = var.vpc_config
 }
 
 module "lambda" {
@@ -57,6 +58,7 @@ module "lambda" {
   allowed_regions          = var.allowed_regions
   ip_time_limit            = var.ip_time_limit
   environment              = local.env
+  vpc_config               = var.vpc_config
 }
 
 module "lambda_accounts" {
@@ -115,6 +117,7 @@ module "lambda_scan" {
   hackerone_api_token      = var.hackerone_api_token
   environment              = local.env
   production_environment   = local.production_environment
+  vpc_config               = var.vpc_config
 }
 
 module "lambda_takeover" {
@@ -131,6 +134,7 @@ module "lambda_takeover" {
   sns_topic_arn     = module.sns.sns_topic_arn
   dlq_sns_topic_arn = module.sns_dead_letter_queue.sns_topic_arn
   environment       = local.env
+  vpc_config        = var.vpc_config
 }
 
 module "takeover_role" {
@@ -160,6 +164,7 @@ module "lambda_resources" {
   sns_topic_arn     = module.sns.sns_topic_arn
   dlq_sns_topic_arn = module.sns_dead_letter_queue.sns_topic_arn
   environment       = local.env
+  vpc_config        = var.vpc_config
 }
 
 module "resources_role" {
@@ -262,6 +267,7 @@ module "lambda_cloudflare" {
   hackerone                = var.hackerone
   hackerone_api_token      = var.hackerone_api_token
   environment              = local.env
+  vpc_config               = var.vpc_config
 }
 
 module "cloudflare_event" {
@@ -373,6 +379,7 @@ module "lambda_scan_ips" {
   hackerone                = var.hackerone
   hackerone_api_token      = var.hackerone_api_token
   environment              = local.env
+  vpc_config               = var.vpc_config
 }
 
 module "accounts_role_ips" {
@@ -408,6 +415,7 @@ module "lambda_accounts_ips" {
   dlq_sns_topic_arn        = module.sns_dead_letter_queue.sns_topic_arn
   state_machine_arn        = module.step_function_ips[0].state_machine_arn
   environment              = local.env
+  vpc_config               = var.vpc_config
 }
 
 module "accounts_event_ips" {
@@ -441,4 +449,5 @@ module "lamdba_stats" {
   security_audit_role_name = var.security_audit_role_name
   external_id              = var.external_id
   environment              = local.env
+  vpc_config               = var.vpc_config
 }
diff --git a/terraform-modules/lambda-cloudflare/main.tf b/terraform-modules/lambda-cloudflare/main.tf
index e88e8e2b..e23f5f8e 100644
--- a/terraform-modules/lambda-cloudflare/main.tf
+++ b/terraform-modules/lambda-cloudflare/main.tf
@@ -71,6 +71,14 @@ resource "aws_lambda_function" "lambda" {
   tracing_config {
     mode = "Active"
   }
+
+  dynamic "vpc_config" {
+    for_each = var.vpc_config != null ? [var.vpc_config] : []
+    content {
+      security_group_ids = vpc_config.value.security_group_ids
+      subnet_ids         = vpc_config.value.subnet_ids
+    }
+  }
 }
 
 resource "aws_lambda_alias" "lambda" {
diff --git a/terraform-modules/lambda-cloudflare/variables.tf b/terraform-modules/lambda-cloudflare/variables.tf
index 78eb1a71..7add939d 100644
--- a/terraform-modules/lambda-cloudflare/variables.tf
+++ b/terraform-modules/lambda-cloudflare/variables.tf
@@ -19,6 +19,18 @@ variable "bugcrowd_state" {}
 variable "hackerone" {}
 variable "hackerone_api_token" {}
 
+variable "vpc_config" {
+  type = object({
+    security_group_ids = list(string)
+    subnet_ids         = list(string)
+  })
+  description = <<EOF
+  Provide this to allow your function to access your VPC (if both 'subnet_ids' and 'security_group_ids' are empty then
+  vpc_config is considered to be empty or unset, see https://docs.aws.amazon.com/lambda/latest/dg/vpc.html for details).
+  EOF
+  default     = null
+}
+
 variable "state_machine_arn" {
   default = ""
 }
diff --git a/terraform-modules/lambda-resources/main.tf b/terraform-modules/lambda-resources/main.tf
index 10fcdf05..929678ba 100644
--- a/terraform-modules/lambda-resources/main.tf
+++ b/terraform-modules/lambda-resources/main.tf
@@ -45,6 +45,14 @@ resource "aws_lambda_function" "lambda" {
   tracing_config {
     mode = "Active"
   }
+
+  dynamic "vpc_config" {
+    for_each = var.vpc_config != null ? [var.vpc_config] : []
+    content {
+      security_group_ids = vpc_config.value.security_group_ids
+      subnet_ids         = vpc_config.value.subnet_ids
+    }
+  }
 }
 
 resource "aws_lambda_alias" "lambda" {
diff --git a/terraform-modules/lambda-resources/variables.tf b/terraform-modules/lambda-resources/variables.tf
index 0e5c88be..bde87f7b 100644
--- a/terraform-modules/lambda-resources/variables.tf
+++ b/terraform-modules/lambda-resources/variables.tf
@@ -7,6 +7,18 @@ variable "sns_topic_arn" {}
 variable "dlq_sns_topic_arn" {}
 variable "lambdas" {}
 
+variable "vpc_config" {
+  type = object({
+    security_group_ids = list(string)
+    subnet_ids         = list(string)
+  })
+  description = <<EOF
+  Provide this to allow your function to access your VPC (if both 'subnet_ids' and 'security_group_ids' are empty then
+  vpc_config is considered to be empty or unset, see https://docs.aws.amazon.com/lambda/latest/dg/vpc.html for details).
+  EOF
+  default     = null
+}
+
 variable "state_machine_arn" {
   default = ""
 }
diff --git a/terraform-modules/lambda-scan-ips/main.tf b/terraform-modules/lambda-scan-ips/main.tf
index 2909cb3a..0c01cffc 100644
--- a/terraform-modules/lambda-scan-ips/main.tf
+++ b/terraform-modules/lambda-scan-ips/main.tf
@@ -71,6 +71,14 @@ resource "aws_lambda_function" "lambda" {
   tracing_config {
     mode = "Active"
   }
+
+  dynamic "vpc_config" {
+    for_each = var.vpc_config != null ? [var.vpc_config] : []
+    content {
+      security_group_ids = vpc_config.value.security_group_ids
+      subnet_ids         = vpc_config.value.subnet_ids
+    }
+  }
 }
 
 resource "aws_lambda_alias" "lambda" {
diff --git a/terraform-modules/lambda-scan-ips/variables.tf b/terraform-modules/lambda-scan-ips/variables.tf
index b0cafd55..ebdbf761 100644
--- a/terraform-modules/lambda-scan-ips/variables.tf
+++ b/terraform-modules/lambda-scan-ips/variables.tf
@@ -20,6 +20,18 @@ variable "bugcrowd_state" {}
 variable "hackerone" {}
 variable "hackerone_api_token" {}
 
+variable "vpc_config" {
+  type = object({
+    security_group_ids = list(string)
+    subnet_ids         = list(string)
+  })
+  description = <<EOF
+  Provide this to allow your function to access your VPC (if both 'subnet_ids' and 'security_group_ids' are empty then
+  vpc_config is considered to be empty or unset, see https://docs.aws.amazon.com/lambda/latest/dg/vpc.html for details).
+  EOF
+  default     = null
+}
+
 variable "timeout" {
   description = "Amount of time your Lambda Function has to run in seconds"
   default     = 900
diff --git a/terraform-modules/lambda-scan/main.tf b/terraform-modules/lambda-scan/main.tf
index 4c72f035..065ff613 100644
--- a/terraform-modules/lambda-scan/main.tf
+++ b/terraform-modules/lambda-scan/main.tf
@@ -69,6 +69,14 @@ resource "aws_lambda_function" "lambda" {
   tracing_config {
     mode = "Active"
   }
+
+  dynamic "vpc_config" {
+    for_each = var.vpc_config != null ? [var.vpc_config] : []
+    content {
+      security_group_ids = vpc_config.value.security_group_ids
+      subnet_ids         = vpc_config.value.subnet_ids
+    }
+  }
 }
 
 resource "aws_lambda_alias" "lambda" {
diff --git a/terraform-modules/lambda-scan/variables.tf b/terraform-modules/lambda-scan/variables.tf
index f01ac674..3b65a96e 100644
--- a/terraform-modules/lambda-scan/variables.tf
+++ b/terraform-modules/lambda-scan/variables.tf
@@ -18,6 +18,18 @@ variable "bugcrowd_state" {}
 variable "hackerone" {}
 variable "hackerone_api_token" {}
 
+variable "vpc_config" {
+  type = object({
+    security_group_ids = list(string)
+    subnet_ids         = list(string)
+  })
+  description = <<EOF
+  Provide this to allow your function to access your VPC (if both 'subnet_ids' and 'security_group_ids' are empty then
+  vpc_config is considered to be empty or unset, see https://docs.aws.amazon.com/lambda/latest/dg/vpc.html for details).
+  EOF
+  default     = null
+}
+
 variable "timeout" {
   description = "Amount of time your Lambda Function has to run in seconds"
   default     = 900
diff --git a/terraform-modules/lambda-slack/main.tf b/terraform-modules/lambda-slack/main.tf
index fb08239a..6f4e415e 100644
--- a/terraform-modules/lambda-slack/main.tf
+++ b/terraform-modules/lambda-slack/main.tf
@@ -62,6 +62,14 @@ resource "aws_lambda_function" "lambda" {
   tracing_config {
     mode = "Active"
   }
+
+  dynamic "vpc_config" {
+    for_each = var.vpc_config != null ? [var.vpc_config] : []
+    content {
+      security_group_ids = vpc_config.value.security_group_ids
+      subnet_ids         = vpc_config.value.subnet_ids
+    }
+  }
 }
 
 resource "aws_lambda_alias" "lambda" {
diff --git a/terraform-modules/lambda-slack/variables.tf b/terraform-modules/lambda-slack/variables.tf
index 24c0ceee..f0c689e1 100644
--- a/terraform-modules/lambda-slack/variables.tf
+++ b/terraform-modules/lambda-slack/variables.tf
@@ -14,6 +14,18 @@ variable "slack_fix_emoji" {}
 variable "slack_new_emoji" {}
 variable "slack_username" {}
 
+variable "vpc_config" {
+  type = object({
+    security_group_ids = list(string)
+    subnet_ids         = list(string)
+  })
+  description = <<EOF
+  Provide this to allow your function to access your VPC (if both 'subnet_ids' and 'security_group_ids' are empty then
+  vpc_config is considered to be empty or unset, see https://docs.aws.amazon.com/lambda/latest/dg/vpc.html for details).
+  EOF
+  default     = null
+}
+
 variable "timeout" {
   description = "Amount of time your Lambda Function has to run in seconds"
   default     = 900
diff --git a/terraform-modules/lambda-stats/main.tf b/terraform-modules/lambda-stats/main.tf
index 6ba53a3a..27f62b56 100644
--- a/terraform-modules/lambda-stats/main.tf
+++ b/terraform-modules/lambda-stats/main.tf
@@ -58,6 +58,14 @@ resource "aws_lambda_function" "lambda" {
   tracing_config {
     mode = "Active"
   }
+
+  dynamic "vpc_config" {
+    for_each = var.vpc_config != null ? [var.vpc_config] : []
+    content {
+      security_group_ids = vpc_config.value.security_group_ids
+      subnet_ids         = vpc_config.value.subnet_ids
+    }
+  }
 }
 
 resource "aws_lambda_alias" "lambda" {
diff --git a/terraform-modules/lambda-stats/variables.tf b/terraform-modules/lambda-stats/variables.tf
index 4a91fd2d..0ee0c54d 100644
--- a/terraform-modules/lambda-stats/variables.tf
+++ b/terraform-modules/lambda-stats/variables.tf
@@ -11,6 +11,18 @@ variable "org_primary_account" {}
 variable "security_audit_role_name" {}
 variable "external_id" {}
 
+variable "vpc_config" {
+  type = object({
+    security_group_ids = list(string)
+    subnet_ids         = list(string)
+  })
+  description = <<EOF
+  Provide this to allow your function to access your VPC (if both 'subnet_ids' and 'security_group_ids' are empty then
+  vpc_config is considered to be empty or unset, see https://docs.aws.amazon.com/lambda/latest/dg/vpc.html for details).
+  EOF
+  default     = null
+}
+
 variable "timeout" {
   description = "Amount of time your Lambda Function has to run in seconds"
   default     = 900
diff --git a/terraform-modules/lambda-takeover/main.tf b/terraform-modules/lambda-takeover/main.tf
index d65272e3..fc458459 100644
--- a/terraform-modules/lambda-takeover/main.tf
+++ b/terraform-modules/lambda-takeover/main.tf
@@ -61,6 +61,14 @@ resource "aws_lambda_function" "lambda" {
   tracing_config {
     mode = "Active"
   }
+
+  dynamic "vpc_config" {
+    for_each = var.vpc_config != null ? [var.vpc_config] : []
+    content {
+      security_group_ids = vpc_config.value.security_group_ids
+      subnet_ids         = vpc_config.value.subnet_ids
+    }
+  }
 }
 
 resource "aws_lambda_alias" "lambda" {
diff --git a/terraform-modules/lambda-takeover/variables.tf b/terraform-modules/lambda-takeover/variables.tf
index bdfd2a28..76fc7198 100644
--- a/terraform-modules/lambda-takeover/variables.tf
+++ b/terraform-modules/lambda-takeover/variables.tf
@@ -7,6 +7,18 @@ variable "memory_size" {}
 variable "sns_topic_arn" {}
 variable "dlq_sns_topic_arn" {}
 
+variable "vpc_config" {
+  type = object({
+    security_group_ids = list(string)
+    subnet_ids         = list(string)
+  })
+  description = <<EOF
+  Provide this to allow your function to access your VPC (if both 'subnet_ids' and 'security_group_ids' are empty then
+  vpc_config is considered to be empty or unset, see https://docs.aws.amazon.com/lambda/latest/dg/vpc.html for details).
+  EOF
+  default     = null
+}
+
 variable "timeout" {
   description = "Amount of time your Lambda Function has to run in seconds"
   default     = 900
diff --git a/terraform-modules/lambda/main.tf b/terraform-modules/lambda/main.tf
index d54ccdf2..d73b7519 100644
--- a/terraform-modules/lambda/main.tf
+++ b/terraform-modules/lambda/main.tf
@@ -64,6 +64,14 @@ resource "aws_lambda_function" "lambda" {
   tracing_config {
     mode = "Active"
   }
+
+  dynamic "vpc_config" {
+    for_each = var.vpc_config != null ? [var.vpc_config] : []
+    content {
+      security_group_ids = vpc_config.value.security_group_ids
+      subnet_ids         = vpc_config.value.subnet_ids
+    }
+  }
 }
 
 resource "aws_lambda_alias" "lambda" {
diff --git a/terraform-modules/lambda/variables.tf b/terraform-modules/lambda/variables.tf
index 48ed2743..4601ff9c 100644
--- a/terraform-modules/lambda/variables.tf
+++ b/terraform-modules/lambda/variables.tf
@@ -13,6 +13,18 @@ variable "dlq_sns_topic_arn" {}
 variable "allowed_regions" {}
 variable "ip_time_limit" {}
 
+variable "vpc_config" {
+  type = object({
+    security_group_ids = list(string)
+    subnet_ids         = list(string)
+  })
+  description = <<EOF
+  Provide this to allow your function to access your VPC (if both 'subnet_ids' and 'security_group_ids' are empty then
+  vpc_config is considered to be empty or unset, see https://docs.aws.amazon.com/lambda/latest/dg/vpc.html for details).
+  EOF
+  default     = null
+}
+
 variable "timeout" {
   description = "Amount of time your Lambda Function has to run in seconds"
   default     = 900
diff --git a/variables.tf b/variables.tf
index 09aa079a..9c7dceca 100644
--- a/variables.tf
+++ b/variables.tf
@@ -281,3 +281,15 @@ variable "permissions_boundary_arn" {
   default     = null
   type        = string
 }
+
+variable "vpc_config" {
+  type = object({
+    security_group_ids = list(string)
+    subnet_ids         = list(string)
+  })
+  description = <<EOF
+  Provide this to allow your function to access your VPC (if both 'subnet_ids' and 'security_group_ids' are empty then
+  vpc_config is considered to be empty or unset, see https://docs.aws.amazon.com/lambda/latest/dg/vpc.html for details).
+  EOF
+  default     = null
+}