Lambda Function URL Public Access
Overview
This check identifies AWS Lambda functions that have a publicly accessible function URL. Lambda function URLs provide a dedicated HTTP endpoint to invoke your function directly. When configured without authentication, anyone on the internet can call your function.
A passing check means your Lambda function URLs require AWS IAM authentication before invocation.
Risk
Severity: High
If your Lambda function URL allows unauthenticated access:
- Data exposure: Attackers can invoke your function and potentially access sensitive data it processes or returns
- Unauthorized execution: Malicious actors can trigger your function's code, which may have permissions to access other AWS resources
- Cost impact: Attackers can repeatedly invoke your function, driving up your AWS bill
- Denial of service: High volumes of requests can exhaust your function's concurrency limits, blocking legitimate users
Remediation Steps
Prerequisites
You need permission to modify Lambda function configurations. Specifically, you need the lambda:UpdateFunctionUrlConfig permission.
Required IAM permissions
Your IAM user or role needs these permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:GetFunctionUrlConfig",
        "lambda:UpdateFunctionUrlConfig"
      ],
      "Resource": "arn:aws:lambda:us-east-1:<account-id>:function:<function-name>"
    }
  ]
}
```
Replace <account-id> with your AWS account ID and <function-name> with your function name (or use * for all functions).
AWS Console Method
- Open the AWS Lambda console
- Click Functions in the left sidebar
- Click on the function name that failed the check
- Select the Configuration tab
- Click Function URL in the left menu
- Click the Edit button
- Under Auth type, select AWS_IAM
- Click Save
Your function URL now requires IAM authentication. Callers must sign their requests using AWS Signature Version 4.
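Because enabling AWS_IAM means every caller must now produce a Signature Version 4 signature, the following added example (not part of the original check documentation or of Prowler) shows what a caller has to compute, using only the Python standard library. The credentials, function URL and fixed timestamp are constructed placeholders; in practice you would take credentials from your usual AWS credential source. It assumes the request path contains only unreserved characters (plain paths like `/` or `/items`), so single URI encoding suffices.

```python
import datetime
import hashlib
import hmac
import json
import urllib.request
from urllib.parse import parse_qsl, quote, urlparse

SERVICE = "lambda"  # function URL requests are signed against the Lambda service name


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """SigV4 key derivation chain: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, SERVICE)
    return _hmac_sha256(k_service, "aws4_request")


def sigv4_headers(method, url, region, access_key, secret_key,
                  body=b"", session_token=None, amz_date=None):
    """Return the headers a caller must send to an IAM-authenticated function URL.

    amz_date is injectable so the result is reproducible; leave it None for real calls.
    """
    parsed = urlparse(url)
    # Assumption: path has only unreserved characters (no double-encoding needed).
    canonical_uri = quote(parsed.path or "/", safe="/-_.~")
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(parse_qsl(parsed.query, keep_blank_values=True))
    )
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    payload_hash = hashlib.sha256(body).hexdigest()

    headers = {"host": parsed.netloc, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    if session_token:  # temporary credentials (STS, assumed roles) must also send their token
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))

    canonical_request = "\n".join(
        [method, canonical_uri, canonical_query, canonical_headers, signed_headers, payload_hash]
    )
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()]
    )
    signature = hmac.new(derive_signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    out = {k: v for k, v in headers.items() if k != "host"}  # urllib sets Host itself
    out["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                            f"SignedHeaders={signed_headers}, Signature={signature}")
    return out


def invoke_function_url(url, region, access_key, secret_key, payload=None, session_token=None):
    """Send a signed GET (no payload) or JSON POST to the function URL; returns (status, body)."""
    body = json.dumps(payload).encode("utf-8") if payload is not None else b""
    method = "POST" if payload is not None else "GET"
    headers = sigv4_headers(method, url, region, access_key, secret_key, body, session_token)
    if body:
        headers["Content-Type"] = "application/json"  # unsigned header, allowed by SigV4
    req = urllib.request.Request(url, data=body or None, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8")


# Constructed placeholder values for a dry run; nothing here is a real credential.
EXAMPLE_URL = "https://abcdefg1234567.lambda-url.us-east-1.on.aws/"
EXAMPLE_ACCESS_KEY = "AKIAEXAMPLEKEY000000"
EXAMPLE_SECRET_KEY = "EXAMPLESECRETKEYNOTREAL"
```

Calling `sigv4_headers("GET", EXAMPLE_URL, "us-east-1", EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY)` yields the `x-amz-date`, `x-amz-content-sha256` and `Authorization` headers a caller attaches; an unsigned request to the same URL is rejected with a 403 once the auth type is AWS_IAM, which is the behaviour the check wants. The signing key is derived per day, region and service, so a leaked signature cannot be replayed against another service or region.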
AWS CLI (optional)
Run the following command to require IAM authentication on a function URL:
```bash
aws lambda update-function-url-config \
  --function-name <your-function-name> \
  --auth-type AWS_IAM \
  --region us-east-1
```
Replace <your-function-name> with your Lambda function's name.
Example output:
```json
{
  "FunctionUrl": "https://abcdefg1234567.lambda-url.us-east-1.on.aws/",
  "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:my-function",
  "AuthType": "AWS_IAM",
  "CreationTime": "2024-01-15T10:30:00.000000Z",
  "LastModifiedTime": "2024-01-20T14:45:00.000000Z"
}
```
CloudFormation (optional)
Use the AWS::Lambda::Url resource with AuthType set to AWS_IAM:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Lambda function with secure function URL
Parameters:
  FunctionName:
    Type: String
    Description: Name of the Lambda function
Resources:
  LambdaFunctionUrl:
    Type: AWS::Lambda::Url
    Properties:
      AuthType: AWS_IAM
      TargetFunctionArn: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${FunctionName}'
      Cors:
        AllowOrigins:
          - 'https://example.com'
        AllowMethods:
          - GET
          - POST
        AllowHeaders:
          - Content-Type
Outputs:
  FunctionUrlEndpoint:
    Description: The function URL endpoint
    Value: !GetAtt LambdaFunctionUrl.FunctionUrl
```
To update an existing stack:
```bash
aws cloudformation update-stack \
  --stack-name <your-stack-name> \
  --template-body file://template.yaml \
  --parameters ParameterKey=FunctionName,ParameterValue=<your-function-name> \
  --region us-east-1
```
Terraform (optional)
Use the aws_lambda_function_url resource with authorization_type set to AWS_IAM:
```hcl
resource "aws_lambda_function_url" "secure_url" {
  function_name      = "<your-function-name>"
  authorization_type = "AWS_IAM"

  cors {
    allow_origins = ["https://example.com"]
    allow_methods = ["GET", "POST"]
    allow_headers = ["Content-Type"]
  }
}

output "function_url" {
  description = "The Lambda function URL endpoint"
  value       = aws_lambda_function_url.secure_url.function_url
}
```
Apply the configuration:
```bash
terraform plan
terraform apply
```
Verification
After making changes, confirm the fix worked:
- In the Lambda console, go to your function
- Click Configuration > Function URL
- Verify that Auth type shows AWS_IAM
Verify with AWS CLI
```bash
aws lambda get-function-url-config \
  --function-name <your-function-name> \
  --region us-east-1
```
Confirm the output shows "AuthType": "AWS_IAM".
You can also re-run the Prowler check:
```bash
prowler aws --check awslambda_function_url_public --region us-east-1
```
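The console and CLI steps above verify one function at a time. The following added script (written for this page, not Prowler's own check code) does the equivalent across every function in a region with boto3: it lists functions, fetches each function URL configuration, flags any whose auth type is not AWS_IAM, and can optionally apply the same `update-function-url-config` change. The sample configurations at the bottom are constructed to look like `get-function-url-config` output so the flagging logic can be exercised without AWS access; the account ID and function names in them are placeholders.

```python
import sys
from typing import Dict, Iterable, List


def public_function_urls(url_configs: Iterable[Dict]) -> List[str]:
    """Return the FunctionArn of every URL config that does not require IAM auth.

    Anything other than AWS_IAM (i.e. NONE, or a missing field) is treated as
    public, which is the fail-safe reading and matches what the check flags.
    """
    return [c["FunctionArn"] for c in url_configs if c.get("AuthType") != "AWS_IAM"]


def fetch_function_url_configs(region: str) -> List[Dict]:
    """Collect the URL config of each function in the region.

    Needs lambda:ListFunctions and lambda:GetFunctionUrlConfig.
    """
    import boto3  # imported here so the pure logic above runs without boto3 installed

    client = boto3.client("lambda", region_name=region)
    configs: List[Dict] = []
    for page in client.get_paginator("list_functions").paginate():
        for fn in page["Functions"]:
            try:
                configs.append(client.get_function_url_config(FunctionName=fn["FunctionName"]))
            except client.exceptions.ResourceNotFoundException:
                continue  # function has no URL at all: nothing to check
    return configs


def require_iam_auth(region: str, function_arns: Iterable[str], dry_run: bool = True) -> List[str]:
    """Switch each listed function URL to AWS_IAM (needs lambda:UpdateFunctionUrlConfig).

    With dry_run=True nothing is changed and no AWS call is made; the return value
    lists what would be updated.
    """
    client = None
    if not dry_run:
        import boto3

        client = boto3.client("lambda", region_name=region)
    changed = []
    for arn in function_arns:
        if client is not None:
            client.update_function_url_config(FunctionName=arn, AuthType="AWS_IAM")
        changed.append(arn)
    return changed


# Constructed sample data shaped like get-function-url-config responses (placeholders only).
SAMPLE_URL_CONFIGS = [
    {
        "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:public-webhook",
        "FunctionUrl": "https://aaaaaaaaaaaaaaa.lambda-url.us-east-1.on.aws/",
        "AuthType": "NONE",
    },
    {
        "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:my-function",
        "FunctionUrl": "https://abcdefg1234567.lambda-url.us-east-1.on.aws/",
        "AuthType": "AWS_IAM",
    },
]


if __name__ == "__main__":
    # usage: python audit_function_urls.py [region] [--fix]
    region = next((a for a in sys.argv[1:] if not a.startswith("--")), "us-east-1")
    fix = "--fix" in sys.argv
    exposed = public_function_urls(fetch_function_url_configs(region))
    for arn in exposed:
        print(f"PUBLIC function URL: {arn}")
    if exposed and fix:
        for arn in require_iam_auth(region, exposed, dry_run=False):
            print(f"now AWS_IAM: {arn}")
    sys.exit(1 if exposed else 0)
```

The script exits non-zero when any public URL remains, so it can sit in a pipeline next to the Prowler check. Run it once without `--fix` to review the list before changing anything; as the Notes below explain, existing unauthenticated callers stop working the moment the auth type changes.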
Additional Resources
- AWS Lambda function URLs documentation
- Security and auth model for Lambda function URLs
- Signing requests with AWS Signature Version 4
- AWS Lambda security best practices
Notes
- Existing callers will break: After enabling IAM authentication, any application or user calling your function URL must sign requests with valid AWS credentials. Update your callers before or immediately after making this change.
- Grant invoke permissions: To allow specific IAM users or roles to invoke the function URL, you need to add a resource-based policy. Example:
  ```bash
  aws lambda add-permission \
    --function-name <your-function-name> \
    --statement-id AllowSpecificRole \
    --action lambda:InvokeFunctionUrl \
    --principal arn:aws:iam::<account-id>:role/<role-name> \
    --function-url-auth-type AWS_IAM \
    --region us-east-1
  ```
- CORS considerations: If your function URL is called from a web browser, you may need to configure CORS settings to allow requests from your web application's domain.
- Alternative: Delete the function URL: If you do not need the function URL at all, consider deleting it entirely instead of just securing it. This eliminates the attack surface completely.