About
Lambda functions can be exposed to the internet through function URLs. If authentication is not enabled, anyone on the internet can access the functionality exposed by the Lambda function.
Understanding Impact
Business Impact
Lambda functions allow you to run code without managing servers (serverless). Exposing a Lambda function to the internet without authentication increases the likelihood that it gets attacked and compromised. It can also cause an unexpected increase in costs, since every unauthenticated invocation is billed to your account.
Technical Impact
Lambda function URLs allow exposing a Lambda function to the internet. A Lambda function URL should have authentication enabled. Otherwise, anyone on the internet can invoke the function without authentication, greatly increasing the attack surface.
Identify affected resources
Use the following AWS CLI command to verify if a Lambda function is exposed through a function URL:
aws lambda list-function-url-configs --function-name <your-function>
The function is vulnerable if a function URL is returned with AuthType set to NONE.
{
    "FunctionUrlConfigs": [
        {
            "FunctionUrl": "https://stnhbgb2y64v5q3dg6eeecpc5e0vsvvi.lambda-url.us-east-1.on.aws/",
            "FunctionArn": "arn:aws:lambda:us-east-1:0123456789012:function:my-lambda-function-with-url",
            "CreationTime": "2022-12-06T10:15:32.677219Z",
            "LastModifiedTime": "2022-12-06T10:15:32.677219Z",
            "AuthType": "NONE"
        }
    ]
}
Remediate vulnerable resources
Remove the function URL, or enable IAM authentication on it.
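The identification check and the two remediations above, scripted so they can be applied across a whole region rather than one function at a time. This is an added example, not code from the page or from Datadog; the sample output is constructed, and the account-wide audit assumes boto3 and AWS credentials are available.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `aws lambda list-function-url-configs` output:
# one unauthenticated (NONE) URL and one protected by IAM (AWS_IAM).
SAMPLE_OUTPUT = json.loads("""{
  "FunctionUrlConfigs": [
    {"FunctionUrl": "https://aaaa.lambda-url.us-east-1.on.aws/",
     "FunctionArn": "arn:aws:lambda:us-east-1:111111111111:function:public-fn",
     "AuthType": "NONE"},
    {"FunctionUrl": "https://bbbb.lambda-url.us-east-1.on.aws/",
     "FunctionArn": "arn:aws:lambda:us-east-1:111111111111:function:private-fn",
     "AuthType": "AWS_IAM"}
  ]
}""")

def public_function_urls(output: Dict) -> List[Dict[str, str]]:
    """Return the configs whose AuthType is NONE, i.e. invokable without credentials."""
    return [
        {"arn": cfg["FunctionArn"], "url": cfg["FunctionUrl"]}
        for cfg in output.get("FunctionUrlConfigs", [])
        if cfg.get("AuthType") == "NONE"
    ]

def function_name_from_arn(arn: str) -> str:
    """Function name is the segment after ':function:' (a trailing ':alias' is dropped)."""
    return arn.split(":function:", 1)[1].split(":", 1)[0]

def remediation_commands(arn: str) -> List[str]:
    """The two fixes named above as AWS CLI commands: require IAM auth, or delete the URL."""
    name = function_name_from_arn(arn)
    return [
        f"aws lambda update-function-url-config --function-name {name} --auth-type AWS_IAM",
        f"aws lambda delete-function-url-config --function-name {name}",
    ]

def audit_region(region: str) -> List[Dict[str, str]]:
    """Run the check over every function in a region with boto3 (needs AWS credentials)."""
    import boto3  # imported lazily so the offline parts work without boto3 installed
    client = boto3.client("lambda", region_name=region)
    findings: List[Dict[str, str]] = []
    for page in client.get_paginator("list_functions").paginate():
        for fn in page["Functions"]:
            out = client.list_function_url_configs(FunctionName=fn["FunctionName"])
            findings.extend(public_function_urls(out))
    return findings
```

Run `public_function_urls(SAMPLE_OUTPUT)` to see the detection on the constructed data, or `audit_region("us-east-1")` against a real account; review each flagged function before running the remediation commands, since deleting the URL breaks any legitimate callers.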
How Datadog can help
Cloud Security Management
Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSM Misconfigurations Rule | Lambda function should not be accessible over the public internet".