AWS Lambda Function URL Created with Public Access
Adversaries may establish a persistent, internet-reachable entry point by creating or updating an AWS Lambda function URL with an authentication type of NONE, allowing unauthenticated invocation for command and control, data exfiltration, or on-demand code execution, thereby bypassing the need for valid AWS credentials.
This threat involves the misconfiguration of AWS Lambda function URLs, allowing adversaries to establish a persistent and publicly accessible foothold within a compromised AWS environment. Specifically, the creation or modification of a Lambda function URL with authType=NONE exposes the function to unauthenticated invocation directly from the internet. This technique enables attackers to bypass traditional AWS credential requirements for function execution, creating a durable entry point for various malicious activities. Such public URLs can serve as covert command and control (C2) channels, facilitate unauthorized data exfiltration, or provide an on-demand platform for executing arbitrary attacker-controlled code. This configuration is typically rare for legitimate applications and warrants immediate review due to the significant security implications of exposing compute resources to the public internet without authentication.
Attack Chain
- An adversary gains initial access to an AWS account, potentially via compromised credentials or an exploited vulnerability.
- Using the compromised credentials, the adversary invokes the
CreateFunctionUrlConfigorUpdateFunctionUrlConfigAPI call against an existing or new AWS Lambda function. - Within this API call, the adversary intentionally sets the
AuthTypeparameter toNONE. - This action successfully configures the target AWS Lambda function with a unique, publicly accessible HTTPS endpoint (Function URL).
- The adversary can then directly invoke this Lambda function from any internet-connected system without providing any AWS authentication credentials.
- This publicly exposed function serves as a persistent and unauthenticated entry point, enabling command and control (C2) operations.
- The adversary can leverage this for unauthorized data exfiltration by programming the Lambda function to send sensitive data to an external location.
- Alternatively, the Lambda function can be used to execute arbitrary attacker-controlled code on demand within the AWS environment, maintaining a durable backdoor into the system.
Impact
The successful exploitation of this misconfiguration grants adversaries a persistent and unauthenticated entry point into the compromised AWS environment. This can lead to a range of severe consequences, including full compromise of the affected Lambda function's execution role, leading to lateral movement, privilege escalation, and access to other AWS resources. Attackers can use this persistent access for command and control, unauthorized data exfiltration of sensitive information (e.g., customer data, intellectual property), or to launch further attacks and maintain a foothold. The exact number of victims is not specified, but any organization utilizing AWS Lambda functions is potentially vulnerable if access to credentials allows this misconfiguration.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect suspicious
CreateFunctionUrlConfigorUpdateFunctionUrlConfigevents withauthType=NONEin your AWS CloudTrail logs. - Investigate the
aws.cloudtrail.user_identity.arnandaws.cloudtrail.user_identity.typefields for any detections to identify the principal responsible for the change. - Review the
aws.cloudtrail.request_parametersfor thefunctionNameand theauthType, andaws.cloudtrail.response_elementsfor the resultingfunctionUrlfor unauthorized public exposures. - If an unauthorized public URL is identified, immediately change the function URL
authTypetoAWS_IAMor delete the function URL configuration as detailed in the AWS documentation linked in this brief. - Review the function's code, execution role, and recent changes (e.g.,
UpdateFunctionCode,UpdateFunctionConfiguration) for signs of tampering following detection. - Restrict
lambda:CreateFunctionUrlConfigandlambda:UpdateFunctionUrlConfigpermissions to only trusted roles within your AWS environment to prevent unauthorized creation of public function URLs.
Detection coverage 1
AWS Lambda Function URL Created or Updated with Public Access
highDetects the creation or update of an AWS Lambda function URL configured with `authType=NONE`, exposing it to unauthenticated public internet invocation, which can be used for persistence or defense evasion.
Detection queries are available on the platform. Get full rules →