Lambda function is publicly accessible through function URL







February 21, 2023

EXPLOITABILITY Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability, some might refer to this as likelihood.

IMPACT How impactful to your environment and organization a successful exploitation of this vulnerability is expected to be.




Lambda functions can be exposed to the internet through function URLs. If authentication is not enabled, anyone on the internet can access the functionality exposed by the Lambda function.

Understanding Impact

Business Impact

Lambda functions allow you to run code without worrying about managing servers (serverless). Exposing a Lambda function to the internet without authentication increases the likelihood it gets attacked and compromised. It can also cause an unexpected increase of costs.

Technical Impact

Lambda function URLs allows exposing a Lambda function to the internet. A Lambda function URL should have authentication enabled. Otherwise, anyone on the internet can invoke it without authentication, greatly increasing the attack surface.

Identify affected resources

Use the following AWS CLI command to verify if a Lambda function is exposed through a function URL:

aws lambda list-function-url-configs --function-name <your-function>

The function is vulnerable if a function URL is returned with AuthType set to NONE.

  "FunctionUrlConfigs": [
          "FunctionUrl": "",
          "FunctionArn": "arn:aws:lambda:us-east-1:0123456789012:function:my-lambda-function-with-url",
          "CreationTime": "2022-12-06T10:15:32.677219Z",
          "LastModifiedTime": "2022-12-06T10:15:32.677219Z",
          "AuthType": "NONE"

Remediate vulnerable resources

Remove the function URL, or enable IAM authentication on it.

How Datadog can help

Cloud Security Management

Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSPM Rule | Lambda function is not publicly accessible".


Lambda function URLs

aws documentation

Security and auth model for Lambda function URLs

aws documentation