Description:
Lambda functions can be configured with public URLs, which allow them to be invoked from anywhere on the internet. However, this can pose a security risk if the function is not properly secured.
Rationale:
Public Lambda function URLs should be checked to ensure that they are only accessible to authorized users. If a public Lambda function URL is not properly secured, it could be used by malicious actors to access sensitive data or resources.
Impact:
If a public Lambda function URL is not properly secured, it could be used by malicious actors to:
- Access sensitive data or resources
- Launch denial-of-service attacks
- Execute malicious code
Default Value:
By default, Lambda functions are not configured with public URLs. However, it is possible to configure a Lambda function with a public URL by setting the public property to true in the function's configuration.
Pre-requisites:
- Access to the AWS Management Console
- Knowledge of how to configure Lambda functions
Remediation Steps:
- Log in to the AWS Management Console.
- Go to the Lambda Functions page.
- Select the Lambda function that you want to check.
- Click the Configuration tab.
- Verify that the public property is set to false.
- If the public property is set to true, then you should change it to false.
- Click the Save button.
Test Plan:
- Verify that the public Lambda function URL is no longer accessible.
- Try to access the function from different locations and verify that you can no longer access it.
Implementation Plan:
AWS CLI Process:
- Log in to the AWS CLI.
- Run the following command to list the Lambda functions for the current account:
aws lambda list-functions
- Find the Lambda function that you want to check.
- Run the following command to get the function's URL configuration (the AuthType field is what controls public access; a value of NONE means the URL is public):
aws lambda get-function-url-config --function-name <function-name>
- Verify that AuthType is not NONE.
- If AuthType is NONE, then you should run the following command to change it to AWS_IAM so that callers must sign requests with IAM credentials:
aws lambda update-function-url-config --function-name <function-name> --auth-type AWS_IAM
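The CLI check above applied across an account, as an added Python example that is not part of this page: it consumes the JSON that `aws lambda list-functions` and `aws lambda list-function-url-configs --function-name <name>` print, flags every function URL whose AuthType is NONE, and emits the remediation command. The sample JSON is constructed here to mirror the CLI's output shape.

```python
"""Audit helper: flag Lambda function URLs whose AuthType is NONE."""
import json
from typing import Dict, List

# Constructed sample of `aws lambda list-functions` output (trimmed to the fields used).
SAMPLE_FUNCTIONS_JSON = json.dumps({"Functions": [
    {"FunctionName": "orders-api"},
    {"FunctionName": "nightly-report"},
    {"FunctionName": "internal-worker"},
]})

# Constructed samples of `aws lambda list-function-url-configs --function-name <name>`,
# keyed by function name. internal-worker has no function URL at all.
SAMPLE_URL_CONFIGS_JSON: Dict[str, str] = {
    "orders-api": json.dumps({"FunctionUrlConfigs": [{
        "FunctionUrl": "https://abc123.lambda-url.us-east-1.on.aws/",
        "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:orders-api",
        "AuthType": "NONE"}]}),
    "nightly-report": json.dumps({"FunctionUrlConfigs": [{
        "FunctionUrl": "https://def456.lambda-url.us-east-1.on.aws/",
        "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:nightly-report",
        "AuthType": "AWS_IAM"}]}),
    "internal-worker": json.dumps({"FunctionUrlConfigs": []}),
}


def find_public_function_urls(functions_json: str,
                              url_configs_json: Dict[str, str]) -> List[dict]:
    """Return one finding per function URL that accepts unauthenticated calls."""
    findings = []
    for fn in json.loads(functions_json)["Functions"]:
        name = fn["FunctionName"]
        # A function with no URL config yields an empty list, so it is skipped.
        configs = json.loads(url_configs_json.get(name, '{"FunctionUrlConfigs": []}'))
        for cfg in configs.get("FunctionUrlConfigs", []):
            if cfg.get("AuthType") == "NONE":
                findings.append({"FunctionName": name,
                                 "FunctionUrl": cfg["FunctionUrl"],
                                 "Remediation": remediation_command(name)})
    return findings


def remediation_command(function_name: str) -> str:
    """CLI command that switches the function URL to IAM authentication."""
    return (f"aws lambda update-function-url-config --function-name {function_name} "
            f"--auth-type AWS_IAM")


if __name__ == "__main__":
    for finding in find_public_function_urls(SAMPLE_FUNCTIONS_JSON, SAMPLE_URL_CONFIGS_JSON):
        print(json.dumps(finding, indent=2))
```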
Using AWS GUI:
- Log in to the AWS Management Console.
- Go to the Lambda Functions page.
- Select the Lambda function that you want to check.
- Click the Configuration tab.
- Verify that the public property is set to false.
- If the public property is set to true, then you should change it to false by clicking the Edit button and unchecking the Public checkbox.
- Click the Save button.
Backout Plan:
- Log in to the AWS Management Console.
- Go to the Lambda Functions page.
- Select the Lambda function that you want to revert.
- Click the Configuration tab.
- Check the Public checkbox.
- Click the Save button.
Note:
- This policy should only be applied to Lambda functions that are not intended to be accessible from the public internet.
- If you are unsure whether or not a Lambda function should be accessible from the public internet, then you should consult with your security team.
Reference:
- AWS Lambda Public URLs: https://docs.aws.amazon.com/lambda/latest/dg/urls-configuration.html
Section 2:
- Tags: security, lambda, function, url, public, remediation
- Keywords: public lambda function url, remediation, security, check, access, secure