Ensure that Lambda Function URL is secured with IAM authentication

When a Lambda Function URL's authorization type is set to 'NONE', the URL is a public endpoint: IAM authentication is bypassed and anyone who knows the URL can invoke the function.

Risk Level: Critical
Cloud Entity: AWS Lambda
CloudGuard Rule ID: D9.AWS.IAM.107
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

Lambda where urlConfigs should not have urlConfigs contain [ authType='NONE' ]

REMEDIATION

From Portal

  1. Open the Amazon Lambda console at https://us-east-1.console.aws.amazon.com/lambda/
  2. In the navigation pane, choose 'Functions' and select the relevant Lambda Function
  3. Under 'Configurations', choose 'Function URL' and press 'Edit'
  4. Set 'Auth type' to 'AWS_IAM' and save

From TF
To set the authorization type for a Lambda Function URL, update the 'authorization_type' argument within the 'aws_lambda_function_url' block:

resource "aws_lambda_function_url" "lambda_function_url_example" {
	..
	authorization_type = "AWS_IAM"
	..
}

From Command Line
To set the authorization type for a Lambda Function URL, use:

aws lambda update-function-url-config --function-name FUNCTION-NAME --auth-type AWS_IAM
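The following is an added example, not part of the CloudGuard rule or AWS tooling. It evaluates the GSL logic above offline over a constructed sample of the JSON that `aws lambda list-function-url-configs` returns, and goes one step beyond the rule by also scanning a constructed `get-policy` document for the public `lambda:InvokeFunctionUrl` grant that the console adds alongside a NONE URL (the function names, ARNs and URLs are made up).

```python
import json

# Constructed sample of `aws lambda list-function-url-configs` output per function.
SAMPLE_URL_CONFIGS = {
    "public-webhook": {"FunctionUrlConfigs": [
        {"FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:public-webhook",
         "FunctionUrl": "https://abc123.lambda-url.us-east-1.on.aws/", "AuthType": "NONE"}]},
    "internal-api": {"FunctionUrlConfigs": [
        {"FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:internal-api",
         "FunctionUrl": "https://def456.lambda-url.us-east-1.on.aws/", "AuthType": "AWS_IAM"}]},
    "no-url": {"FunctionUrlConfigs": []},
}

# Constructed sample of the Policy string from `aws lambda get-policy`.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "FunctionURLAllowPublicAccess", "Effect": "Allow", "Principal": "*",
    "Action": "lambda:InvokeFunctionUrl",
    "Resource": "arn:aws:lambda:us-east-1:111122223333:function:public-webhook",
    "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}}]})

def evaluate_rule(url_configs_by_function):
    """Apply the GSL rule: only functions that have URL configs are in scope
    ('where urlConfigs'); any config with AuthType NONE is a finding."""
    results = {}
    for name, response in url_configs_by_function.items():
        configs = response.get("FunctionUrlConfigs", [])
        if not configs:  # no Function URL at all: not evaluated by the rule
            continue
        results[name] = "FAIL" if any(c.get("AuthType") == "NONE" for c in configs) else "PASS"
    return results

def public_url_statements(policy_json):
    """Sids of resource-policy statements granting InvokeFunctionUrl to everyone.
    After the auth type is changed to AWS_IAM the NONE condition stops matching,
    but the grant is still sitting in the policy and is worth removing."""
    sids = []
    for st in json.loads(policy_json).get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = st.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and anyone and "lambda:InvokeFunctionUrl" in actions:
            sids.append(st.get("Sid", "<no Sid>"))
    return sids

def remediation_commands(name, sids):
    """CLI commands to apply: switch the URL to IAM auth, then drop public grants."""
    cmds = [f"aws lambda update-function-url-config --function-name {name} --auth-type AWS_IAM"]
    cmds += [f"aws lambda remove-permission --function-name {name} --statement-id {s}" for s in sids]
    return cmds

if __name__ == "__main__":
    for fn, verdict in evaluate_rule(SAMPLE_URL_CONFIGS).items():
        print(fn, verdict)
    print("\n".join(remediation_commands("public-webhook", public_url_statements(SAMPLE_POLICY))))
```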

References

  1. https://docs.aws.amazon.com/lambda/latest/dg/lambda-urls.html
  2. https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function_url
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-url-config.html

AWS Lambda

AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running.

With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS NIST 800-53 Rev 5
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset