Overview
Lambda function URLs with AuthType set to NONE are reachable without AWS IAM authentication. If those public endpoints also allow wildcard CORS origins, browsers can call the function from any website, increasing the impact of weak application-layer authorization, unsafe methods, or token handling mistakes.
For browser-facing functions, restrict CORS to the exact trusted origins and methods that need access. For non-browser callers, remove CORS entirely.
Remediation guidance
Remediation
Replace wildcard CORS on public Lambda function URLs with explicit trusted origins, methods, and headers. If the endpoint is not intended for direct browser calls, remove the CORS configuration.
AWS CLI
Set explicit allowed origins. Replace {{manual.allowedOrigin}} with the approved application origin.
aws lambda update-function-url-config \
--region {{asset.region}} \
--function-name {{asset.name}} \
--cors AllowOrigins={{manual.allowedOrigin}},AllowMethods=GET,POST,AllowHeaders=content-type,authorization
If the endpoint should not be public, require IAM authentication instead:
aws lambda update-function-url-config \
--region {{asset.region}} \
--function-name {{asset.name}} \
--auth-type AWS_IAM
Validation
aws lambda get-function-url-config \
--region {{asset.region}} \
--function-name {{asset.name}} \
--query '{AuthType:AuthType,Cors:Cors}'
References
- https://docs.aws.amazon.com/lambda/latest/dg/urls-configuration.html
- https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html
Query logic
These are the stored checks tied to this control.
Public AWS Lambda function URLs with wildcard CORS origins
Connectors: AWS
Covered asset types
Expected check: eq []
{
  functions(
    where: {
      cloudProvider: { eq: "aws" }
      NOT: { functionURL: { eq: "" } }
      authType: { eq: "NONE" }
      corsAllowedOrigins_INCLUDES: "*"
    }
  ) {
    ...AssetFragment
  }
}
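Added example, not code from this page or from AWS: a small Python check that applies the same three conditions as the stored query above (a function URL exists, AuthType is NONE, and "*" appears in the CORS allowed origins) to dicts shaped like boto3's get_function_url_config() responses, then builds the update_function_url_config() parameters that correspond to the two remediations in the AWS CLI section. Nothing here calls AWS. The sample configurations, function names and URLs are constructed, and the helper names (find_violations, remediation_params, apply_params) are this example's own.

```python
from typing import Any, Dict, List, Optional, Sequence

# Constructed sample data shaped like boto3 get_function_url_config() responses.
# Function names and URLs are hypothetical.
SAMPLE_CONFIGS: List[Dict[str, Any]] = [
    {
        # Public URL plus wildcard origin: the finding this control reports.
        "FunctionName": "public-widget-api",
        "FunctionUrl": "https://abcdef.lambda-url.us-east-1.on.aws/",
        "AuthType": "NONE",
        "Cors": {"AllowOrigins": ["*"], "AllowMethods": ["GET", "POST"], "AllowHeaders": ["*"]},
    },
    {
        # Public URL restricted to one explicit origin: compliant.
        "FunctionName": "customer-portal-api",
        "FunctionUrl": "https://ghijkl.lambda-url.us-east-1.on.aws/",
        "AuthType": "NONE",
        "Cors": {"AllowOrigins": ["https://app.example.com"], "AllowMethods": ["GET"], "AllowHeaders": ["content-type"]},
    },
    {
        # IAM-authenticated URL: out of scope for this check even with "*".
        "FunctionName": "internal-reporting",
        "FunctionUrl": "https://mnopqr.lambda-url.us-east-1.on.aws/",
        "AuthType": "AWS_IAM",
        "Cors": {"AllowOrigins": ["*"]},
    },
    {
        # Public URL with no CORS block: no cross-origin browser access is granted, so compliant.
        "FunctionName": "webhook-receiver",
        "FunctionUrl": "https://stuvwx.lambda-url.us-east-1.on.aws/",
        "AuthType": "NONE",
    },
]


def is_public(cfg: Dict[str, Any]) -> bool:
    """A function URL exists and AuthType is NONE, i.e. no IAM authentication is required."""
    return bool(cfg.get("FunctionUrl")) and cfg.get("AuthType") == "NONE"


def allows_any_origin(cfg: Dict[str, Any]) -> bool:
    """True when "*" appears in Cors.AllowOrigins; a missing Cors block means no CORS at all."""
    cors = cfg.get("Cors") or {}
    return "*" in (cors.get("AllowOrigins") or [])


def find_violations(configs: Sequence[Dict[str, Any]]) -> List[str]:
    """Names of functions matching the stored check; the expected result is an empty list (eq [])."""
    return [c["FunctionName"] for c in configs if is_public(c) and allows_any_origin(c)]


def remediation_params(
    cfg: Dict[str, Any],
    allowed_origin: Optional[str] = None,
    methods: Sequence[str] = ("GET", "POST"),
    headers: Sequence[str] = ("content-type", "authorization"),
) -> Dict[str, Any]:
    """Build keyword arguments for boto3 lambda.update_function_url_config().

    With allowed_origin set, the URL stays public but CORS is narrowed to that one
    origin (the first CLI remediation). Without it, the URL switches to IAM
    authentication (the second CLI remediation).
    """
    params: Dict[str, Any] = {"FunctionName": cfg["FunctionName"]}
    if allowed_origin is None:
        params["AuthType"] = "AWS_IAM"
        return params
    # Refuse anything that is not an explicit scheme://host origin, including "*".
    if allowed_origin == "*" or not allowed_origin.startswith(("https://", "http://")):
        raise ValueError("allowed_origin must be an explicit origin such as https://app.example.com")
    params["Cors"] = {
        "AllowOrigins": [allowed_origin],
        "AllowMethods": list(methods),
        "AllowHeaders": list(headers),
    }
    return params


def apply_params(cfg: Dict[str, Any], params: Dict[str, Any]) -> Dict[str, Any]:
    """Return the configuration as it would look after update_function_url_config() succeeded."""
    updated = dict(cfg)
    updated.update({k: v for k, v in params.items() if k != "FunctionName"})
    return updated


if __name__ == "__main__":
    flagged = find_violations(SAMPLE_CONFIGS)
    print("violations:", flagged)
    for cfg in SAMPLE_CONFIGS:
        if cfg["FunctionName"] in flagged:
            print("narrow CORS:", remediation_params(cfg, "https://app.example.com"))
            print("require IAM:", remediation_params(cfg))
```

Running the script reports public-widget-api as the only violation; re-evaluating after either remediation is applied returns the empty list that the stored check expects. To run this against a real account, the same functions can be fed the dicts returned by a boto3 `get_function_url_config` call per function.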