Profile Applicability:
- Level 2
Description:
Lambda Function URLs are a feature of AWS Lambda that allows you to invoke Lambda functions over HTTP(S) using RESTful endpoints. CORS (Cross-Origin Resource Sharing) is a mechanism that allows web applications running at one origin (domain) to request resources from another origin. It is particularly important when dealing with client-side web applications that need to make requests to Lambda functions deployed via API Gateway or Lambda Function URLs.
Configuring CORS correctly ensures that Lambda function URLs can be accessed securely and only by authorized origins, protecting your function from unauthorized cross-origin requests. Note that CORS is enforced by the browser, not by the function URL itself: it controls which web origins may read responses from scripts, while the function URL's AuthType (NONE or AWS_IAM) controls who can invoke the URL directly.
Rationale:
Security: Proper CORS configuration ensures that only trusted origins can access the Lambda function, reducing the risk of cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.
Access Control: By specifying which domains can interact with your Lambda function URL, you enforce a controlled environment for client applications.
Compliance: Many compliance frameworks (e.g., SOC 2, HIPAA) require that APIs and web applications follow secure access control mechanisms, including CORS.
Browser Compatibility: Correctly configuring CORS ensures that browsers allow cross-origin requests from web applications, improving compatibility and user experience.
Impact:
Pros:
Enhanced Security: Limits the Lambda function URL’s accessibility to only trusted origins, reducing unauthorized access.
Prevent Unauthorized Requests: Restricts cross-origin requests to only the domains you trust, ensuring that only authorized web applications can interact with the function.
Compliance: Helps meet industry compliance standards that require secure APIs and web applications.
Cons:
Complexity: Setting up CORS for Lambda function URLs may require careful planning to ensure that only the appropriate origins are granted access.
Access Limitation: Overly restrictive CORS settings may prevent legitimate applications from accessing the Lambda function, requiring fine-tuning of allowed origins.
Default Value:
By default, Lambda Function URLs do not have CORS configuration enabled. You must explicitly configure CORS for Lambda function URLs to allow cross-origin requests from trusted domains.
Pre-requisite:
AWS IAM Permissions:
lambda:GetFunctionConfiguration
lambda:UpdateFunctionConfiguration
apigateway:GET
AWS CLI installed and configured.
Lambda Function URL should be active and accessible.
Ensure that you have the necessary CORS policy defined for the Lambda function URL.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to AWS Lambda under Services.
In the Lambda Dashboard, select the Lambda function you want to review.
Under the Function URL configuration section, check the CORS settings:
Ensure that only trusted origins (e.g., https://example.com) are listed in the allowed origins.
Ensure that methods like GET, POST, etc., are appropriately configured in the allowed methods.
If the Lambda function URL is not configured with CORS or is configured incorrectly, modify the CORS settings to add trusted origins and methods.
Click Edit CORS Configuration to update the allowed origins, headers, and methods.
Using AWS CLI:
To check the CORS configuration of a Lambda function URL, run:
aws lambda get-function-url-config --function-name <function-name>
Review the CORS configuration to check if the allowed origins and allowed methods are correctly set.
To update or enable CORS on the Lambda function URL, run:
aws lambda update-function-url-config --function-name <function-name> --cors '{"AllowOrigins":["<origin-1>","<origin-2>"],"AllowMethods":["GET","POST","PUT"]}'
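The review step above can be automated over the JSON that get-function-url-config returns. The following is an added example (not part of this benchmark or of the AWS CLI); the sample configuration and the trusted-origin list are constructed for illustration, and the findings it reports correspond to the checks described in the Test Plan.

```python
import json

# Constructed sample in the shape returned by
# `aws lambda get-function-url-config --function-name <function-name>`
SAMPLE_CONFIG = json.loads("""
{
  "FunctionUrl": "https://abcdef.lambda-url.us-east-1.on.aws/",
  "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:example-fn",
  "AuthType": "NONE",
  "Cors": {
    "AllowOrigins": ["*"],
    "AllowMethods": ["*"],
    "AllowCredentials": true
  }
}
""")

# Assumed allow-list of origins the organisation actually trusts.
TRUSTED_ORIGINS = {"https://example.com", "https://api.example.com"}


def audit_cors(config, trusted_origins=TRUSTED_ORIGINS):
    """Return a list of findings for one function URL config; empty means it passes."""
    findings = []
    cors = config.get("Cors")
    if not cors:
        # Benchmark expects CORS to be explicitly configured (default is none).
        findings.append("no CORS configuration set on the function URL")
        return findings
    origins = set(cors.get("AllowOrigins", []))
    methods = set(cors.get("AllowMethods", []))
    if "*" in origins:
        findings.append("AllowOrigins contains '*': any web origin may read responses")
    untrusted = origins - trusted_origins - {"*"}
    if untrusted:
        findings.append(f"origins outside the trusted list: {sorted(untrusted)}")
    if "*" in methods:
        findings.append("AllowMethods contains '*': restrict to the methods the client needs")
    if cors.get("AllowCredentials") and "*" in origins:
        findings.append("AllowCredentials is true together with a wildcard origin")
    if config.get("AuthType") == "NONE" and ("*" in origins or untrusted):
        findings.append("AuthType is NONE, so CORS is the only browser-side restriction and it is too broad")
    return findings


if __name__ == "__main__":
    for finding in audit_cors(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Pipe the CLI output into this function (for example, `json.load(sys.stdin)`) to review every function in an account in one pass.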
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to AWS Lambda.
In the Lambda Dashboard, select the Lambda function for which you want to configure CORS.
Scroll to the Function URL section and click Edit in the CORS configuration section.
Enter the allowed origins (trusted domains), e.g., https://example.com, https://api.example.com.
Select the allowed methods (e.g., GET, POST, PUT).
Click Save to apply the changes.
Verify that the Lambda function URL is now configured with the correct CORS settings.
Using AWS CLI:
To enable CORS for a Lambda function URL, run:
aws lambda update-function-url-config --function-name <function-name> --cors '{"AllowOrigins":["https://example.com"],"AllowMethods":["GET","POST","PUT"]}'
To verify the changes, run:
aws lambda get-function-url-config --function-name <function-name>
Backout Plan:
Using AWS Console:
If enabling or modifying CORS causes issues, sign in to the AWS Management Console.
Navigate to Lambda and select the function to modify.
Remove or adjust the CORS configuration by allowing a broader set of origins or methods, or by disabling CORS if necessary.
Save the changes and verify that the Lambda function URL is accessible as required.
Using AWS CLI:
To revert the CORS configuration for a Lambda function URL, run:
aws lambda update-function-url-config --function-name <FUNCTION_NAME> --cors '{"AllowOrigins":["*"]}'
Verify that CORS has been reverted and the Lambda function URL is now accessible to all origins if required:
aws lambda get-function-url-config --function-name <FUNCTION_NAME>