Profile Applicability:

  • Level 1

Description:

AWS Lambda allows you to create Function URLs, which can be used to invoke your Lambda functions directly over HTTP(S). Lambda function URLs can be configured to allow public access, meaning anyone with the URL can invoke the function, potentially causing misuse or security risks.

To secure Lambda functions and prevent unauthorized access, it is essential to ensure that public Lambda function URLs are not configured. This can be done by reviewing the resource-based policies and ensuring that the Lambda function URL does not allow access to the public ("*" as the principal).

Rationale:

  • Security Risk: Allowing public access to Lambda function URLs exposes the function to the entire internet, increasing the risk of misuse or unauthorized invocations.

  • Data Protection: If the Lambda function processes sensitive data, public access could lead to potential data breaches.

  • Access Control: Restricting access to Lambda function URLs ensures that only trusted AWS accounts or services can invoke the function, minimizing the attack surface.

  • Compliance: Many compliance frameworks (e.g., SOC 2, PCI-DSS, HIPAA) require that API endpoints and serverless functions be protected from unauthorized access.

Impact:

Pros:

  • Improved Security: Ensures that Lambda function URLs are not publicly accessible, protecting the function from unauthorized access.

  • Access Control: Enables the application of stricter access controls to Lambda function URLs, allowing only trusted AWS services or accounts to invoke the function.

  • Compliance: Helps meet regulatory requirements that mandate secure access to cloud services and APIs.

Cons:

  • Complexity in Access Management: Restricting access may require additional configuration steps, such as setting permissions for trusted services or accounts.

  • Access Limitation: Legitimate users or services may need additional configuration (e.g., API Gateway, IAM roles) to access the Lambda function.

Default Value:

By default, Lambda Function URLs are private. However, public access can be enabled through resource-based policies that allow anyone (e.g., "Principal": "*") to invoke the function.

Pre-requisite:

  • AWS IAM Permissions:

    • lambda:ListFunctions

    • lambda:GetPolicy

    • lambda:RemovePermission

  • AWS CLI installed and configured.

  • Lambda function URL should be accessible for validation.

  • Lambda execution role should have permissions to access the function.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Lambda under Services.

  3. In the Lambda Dashboard, select the Lambda function you want to check.

  4. Under the Function URL configuration section, check the CORS settings and resource-based policy:

    • Ensure that the resource-based policy does not grant access to "Principal": "*" (which means public access).

  5. If public access is found, click Edit CORS Configuration and Edit Permissions to restrict the policy to trusted AWS accounts or services.

Using AWS CLI:

  1. To check the Lambda Function URL's resource-based policy, run:

    aws lambda get-policy --function-name <function-name>

  2. Review the output for the "Principal": "*" field. If this exists, the Lambda function URL is publicly accessible.

  3. To remove public access, run:

    aws lambda remove-permission --function-name <function-name> --statement-id <statement-id>

  4. If you need to restrict the policy to a trusted service, run:

    aws lambda add-permission --function-name <function-name> --principal <trusted-principal> --statement-id <new-statement-id> --action lambda:InvokeFunction

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to AWS Lambda.

  2. In the Lambda Dashboard, select the Lambda function for which you want to check the function URL.

  3. Scroll down to the Function URL section and review the resource-based policy.

    • If you see a public policy, such as "Principal": "*", remove or modify it.

  4. Click Modify to change the policy and restrict access to trusted AWS accounts, roles, or services.

Using AWS CLI:

  1. To check the resource-based policy for a Lambda function URL, run:

    aws lambda get-policy --function-name <function-name>

  2. If the policy shows public access, remove it with:

    aws lambda remove-permission --function-name <function-name> --statement-id <statement-id>

  3. To restrict the Lambda function URL to trusted services or accounts, run:

    aws lambda add-permission --function-name <function-name> --principal <trusted-principal> --statement-id <new-statement-id> --action lambda:InvokeFunction
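As an added check that is not part of this benchmark, the following Python script applies steps 1 and 2 of the CLI procedure (in both the Test Plan and the Implementation Steps) to the output of aws lambda get-policy: it unpacks the Policy field, which the CLI returns as a JSON string inside the JSON response, and lists every Allow statement whose Principal is "*" (bare or in the {"AWS": "*"} form), keeping the Condition so the FunctionUrlAuthType can be seen. The account IDs and statement IDs in the embedded sample are constructed.

```python
import json
import sys

# Constructed sample shaped like `aws lambda get-policy` output; "Policy" is a JSON string.
SAMPLE_GET_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Statement": [
            {   # public Function URL grant: anyone on the internet may invoke it
                "Sid": "FunctionURLAllowPublicAccess",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "lambda:InvokeFunctionUrl",
                "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
            },
            {   # grant scoped to a trusted account: not public
                "Sid": "TrustedAccount",
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
                "Action": "lambda:InvokeFunction",
            },
        ],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
})


def _principal_values(principal) -> list:
    """Flatten Principal, which may be "*", {"AWS": "*"} or {"AWS": [...]}."""
    if isinstance(principal, str):
        return [principal]
    values = []
    for v in principal.values():
        values.extend([v] if isinstance(v, str) else v)
    return values


def public_statements(get_policy_output: str) -> list:
    """Return the Allow statements whose Principal includes "*"."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be unwrapped
        statements = [statements]
    return [  # Condition is kept so a reviewer can see e.g. FunctionUrlAuthType
        {"Sid": s.get("Sid"), "Action": s.get("Action"), "Condition": s.get("Condition", {})}
        for s in statements
        if s.get("Effect") == "Allow" and "*" in _principal_values(s.get("Principal", {}))
    ]


if __name__ == "__main__":  # pipe get-policy output on stdin, else use the sample
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GET_POLICY_OUTPUT
    print(json.dumps(public_statements(raw), indent=2))
```

Each Sid it prints is the value to pass to aws lambda remove-permission --statement-id in step 3.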

Backout Plan:

Using AWS Console:

  1. If removing the public access causes issues or breaks functionality, sign in to the AWS Management Console.

  2. Navigate to Lambda and re-enable the public URL or reconfigure API Gateway access if required.

  3. Ensure proper security controls, such as authentication and authorization, are set up to secure the function.

Using AWS CLI:

  1. If access needs to be re-enabled, run the following command:

    aws lambda put-function-url-config --function-name <FUNCTION_NAME> --auth-type AWS_IAM --cors <CORS_POLICY>

  2. Verify that the Lambda function URL is accessible again with appropriate controls in place.

References:

CIS Controls Mapping:

Version | Control ID | Control Description                                                                                                            | IG1 | IG2 | IG3
--------|------------|--------------------------------------------------------------------------------------------------------------------------------|-----|-----|----
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                           |     |     |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                       |     |     |
v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                |     |     |