
Having things “in a VPC” doesn’t help unless you are just using AWS as a glorified colo. Once you start using AWS native services, many of which aren’t in a VPC, VPC isolation doesn’t help.

Each AWS account also has its own service limits and quotas. One out of control Lambda in the dev “environment” can impact production.

And you don’t have to open support tickets manually. There are APIs to request service limits and you can monitor the progress programmatically.
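To make the last point concrete, here is an added example (not code from anyone in the thread) that submits a quota increase through the Service Quotas API and polls the request to a terminal status, which is how you would script the "open a support ticket" step for a new account. The `request_service_quota_increase` and `get_requested_service_quota_change` calls and the `PENDING`/`CASE_OPENED`/`APPROVED`/`DENIED` status values are the real API's; the `FakeQuotaClient`, its request id, and the choice of the Lambda concurrent-executions quota (`L-B99A9384`, confirm it with `list_service_quotas` for your Region) are assumptions made for this illustration, so the polling logic can be exercised offline without an AWS account.

```python
"""Request an AWS Service Quotas increase and poll it until it settles.

Added example, not from the HN thread. The API call shapes are boto3's
service-quotas client; FakeQuotaClient is a constructed stand-in so the
logic runs offline.
"""
import time

# Status values of the RequestedServiceQuotaChange object in the Service Quotas API.
IN_PROGRESS = {"PENDING", "CASE_OPENED"}
TERMINAL = {"APPROVED", "DENIED", "CASE_CLOSED", "NOT_APPROVED", "INVALID_REQUEST"}


def request_increase(client, service_code, quota_code, desired_value):
    """Submit a quota increase and return (request_id, initial_status)."""
    resp = client.request_service_quota_increase(
        ServiceCode=service_code,
        QuotaCode=quota_code,
        DesiredValue=float(desired_value),
    )
    requested = resp["RequestedQuota"]
    return requested["Id"], requested["Status"]


def wait_for_request(client, request_id, poll_seconds=30, max_polls=20, sleep=time.sleep):
    """Poll until the request reaches a terminal status; return (status, desired_value).

    `sleep` is injectable so the loop can be driven without real delays.
    """
    for _ in range(max_polls):
        requested = client.get_requested_service_quota_change(RequestId=request_id)["RequestedQuota"]
        status = requested["Status"]
        if status in TERMINAL:
            return status, requested.get("DesiredValue")
        if status not in IN_PROGRESS:
            raise RuntimeError(f"unexpected status {status!r} for request {request_id}")
        sleep(poll_seconds)
    raise TimeoutError(f"request {request_id} still in progress after {max_polls} polls")


class FakeQuotaClient:
    """Constructed offline stand-in mimicking the two Service Quotas calls used above."""

    def __init__(self, statuses, request_id="constructed-request-id"):
        self._statuses = list(statuses)   # scripted sequence of poll results
        self._request_id = request_id     # constructed id, not a real AWS value
        self.desired_value = None

    def request_service_quota_increase(self, ServiceCode, QuotaCode, DesiredValue):
        self.desired_value = DesiredValue
        return {"RequestedQuota": {"Id": self._request_id, "Status": "PENDING",
                                   "ServiceCode": ServiceCode, "QuotaCode": QuotaCode,
                                   "DesiredValue": DesiredValue}}

    def get_requested_service_quota_change(self, RequestId):
        # Hand out the next scripted status; once only one is left, keep returning it.
        status = self._statuses.pop(0) if len(self._statuses) > 1 else self._statuses[0]
        return {"RequestedQuota": {"Id": RequestId, "Status": status,
                                   "DesiredValue": self.desired_value}}


if __name__ == "__main__":
    import boto3  # only imported when run directly against a real account
    sq = boto3.client("service-quotas")
    # Lambda concurrent executions; verify the quota code with list_service_quotas(ServiceCode="lambda").
    rid, first = request_increase(sq, "lambda", "L-B99A9384", 2000)
    print(f"submitted {rid}: {first}")
    print(wait_for_request(sq, rid))
```

Because every account has its own quotas, the same script runs once per account at provisioning time; treating a `DENIED` or `CASE_CLOSED` result as a hard failure in that pipeline is what keeps a dev account's noisy Lambda from ever competing with production for the same concurrency pool.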



I run into "IT professionals" all the time who don't even realize you can run services without a VPC.


Besides, every time you try to create a “least privileged role” to run infrastructure as code, that role has so many privileges it’s easy for mistakes to cause mistakes in your production “environment” that you meant to only affect your dev “environment”.

And I know I’m probably preaching to the choir. But one of the misconceptions I have to constantly fight is “we run our Lambdas in a VPC for security reasons”. (Lambdas are never “run in” a customer VPC)


Yes, I tried arguing with someone that it was actually more secure to run your Lambda without associating it with a VPC. If it doesn't need access to the VPC resources, it shouldn't be "run in" one. What can be more secure than having absolutely no access?


cfn_nag has this as a default security rule. So there’s one place to lay blame.



