Description:

Lambda functions can be configured with public URLs, which allow them to be invoked from anywhere on the internet. However, this can pose a security risk if the function is not properly secured.

Rationale:

Public Lambda function URLs should be checked to ensure that they are only accessible to authorized users. If a public Lambda function URL is not properly secured, it could be used by malicious actors to access sensitive data or resources.

Impact:

If a public Lambda function URL is not properly secured, it could be used by malicious actors to:

  • Access sensitive data or resources
  • Launch denial-of-service attacks
  • Execute malicious code

Default Value:

By default, Lambda functions are not configured with public URLs. However, it is possible to configure a Lambda function with a public URL by setting the public property to true in the function's configuration.

Pre-requisites:

  • Access to the AWS Management Console
  • Knowledge of how to configure Lambda functions

Remediation Steps:

  1. Log in to the AWS Management Console.
  2. Go to the Lambda Functions page.
  3. Select the Lambda function that you want to check.
  4. Click the Configuration tab.
  5. Verify that the public property is set to false.
  6. If the public property is set to true, then you should change it to false.
  7. Click the Save button.

Test Plan:

  1. Verify that the public Lambda function URL is no longer accessible.
  2. Try to access the function from different locations and verify that you can no longer access it.

Implementation Plan:

AWS CLI Process:

  1. Log in to the AWS CLI.
  2. Run the following command to list the Lambda functions for the current account:
aws lambda list-functions
  3. Find the Lambda function that you want to check.
  4. Run the following command to get the function's URL configuration (a ResourceNotFoundException means the function has no URL and is not affected):
aws lambda get-function-url-config --function-name <function-name>
  5. Verify that AuthType in the output is AWS_IAM, not NONE.
  6. If AuthType is NONE, then you should run the following command to require IAM authentication on the URL (or remove the URL entirely with aws lambda delete-function-url-config):
aws lambda update-function-url-config --function-name <function-name> --auth-type AWS_IAM
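A scripted form of the check above, as an added example that is not part of the original check text: it evaluates the JSON returned by get-function-url-config and get-policy, flagging both an AuthType of NONE and a leftover resource-policy statement that grants lambda:InvokeFunctionUrl to everyone. The sample configuration and policy are constructed, and the ARN and URL in them are placeholders.

```python
"""Audit Lambda function URLs for unauthenticated (AuthType NONE) access.
Added example, not from the original check: the functions take the JSON that
`aws lambda get-function-url-config` and `aws lambda get-policy` return, so
they run offline on the constructed samples below."""
import json

def url_is_public(url_config):
    """True when the function URL accepts unauthenticated callers.
    A missing AuthType is treated as NONE so the check fails closed."""
    return url_config.get("AuthType", "NONE").upper() == "NONE"

def policy_allows_public_url_invoke(policy_json):
    """True if the resource policy grants lambda:InvokeFunctionUrl to everyone;
    changing AuthType does not delete such a statement (use remove-permission)."""
    if not policy_json:
        return False
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = stmt.get("Principal")
        everyone = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if stmt.get("Effect") == "Allow" and everyone and any(
                a in ("lambda:InvokeFunctionUrl", "lambda:*", "*") for a in actions):
            return True
    return False

def audit(url_config, policy_json):
    """Return the findings for one function; an empty list means compliant.
    url_config is None when get-function-url-config raises ResourceNotFoundException."""
    findings = []
    if url_config is not None and url_is_public(url_config):
        findings.append("function URL AuthType is NONE: anyone on the internet can invoke it")
    if policy_allows_public_url_invoke(policy_json):
        findings.append("resource policy grants lambda:InvokeFunctionUrl to Principal *")
    return findings

# Constructed samples of what the two CLI calls return for a public function URL.
SAMPLE_URL_CONFIG = {"FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:demo",
                     "FunctionUrl": "https://example.lambda-url.us-east-1.on.aws/", "AuthType": "NONE"}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "FunctionURLAllowPublicAccess", "Effect": "Allow", "Principal": "*",
    "Action": "lambda:InvokeFunctionUrl",
    "Resource": "arn:aws:lambda:us-east-1:123456789012:function:demo",
    "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}}]})

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_URL_CONFIG, SAMPLE_POLICY)) or "compliant")
```

To run it against a real function, pass the parsed output of the two CLI commands to audit(); the "Policy" field of get-policy is itself a JSON string, which is what policy_allows_public_url_invoke expects.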

Using AWS GUI:

  1. Log in to the AWS Management Console.
  2. Go to the Lambda Functions page.
  3. Select the Lambda function that you want to check.
  4. Click the Configuration tab.
  5. Verify that the public property is set to false.
  6. If the public property is set to true, then you should change it to false by clicking the Edit button and unchecking the Public checkbox.
  7. Click the Save button.

Backout Plan:

  1. Log in to the AWS Management Console.
  2. Go to the Lambda Functions page.
  3. Select the Lambda function that you want to revert.
  4. Click the Configuration tab.
  5. Check the Public checkbox.
  6. Click the Save button.

Note:

  • This policy should only be applied to Lambda functions that are not intended to be accessible from the public internet.
  • If you are unsure whether or not a Lambda function should be accessible from the public internet, then you should consult with your security team.

Reference:

  • AWS Lambda Public URLs: https://docs.aws.amazon.com/lambda/latest/dg/urls-configuration.html

Section 2:

  • Tags: security, lambda, function, url, public, remediation
  • Keywords: public lambda function url, remediation, security, check, access, secure