Ensure AuthType is set to 'AWS_IAM' for AWS Lambda function URLs

MEDIUM

Description

The AWS Lambda Permission resource grants an AWS service or account permission to invoke a function. When the permission for a function URL is created with authentication type NONE rather than AWS_IAM, anyone on the internet can invoke the Lambda function through the function URL without credentials. It is considered best practice to require authentication for access to cloud services.

References:
https://docs.aws.amazon.com/lambda/latest/dg/security-iam.html

Remediation

In AWS Console -

  1. Sign in to AWS Console and go to the Functions page on the Lambda console.
  2. Choose the name of the function that you want to edit.
  3. Select the Configuration tab, and then select Permissions.
  4. Under Resource-based policy, select Add permissions.
  5. Select Function URL.
  6. For Auth type, select AWS_IAM.
  7. (Optional) For Statement ID, enter a statement ID for your policy statement.
  8. For Principal, enter the Amazon Resource Name (ARN) of the IAM user or role that you want to grant permissions to. For example: arn:aws:iam::444455556666:role/example.
  9. Select Save.

In Terraform -

  1. In the aws_lambda_permission resource, set function_url_auth_type to AWS_IAM.
  2. If adding a Condition configuration, update the Condition block accordingly.
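The following Terraform fragment is an added illustration of the remediation above and is not part of the original rule text; it shows the non-compliant setting beside the corrected one. The function resource name `aws_lambda_function.example`, the statement IDs and the role ARN are assumed placeholder values.

```hcl
# Non-compliant (assumed example): the permission allows any caller to invoke the
# function URL without credentials because function_url_auth_type is NONE.
resource "aws_lambda_permission" "public_function_url" {
  statement_id           = "AllowPublicFunctionUrl"   # placeholder statement ID
  action                 = "lambda:InvokeFunctionUrl"
  function_name          = aws_lambda_function.example.function_name
  principal              = "*"
  function_url_auth_type = "NONE"
}

# Compliant (assumed example): the function URL itself requires IAM authentication,
# and the resource-based policy only grants the invoke permission to a specific
# IAM role, with function_url_auth_type set to AWS_IAM.
resource "aws_lambda_function_url" "example" {
  function_name      = aws_lambda_function.example.function_name
  authorization_type = "AWS_IAM"
}

resource "aws_lambda_permission" "iam_function_url" {
  statement_id           = "AllowIamFunctionUrl"      # placeholder statement ID
  action                 = "lambda:InvokeFunctionUrl"
  function_name          = aws_lambda_function.example.function_name
  principal              = "arn:aws:iam::444455556666:role/example"  # placeholder role ARN
  function_url_auth_type = "AWS_IAM"
}
```

Both the `aws_lambda_function_url` resource's `authorization_type` and the `aws_lambda_permission` resource's `function_url_auth_type` should agree on AWS_IAM; setting only one of them leaves a mismatch that is easy to miss in review. To confirm the deployed state, `aws lambda get-function-url-config --function-name <name>` reports the function URL's AuthType, and `aws lambda get-policy --function-name <name>` shows the resource-based policy statements that grant `lambda:InvokeFunctionUrl`.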

References:
https://docs.aws.amazon.com/lambda/latest/dg/security-iam.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission

Policy Details

Rule Reference ID: AC_AWS_0618
CSP: AWS
Remediation Available: Yes
Resource Category: Serverless
Resource Type: Lambda

Frameworks