Detect publicly accessible Lambda Function URLs in your AWS account.
This CloudFormation template creates a custom AWS Config rule that records Lambda functions with a publicly accessible Function URL as NON_COMPLIANT.
- Enable AWS Config (required).
- Upload the CloudFormation template.
- Evaluate the results of the newly created AWS Config Rule.
AWS recently announced Lambda Function URLs, a quick way to expose a Lambda function to the internet through an HTTPS endpoint.
The problem is that AWS did not update its existing lambda-function-public-access-prohibited managed rule, which detects publicly accessible Lambda functions, to cover Function URLs.
I do anticipate that AWS will update that rule or provide a new one eventually, but in the meantime this is a blind spot.
The template creates the following resources:
- Config Rule
- Lambda Function (the rule's evaluation logic)
- Lambda IAM Role & Policy
- (optional) Demo Lambda Functions
Below is the default resource-based policy that is attached when you enable a public Function URL (auth type NONE) for a Lambda function.
```json
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "FunctionURLAllowPublicAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "lambda:InvokeFunctionUrl",
      "Resource": "arn:aws:lambda:region:accountId:function:functionName",
      "Condition": {
        "StringEquals": {
          "lambda:FunctionUrlAuthType": "NONE"
        }
      }
    }
  ]
}
```

This custom AWS Config rule specifically looks for an Allow statement whose `lambda:FunctionUrlAuthType` condition equals `NONE`.
```python
import json


def is_public_policy(policy):
    """Return True if the function's resource-based policy grants unauthenticated Function URL invocation."""
    policy = json.loads(policy)
    statements = policy.get('Statement', [])
    # A policy document may carry a single statement object rather than a list.
    if isinstance(statements, dict):
        statements = [statements]
    for rule in statements:
        # Only Allow statements can open the function up; skip Deny statements.
        if rule.get('Effect') != 'Allow':
            continue
        try:
            if rule['Condition']['StringEquals']['lambda:FunctionUrlAuthType'] == 'NONE':
                return True  # NON_COMPLIANT
        except (KeyError, TypeError):
            continue
    return False  # COMPLIANT
```
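The following is an added worked example, not code from this repository: it shows the same policy check extended with the action and Effect filtering a production rule needs, run over a few constructed sample policies (the edge cases a Config rule evaluator should handle), plus a hypothetical periodic-rule handler that wires the check to `get_policy` and `put_evaluations`. The function and account identifiers in the samples are made up, and the handler assumes `boto3` is available in the rule's Lambda environment.

```python
import json
from datetime import datetime, timezone

# Constructed sample policies (not from a real account). The ARNs, account
# ID and function names are made up for illustration.

# 1. The console-generated public grant: must be NON_COMPLIANT.
PUBLIC_URL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [{
        "Sid": "FunctionURLAllowPublicAccess",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "lambda:InvokeFunctionUrl",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:demo-public",
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
    }],
})

# 2. Same grant, but "Statement" is a bare object rather than a list.
SINGLE_STATEMENT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["lambda:InvokeFunctionUrl"],
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:demo-single",
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
    },
})

# 3. IAM-authenticated Function URL scoped to one account: COMPLIANT.
IAM_AUTH_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "lambda:InvokeFunctionUrl",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:demo-iam",
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "AWS_IAM"}},
    }],
})

# 4. A Deny statement that mentions NONE must not be reported as public.
DENY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "lambda:InvokeFunctionUrl",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:demo-deny",
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
    }],
})

URL_ACTIONS = ("lambda:InvokeFunctionUrl", "lambda:*", "*")


def evaluate_policy(policy_json):
    """Classify a Lambda resource-based policy for the Config rule.

    None means get_policy raised ResourceNotFoundException, i.e. the function
    has no resource-based policy, so nothing can grant public URL invocation.
    """
    if policy_json is None:
        return "COMPLIANT"
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in URL_ACTIONS for a in actions):
            continue
        # Matches the condition the console writes for a NONE auth type URL.
        cond = stmt.get("Condition", {}) or {}
        if cond.get("StringEquals", {}).get("lambda:FunctionUrlAuthType") == "NONE":
            return "NON_COMPLIANT"
    return "COMPLIANT"


def fetch_policy(lambda_client, function_name):
    """Return the function's resource-based policy JSON, or None if it has none."""
    try:
        return lambda_client.get_policy(FunctionName=function_name)["Policy"]
    except lambda_client.exceptions.ResourceNotFoundException:
        return None


def lambda_handler(event, context):
    """Hypothetical entry point for a periodic custom Config rule (assumes boto3)."""
    import boto3  # imported here so evaluate_policy() stays runnable offline
    lambda_client = boto3.client("lambda")
    config = boto3.client("config")
    now = datetime.now(timezone.utc)
    evaluations = []
    for page in lambda_client.get_paginator("list_functions").paginate():
        for fn in page["Functions"]:
            evaluations.append({
                "ComplianceResourceType": "AWS::Lambda::Function",
                "ComplianceResourceId": fn["FunctionName"],
                "ComplianceType": evaluate_policy(fetch_policy(lambda_client, fn["FunctionName"])),
                "OrderingTimestamp": now,
            })
    # put_evaluations accepts at most 100 evaluations per call.
    for i in range(0, len(evaluations), 100):
        config.put_evaluations(Evaluations=evaluations[i:i + 100],
                               ResultToken=event["resultToken"])
```

Running `evaluate_policy` over the four samples above yields NON_COMPLIANT for the two public grants and COMPLIANT for the IAM-scoped and Deny policies; the handler needs `lambda:GetPolicy`, `lambda:ListFunctions` and `config:PutEvaluations` on the rule's execution role.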