This is where you can get creative. Obviously, random code added to a function that sends data to a random IP address will look fishy to anyone who is familiar with the code and is taking another look at it. In that situation, there might not even be an indicators-of-compromise that a defender picked up on, but a developer happened to notice this weird code in the Lambda function and asked a question about it, which then get you caught. It would be even more obvious with the malicious code at the beginning of the entire function like we would want it, so nesting your payload somewhere in the code would help a little bit.
What about placing your payload somewhere that wouldn't change anything in the entry function (lambda_handler() ...