AWS Lambda Function URL Created with Public Access
Adversaries can establish persistent, internet-accessible footholds within AWS environments by configuring AWS Lambda function URLs with an authentication type of NONE, allowing unauthenticated invocation directly from the public internet for command and control, data exfiltration, or on-demand code execution.
Adversaries can establish persistent, internet-accessible footholds within AWS environments by configuring AWS Lambda function URLs with public access. This technique involves either creating new Lambda function URLs or modifying existing ones to have an authentication type of NONE. When set to NONE, the function becomes directly invokable from the public internet without requiring AWS authentication credentials. This misconfiguration allows attackers to establish a durable command and control (C2) channel, exfiltrate sensitive data, or execute arbitrary code on demand, bypassing typical AWS access controls. The threat leverages legitimate AWS functionality for malicious purposes, turning a service endpoint into an unauthenticated entry point. Such publicly exposed function URLs should be rare and are a strong indicator of potential malicious activity or significant misconfiguration warranting immediate review.
Attack Chain
- Initial Access: An adversary obtains valid AWS credentials (e.g., through phishing, compromised access keys, or exploiting another vulnerability) that possess permissions to manage AWS Lambda functions, specifically
lambda:CreateFunctionUrlConfigorlambda:UpdateFunctionUrlConfig. - Function Identification/Creation: The attacker identifies an existing Lambda function within the compromised account or deploys a new, attacker-controlled Lambda function.
- Function URL Configuration: Using the compromised credentials, the adversary executes the
CreateFunctionUrlConfigorUpdateFunctionUrlConfigAPI call against the target Lambda function. - Public Access Establishment: During the function URL configuration, the attacker explicitly sets the
AuthTypeparameter toNONE, making the function URL publicly accessible without any authentication. - URL Retrieval: The attacker captures the newly generated or modified public function URL from the API response or AWS console.
- Persistence and Exploitation: The public function URL serves as a persistent, unauthenticated endpoint. The adversary can then invoke this URL directly from the internet to achieve command and control, exfiltrate data, or trigger further malicious code execution, bypassing the need for valid AWS credentials for subsequent interactions.
Impact
Successful exploitation of this misconfiguration results in the creation of a persistent, unauthenticated access point to an AWS Lambda function. This allows adversaries to maintain a foothold within the targeted AWS environment, potentially facilitating long-term command and control operations, unauthenticated data exfiltration from resources accessible by the Lambda function's execution role, or on-demand execution of attacker-controlled code. While the direct number of victims is not specified, organizations utilizing AWS Lambda are susceptible if proper access controls are not enforced or if initial account compromise occurs. The primary damage is the circumvention of standard authentication mechanisms, increasing the attack surface and enabling further malicious activity within the cloud infrastructure.
Recommendation
- Deploy the provided Sigma rule to your SIEM system to detect
CreateFunctionUrlConfigandUpdateFunctionUrlConfigevents whereauthTypeis set toNONEin youraws.cloudtraillogs. - Upon detection of the
AWS Lambda Function URL Created with Public Accessevent, immediately investigate theaws.cloudtrail.user_identity.arn,source.ip, anduser_agent.originalfields to identify the actor and source of the configuration change. - Review the associated Lambda function (
functionName) and its code for any signs of tampering or malicious modifications. - Restrict
lambda:CreateFunctionUrlConfigandlambda:UpdateFunctionUrlConfigpermissions to only trusted roles and principals to limit the ability of compromised identities to establish public function URLs. - If an unauthorized public function URL is discovered, change its authentication type to
AWS_IAMor delete the function URL configuration entirely to revoke public access.
Detection coverage 1
AWS Lambda Function URL Created with Public Access
highIdentifies the creation or update of an AWS Lambda function URL configured with an authentication type of NONE, which exposes the function to unauthenticated invocation directly from the public internet. This can be used for persistence, C2, or data exfiltration without valid AWS credentials.
Detection queries are available on the platform. Get full rules →