
Check Lambda Function URL Not in Use

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Lambda-011

Check whether your Amazon Lambda functions are configured with function URLs for HTTP(S) endpoints. A function URL creates a direct HTTP(S) endpoint to your function and this may pose a security risk depending on the security configuration and intention of the function.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

A function URL is a dedicated HTTP(S) endpoint created for your Amazon Lambda function. You can use a function URL to invoke your Lambda function through a browser, curl, Postman, or an HTTP client. However, a function URL should be used with caution, and should only be applied on functions with relevant and secure access control, otherwise you risk exposing your application to the public.


Audit

To determine if your Amazon Lambda functions are configured to use function URLs, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the function that you want to examine.

05 Select the Configuration tab and choose Function URL from the left menu.

06 In the Function URL section, check the Function URL attribute value. If there is no Function URL attribute available in this section, the verified Lambda function is not using function URLs. If the Function URL attribute is available and its value contains a URL such as https://<identifier>.lambda-url.<aws-region>.on.aws/, the selected Amazon Lambda function is configured to use function URLs for HTTP(S) endpoints.

07 Repeat steps no. 4 – 6 for each Lambda function available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-functions command (OSX/Linux/UNIX) to list the names of all the Amazon Lambda functions available in the selected AWS region:

aws lambda list-functions \
  --region us-east-1 \
  --output table \
  --query 'Functions[*].FunctionName'

02 The command output should return a table with the requested function name(s):

--------------------------
|      ListFunctions     |
+------------------------+
|  cc-process-app-queue  |
|  cc-export-user-data   |
|  cc-get-s3-log-data    |
+------------------------+

03 Run list-function-url-configs command (OSX/Linux/UNIX) using the name of the Amazon Lambda function that you want to examine as the identifier parameter and custom query filters to describe the function URL configured for the selected Lambda function:

aws lambda list-function-url-configs \
  --region us-east-1 \
  --function-name cc-process-app-queue \
  --query 'FunctionUrlConfigs[*].FunctionUrl'

04 The command output should return the configured function URL:

[
  "https://abcd1234abcd1234abcd1234abcd1234.lambda-url.us-east-1.on.aws/"
]

If the list-function-url-configs command output returns an empty array, i.e. [], the verified Lambda function is not using function URLs. If the command output returns a URL such as https://<identifier>.lambda-url.<aws-region>.on.aws/, as shown in the example above, the selected Amazon Lambda function is configured to use function URLs for HTTP(S) endpoints.

05 Repeat steps no. 3 and 4 for each Lambda function available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.
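The Audit steps above, carried out as a script, as an added example that is not part of the original Conformity page or of AWS tooling. The evaluation logic works on the JSON shape that list-function-url-configs returns (FunctionUrlConfigs with FunctionUrl and AuthType, the fields shown in this page's command output), so it can be exercised offline on the constructed sample; the audit_region helper is the live variant and assumes boto3 and AWS credentials are available.

```python
"""Audit logic for Conformity rule Lambda-011 (added example, not Trend Micro's
or AWS's code). Any function URL is a finding; AuthType NONE is flagged as an
unauthenticated endpoint, AWS_IAM as the Case B remediated state."""
import json

# Constructed sample (not captured output): what list-function-url-configs
# would return for the three function names used on this page.
SAMPLE_URL_CONFIGS = {
    "cc-process-app-queue": {"FunctionUrlConfigs": [{
        "FunctionUrl": "https://abcd1234abcd1234abcd1234abcd1234.lambda-url.us-east-1.on.aws/",
        "AuthType": "NONE"}]},
    "cc-export-user-data": {"FunctionUrlConfigs": [{
        "FunctionUrl": "https://ffff0000ffff0000ffff0000ffff0000.lambda-url.us-east-1.on.aws/",
        "AuthType": "AWS_IAM"}]},
    "cc-get-s3-log-data": {"FunctionUrlConfigs": []},  # no URL: compliant
}

def evaluate(function_name, url_configs):
    """Return one finding per function from a list-function-url-configs result."""
    configs = url_configs.get("FunctionUrlConfigs", [])
    if not configs:
        return {"function": function_name, "compliant": True, "urls": []}
    urls = []
    for cfg in configs:
        auth = cfg.get("AuthType", "NONE")
        urls.append({
            "url": cfg.get("FunctionUrl"),
            "auth_type": auth,
            "unauthenticated": auth == "NONE",
            # Case A removes the URL entirely; Case B keeps it behind IAM auth.
            "remediation": ("Case A: delete-function-url-config, or Case B: "
                            "update-function-url-config --auth-type AWS_IAM")
                           if auth == "NONE" else
                           "Case A: delete-function-url-config if the URL is not needed",
        })
    return {"function": function_name, "compliant": False, "urls": urls}

def audit_offline(sample=SAMPLE_URL_CONFIGS):
    """Evaluate the constructed sample; this is what the test exercises."""
    return [evaluate(name, cfg) for name, cfg in sample.items()]

def audit_region(region):
    """Live variant of Audit steps 1-5 for one region (assumes boto3 + credentials)."""
    import boto3
    client = boto3.client("lambda", region_name=region)
    findings = []
    for page in client.get_paginator("list_functions").paginate():
        for fn in page["Functions"]:
            cfgs = client.list_function_url_configs(FunctionName=fn["FunctionName"])
            findings.append(evaluate(fn["FunctionName"], cfgs))
    return findings

if __name__ == "__main__":
    print(json.dumps(audit_offline(), indent=2))
```

To cover step 6, call audit_region once per region name and concatenate the results.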

Remediation / Resolution

Case A: To disable function URLs for your Amazon Lambda functions in order to prevent unauthenticated access via URLs, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the function that you want to reconfigure.

05 Select the Configuration tab and choose Function URL from the left menu.

06 In the Function URL section, choose Delete to remove the existing function URL from the selected Amazon Lambda function.

07 In the Delete function URL confirmation box, enter delete in the text input field to confirm the deletion of the function URL.

08 Repeat steps no. 4 – 7 to disable the function URL for each Amazon Lambda function available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for the other regions.

Using AWS CLI

01 Run delete-function-url-config command (OSX/Linux/UNIX) to remove the existing function URL from the selected Amazon Lambda function (the command does not produce an output):

aws lambda delete-function-url-config \
  --region us-east-1 \
  --function-name cc-process-app-queue

02 Repeat step no. 1 to disable the function URL for each Amazon Lambda function available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 and 2 to perform the Remediation process for other regions.

Case B: To reconfigure the function URLs created for your Amazon Lambda functions in order to use IAM authentication, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the function that you want to reconfigure.

05 Select the Configuration tab and choose Function URL from the left menu.

06 In the Function URL section, choose Edit to modify the function URL configuration defined for the selected Amazon Lambda function.

07 On the Configure Function URL configuration page, perform the following actions:

  1. Choose AWS_IAM for the Auth type to allow only authenticated AWS IAM users and roles to make requests to the function URL.
  2. To control access to your function URL from other origins, select the Configure cross-origin resource sharing (CORS) checkbox. Once the CORS feature is enabled, define the origins that can access your function URL, the headers that you want to expose to the specified origins, the headers that origins can include in requests, the HTTP methods allowed when calling your function URL, the browser cache configuration, and whether to allow credentials in the requests made to your function URL.
  3. Choose Save to apply the changes.

08 Repeat steps no. 4 – 7 to configure the function URL for each Amazon Lambda function available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for the other regions.

Using AWS CLI

01 Run update-function-url-config command (OSX/Linux/UNIX) to update the configuration for your Amazon Lambda function URL in order to allow only authenticated IAM users and roles to make requests to the function URL and configure Cross-Origin Resource Sharing (CORS):

aws lambda update-function-url-config \
  --region us-east-1 \
  --function-name cc-process-app-queue \
  --auth-type AWS_IAM \
  --cors 'AllowOrigins="https://www.domain.com",AllowMethods="*",ExposeHeaders="keep-alive",MaxAge=3600,AllowCredentials=false'

02 The command output should return the new configuration available for your function URL:

{
    "FunctionUrl": "https://abcd1234abcd1234abcd1234abcd1234.lambda-url.us-east-1.on.aws/",
    "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:cc-process-app-queue",
    "AuthType": "AWS_IAM",
    "Cors": {
        "AllowCredentials": false,
        "AllowMethods": [
            "*"
        ],
        "AllowOrigins": [
            "https://www.domain.com"
        ],
        "ExposeHeaders": [
            "keep-alive"
        ],
        "MaxAge": 3600
    },
    "CreationTime": "2022-06-22T17:04:40.449428Z",
    "LastModifiedTime": "2022-06-22T17:29:41.587910Z"
}

03 Repeat steps no. 1 and 2 to configure the function URL for each Amazon Lambda function available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.

Publication date Jul 5, 2022