Lambda public function URL
Check ID: aws-lambda-001
AWS-LAMBDA-001 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. Checks for Lambda functions with public function URLs (AuthType=NONE), allowing anyone on the internet to invoke them.
Why it matters
Lambda function URLs with AuthType=NONE are public HTTPS endpoints: anyone who knows the URL can invoke the function without credentials. The hostname follows a fixed pattern (https://URL_ID.lambda-url.REGION.on.aws) where URL_ID is a randomly generated string, so an endpoint is not practical to guess outright, but the URL is rarely a secret for long: it ends up in front-end JavaScript, repositories, logs, documentation and third-party webhook configurations, and once known it can be invoked by anyone, from anywhere, at any rate. An exposed function can be used for data exfiltration, reconnaissance of the VPC it runs in, or as free compute for attacks, all billed to your account. In 2023, researchers from Aqua Security discovered thousands of publicly exposed Lambda URLs, many connected to internal databases and AWS services. Use the AWS_IAM auth type (callers must SigV4-sign requests and hold lambda:InvokeFunctionUrl on the function) or place an API Gateway with an authorizer in front of the function. Note that the auth type is only half of the configuration: unauthenticated invocation also requires a resource-based policy statement granting lambda:InvokeFunctionUrl to principal "*", which the console adds automatically when you choose NONE, and a URL with AuthType=AWS_IAM whose policy grants lambda:InvokeFunctionUrl to "*" without a condition is callable by any AWS principal in any account, which is public for practical purposes.
Common causes
Public function URLs are created when developers need a quick HTTP endpoint for webhooks or testing and choose AuthType=NONE to avoid configuring IAM authentication or SigV4 signing on the client. Teams prototyping integrations with third-party services use unauthenticated URLs for simplicity and forget to add authentication before production deployment. Some engineers are unaware that a function URL with AuthType=NONE is reachable by anyone on the internet, with no throttling beyond the account's concurrency limits.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
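The logic such a check has to implement, written here as an added example (this is not cloud-audit's own code): for every function, read the function URL config's AuthType and the function's resource-based policy, flag AuthType=NONE, and also flag the case the auth type alone hides, a URL on AWS_IAM whose policy still grants lambda:InvokeFunctionUrl to "*" without a condition. evaluate() is a pure function that runs offline on constructed sample policies; scan_region() wraps it in the real boto3 calls (list_functions, get_function_url_config, get_policy) and is the only part that needs credentials. The sample policy documents, account ID and function name below are constructed for the example.

```python
"""Added example, not cloud-audit's code: the logic behind a public-function-URL
check. evaluate() is pure and runs offline; scan_region() needs boto3 + credentials."""
import json
from typing import List, Optional, Tuple

# Actions that cover lambda:InvokeFunctionUrl in a resource-based policy.
INVOKE_URL_ACTIONS = {"lambda:InvokeFunctionUrl", "lambda:*", "*"}


def _as_list(value) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal) -> bool:
    """True for Principal: "*" or Principal: {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _scoped_to_none_auth(stmt: dict) -> bool:
    """True when StringEquals pins lambda:FunctionUrlAuthType to NONE. Lambda adds
    exactly this condition to the statement it creates for a NONE URL, so that
    statement no longer matches once the URL is switched to AWS_IAM."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator.lower() == "stringequals":
            values = _as_list(pairs.get("lambda:FunctionUrlAuthType"))
            if values and all(v == "NONE" for v in values):
                return True
    return False


def public_invoke_statements(policy_doc: Optional[str]) -> List[dict]:
    """Allow statements that grant lambda:InvokeFunctionUrl to everyone."""
    if not policy_doc:
        return []
    hits = []
    for stmt in _as_list(json.loads(policy_doc).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not INVOKE_URL_ACTIONS & set(_as_list(stmt.get("Action"))):
            continue
        if _principal_is_everyone(stmt.get("Principal")):
            hits.append(stmt)
    return hits


def evaluate(auth_type: Optional[str], policy_doc: Optional[str]) -> Optional[str]:
    """Return a finding message, or None. auth_type is GetFunctionUrlConfig().AuthType
    (None = no URL configured); policy_doc is GetPolicy().Policy (None = no policy)."""
    if auth_type is None:
        return None
    public = public_invoke_statements(policy_doc)
    if auth_type == "NONE":
        if public:
            return "public function URL: AuthType=NONE and policy grants lambda:InvokeFunctionUrl to *"
        # Without the * grant Lambda answers 403, but the URL is one add-permission
        # call away from public, so AuthType=NONE is still reported.
        return "function URL has AuthType=NONE (no public grant in policy yet)"
    # AWS_IAM: a * grant not pinned to AuthType NONE admits any signed request
    # from any AWS account, which is public for practical purposes.
    if any(not _scoped_to_none_auth(s) for s in public):
        return "AuthType=AWS_IAM but resource policy grants lambda:InvokeFunctionUrl to any AWS principal"
    return None


def scan_region(region: str) -> List[Tuple[str, str, str]]:
    """Check every function in one region (needs boto3 and AWS credentials)."""
    import boto3
    from botocore.exceptions import ClientError

    lam = boto3.client("lambda", region_name=region)
    findings = []
    for page in lam.get_paginator("list_functions").paginate():
        for fn in page["Functions"]:
            name = fn["FunctionName"]
            try:
                auth_type = lam.get_function_url_config(FunctionName=name)["AuthType"]
            except ClientError as err:  # most functions have no URL at all
                if err.response["Error"]["Code"] == "ResourceNotFoundException":
                    continue
                raise
            try:
                policy = lam.get_policy(FunctionName=name)["Policy"]
            except ClientError as err:  # no resource-based policy attached
                if err.response["Error"]["Code"] != "ResourceNotFoundException":
                    raise
                policy = None
            msg = evaluate(auth_type, policy)
            if msg:
                findings.append((region, name, msg))
    return findings


# Constructed sample policies (example account ID and function name). The first is
# the statement the Lambda console adds when a URL is created with AuthType=NONE.
CONSOLE_NONE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "FunctionURLAllowPublicAccess", "Effect": "Allow", "Principal": "*",
    "Action": "lambda:InvokeFunctionUrl",
    "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example",
    "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}}]})
ANY_AWS_PRINCIPAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "lambda:InvokeFunctionUrl",
    "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example"}]})
```

Calling evaluate("AWS_IAM", CONSOLE_NONE_POLICY) returns None because the console's statement is conditioned on AuthType NONE and stops matching after the switch to AWS_IAM, while evaluate("AWS_IAM", ANY_AWS_PRINCIPAL_POLICY) is still a finding; scan_region("us-east-1") runs the same classification over a live account.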
Remediation: AWS CLI
# Remove the public function URL:
aws lambda delete-function-url-config --function-name FUNCTION_NAME --region REGION
# Or switch to IAM auth:
aws lambda update-function-url-config --function-name FUNCTION_NAME --auth-type AWS_IAM --region REGION
# Either way, also remove the resource-based policy statement that grants lambda:InvokeFunctionUrl to "*" if one is present
# (the statement the console creates for a NONE URL is named FunctionURLAllowPublicAccess; check with aws lambda get-policy):
aws lambda remove-permission --function-name FUNCTION_NAME --statement-id FunctionURLAllowPublicAccess --region REGION
Remediation: Terraform
resource "aws_lambda_function_url" "fn" {
  function_name      = "function-name"
  authorization_type = "AWS_IAM"
}
# Also remove any aws_lambda_permission for this function with action "lambda:InvokeFunctionUrl",
# principal "*" and function_url_auth_type = "NONE"; that resource is what makes the URL public.
This check is part of cloud-audit - install with pip install cloud-audit
Related article
AWS Security Audit: 17 Issues in Every Account →