AWS lambda high security documentation change
Summary
Updated Lambda function URL authentication documentation to require both lambda:InvokeFunctionUrl and lambda:InvokeFunction permissions starting October 2025. Added details about lambda:InvokedViaFunctionUrl condition key and updated policy examples.
Security assessment
The change introduces stricter permission requirements (requiring both InvokeFunctionUrl AND InvokeFunction) to prevent unauthorized access. It adds the lambda:InvokedViaFunctionUrl condition key to restrict invocation methods, which directly addresses potential over-permission vulnerabilities. The October 2025 enforcement date indicates this mitigates a security gap in current configurations.
Diff
diff --git a/lambda/latest/dg/urls-auth.md b/lambda/latest/dg/urls-auth.md index 786308cb3..7531e742f 100644 --- a//lambda/latest/dg/urls-auth.md +++ b//lambda/latest/dg/urls-auth.md @@ -9 +9,5 @@ Using the AWS_IAM auth typeUsing the NONE auth typeGovernance and access control -You can control access to your Lambda function URLs using the `AuthType` parameter combined with [resource-based policies](./access-control-resource-based.html) attached to your specific function. The configuration of these two components determines who can invoke or perform other administrative actions on your function URL. +###### Note + +Starting in October 2025, new function URLs will require both `lambda:InvokeFunctionUrl` and `lambda:InvokeFunction` permissions. + +You can control access to your Lambda function URLs using the [AuthType](https://docs.aws.amazon.com/lambda/latest/api/API_CreateFunctionUrlConfig.html#lambda-CreateFunctionUrlConfig-request-AuthType) parameter combined with [resource-based policies](./access-control-resource-based.html) attached to your specific function. The configuration of these two components determines who can invoke or perform other administrative actions on your function URL. @@ -13 +17 @@ The `AuthType` parameter determines how Lambda authenticates or authorizes reque - * `AWS_IAM` – Lambda uses AWS Identity and Access Management (IAM) to authenticate and authorize requests based on the IAM principal's identity policy and the function's resource-based policy. Choose this option if you want only authenticated users and roles to invoke your function via the function URL. + * `AWS_IAM` – Lambda uses AWS Identity and Access Management (IAM) to authenticate and authorize requests based on the IAM principal's identity policy and the function's resource-based policy. Choose this option if you want only authenticated users and roles to invoke your function using the function URL. @@ -23,3 +27 @@ The `AuthType` parameter determines how Lambda authenticates or authorizes reque -In addition to `AuthType`, you can also use resource-based policies to grant permissions to other AWS accounts to invoke your function. For more information, see [Viewing resource-based IAM policies in Lambda](./access-control-resource-based.html). - -For additional insights into security, you can use AWS Identity and Access Management Access Analyzer to get a comprehensive analysis of external access to your function URL. IAM Access Analyzer also monitors for new or updated permissions on your Lambda functions to help you identify permissions that grant public and cross-account access. IAM Access Analyzer is free to use for any AWS customer. To get started with IAM Access Analyzer, see [Using AWS IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html). +For additional insights into security, you can use AWS Identity and Access Management Access Analyzer to get a comprehensive analysis of external access to your function URL. IAM Access Analyzer also monitors for new or updated permissions on your Lambda functions to help you identify permissions that grant public and cross-account access. You can use IAM Access Analyzer at no charge. To get started with IAM Access Analyzer, see [Using AWS IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html). @@ -27 +29 @@ For additional insights into security, you can use AWS Identity and Access Manag -This page contains examples of resource-based policies for both auth types, and also how to create these policies using the [AddPermission](https://docs.aws.amazon.com/lambda/latest/api/API_AddPermission.html) API operation or the Lambda console. For information on how to invoke your function URL after you've set up permissions, see [Invoking Lambda function URLs](./urls-invocation.html). +This page contains examples of resource-based policies for both auth types, and how to create these policies using the [AddPermission](https://docs.aws.amazon.com/lambda/latest/api/API_AddPermission.html) API operation or the Lambda console. For information about how to invoke your function URL after you've set up permissions, see [Invoking Lambda function URLs](./urls-invocation.html). @@ -42 +44 @@ This page contains examples of resource-based policies for both auth types, and -If you choose the `AWS_IAM` auth type, users who need to invoke your Lambda function URL must have the `lambda:InvokeFunctionUrl` permission. Depending on who makes the invocation request, you may have to grant this permission using a resource-based policy. +If you choose the `AWS_IAM` auth type, users who need to invoke your Lambda function URL must have the `lambda:InvokeFunctionUrl` and `lambda:InvokeFunction` permissions. Depending on who makes the invocation request, you might have to grant this permission using a [resource-based policy](./access-control-resource-based.html). @@ -44 +46 @@ If you choose the `AWS_IAM` auth type, users who need to invoke your Lambda func -If the principal making the request is in the same AWS account as the function URL, then the principal must **either** have `lambda:InvokeFunctionUrl` permissions in their [identity-based policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html), **or** have permissions granted to them in the function's resource-based policy. In other words, a resource-based policy is optional if the user already has `lambda:InvokeFunctionUrl` permissions in their identity-based policy. Policy evaluation follows the rules outlined in [Determining whether a request is allowed or denied within an account](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow). +If the principal making the request is in the same AWS account as the function URL, then the principal must **either** have `lambda:InvokeFunctionUrl` and `lambda:InvokeFunction` permissions in their [identity-based policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html), **or** have permissions granted to them in the function's resource-based policy. In other words, a resource-based policy is optional if the user already has `lambda:InvokeFunctionUrl` and `lambda:InvokeFunction` permissions in their identity-based policy. Policy evaluation follows the rules outlined in [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html). @@ -46 +48 @@ If the principal making the request is in the same AWS account as the function U -If the principal making the request is in a different account, then the principal must have **both** an identity-based policy that gives them `lambda:InvokeFunctionUrl` permissions **and** permissions granted to them in a resource-based policy on the function that they are trying to invoke. In these cross-account cases, policy evaluation follows the rules outlined in [Determining whether a cross-account request is allowed](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.html#policy-eval-cross-account). +If the principal making the request is in a different account, then the principal must have **both** an identity-based policy that gives them `lambda:InvokeFunctionUrl` and `lambda:InvokeFunction` permissions **and** permissions granted to them in a resource-based policy on the function that they are trying to invoke. Policy evaluation follows the rules outlined in [Determining whether a cross-account request is allowed](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.html#policy-eval-cross-account). @@ -48,8 +50 @@ If the principal making the request is in a different account, then the principa -For an example cross-account interaction, the following resource-based policy allows the `example` role in AWS account `444455556666` to invoke the function URL associated with function `my-function`: - -###### Example function URL cross-account invoke policy - -JSON - - -**** +The following resource-based policy allows the `example` role in AWS account `444455556666` to invoke the function URL associated with function `my-function`. The [lambda:InvokedViaFunctionUrl](https://docs.aws.amazon.com/lambda/latest/api/API_AddPermission.html#lambda-AddPermission-request-InvokedViaFunctionUrl) context key restricts the `lambda:InvokeFunction` action to function URL calls. This means that the principal must use the function URL to invoke the function. If you don't include `lambda:InvokedViaFunctionUrl`, the principal can invoke your function through other invocation methods, in addition to the function URL. @@ -56,0 +52 @@ JSON +###### Example — Cross-account resource-based policy @@ -73,0 +70,13 @@ JSON + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::444455556666:role/example" + }, + "Action": "lambda:InvokeFunction", + "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function", + "Condition": { + "Bool": { + "lambda:InvokedViaFunctionUrl": "true" + } + } @@ -79 +88 @@ JSON -You can create this policy statement through the console by following these steps: +You can create this resource-based policy through the console using the following steps: @@ -95 +104 @@ You can create this policy statement through the console by following these step - 7. (Optional) For **Statement ID** , enter a statement ID for your policy statement. + 7. Enter a **Statement ID** for your policy statement. @@ -97 +106 @@ You can create this policy statement through the console by following these step - 8. For **Principal** , enter account ID or the Amazon Resource Name (ARN) of the user or role that you want to grant permissions to. For example: `444455556666`. + 8. For **Principal** , enter the account ID or the Amazon Resource Name (ARN) of the user or role that you want to grant permissions to. For example: `444455556666`. @@ -104 +113 @@ You can create this policy statement through the console by following these step -Alternatively, you can create this policy statement using the following [add-permission](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-permission.html) AWS Command Line Interface (AWS CLI) command: +Alternatively, you can create this policy using the following [add-permission](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-permission.html) AWS Command Line Interface (AWS CLI) commands. When you use the AWS CLI, you must add the `lambda:InvokeFunctionUrl` and `lambda:InvokeFunction` statements separately. For example: @@ -108 +117 @@ Alternatively, you can create this policy statement using the following [add-per - --statement-id example0-cross-account-statement \ + --statement-id UrlPolicyInvokeURL \ @@ -113 +122,6 @@ Alternatively, you can create this policy statement using the following [add-per -In the previous example, the `lambda:FunctionUrlAuthType` condition key value is `AWS_IAM`. This policy only allows access when your function URL's auth type is also `AWS_IAM`. + + aws lambda add-permission --function-name my-function \ + --statement-id UrlPolicyInvokeFunction \ + --action lambda:InvokeFunction \ + --principal 444455556666 + --invoked-via-function-url true @@ -119 +133 @@ In the previous example, the `lambda:FunctionUrlAuthType` condition key value is -When your function URL auth type is `NONE` and you have a resource-based policy that grants public access, any unauthenticated user with your function URL can invoke your function. +When your function URL auth type is `NONE` and you have a [resource-based policy](./access-control-resource-based.html) that grants public access, any unauthenticated user with your function URL can invoke your function. @@ -121 +135 @@ When your function URL auth type is `NONE` and you have a resource-based policy -In some cases, you may want your function URL to be public. For example, you might want to serve requests made directly from a web browser. To allow public access to your function URL, choose the `NONE` auth type. +In some cases, you might want your function URL to be public. For example, you might want to serve requests made directly from a web browser. To allow public access to your function URL, choose the `NONE` auth type. @@ -123 +137 @@ In some cases, you may want your function URL to be public. For example, you mig -If you choose the `NONE` auth type, Lambda doesn't use IAM to authenticate requests to your function URL. However, users must still have `lambda:InvokeFunctionUrl` permissions in order to successfully invoke your function URL. You can grant `lambda:InvokeFunctionUrl` permissions using the following resource-based policy: +If you choose the `NONE` auth type, Lambda doesn't use IAM to authenticate requests to your function URL. However, your function must have a resource-based policy that allows `lambda:InvokeFunctionUrl` and `lambda:InvokeFunction`. When you create a function URL with auth type `NONE` using the console or AWS Serverless Application Model (AWS SAM), Lambda automatically creates the resource-based policy for you. If you're using the AWS CLI, AWS CloudFormation, or the Lambda API directly, you must add the policy yourself. @@ -125 +139 @@ If you choose the `NONE` auth type, Lambda doesn't use IAM to authenticate reque -###### Example function URL invoke policy for all unauthenticated principals +We recommend that you include the [lambda:InvokedViaFunctionUrl](https://docs.aws.amazon.com/lambda/latest/api/API_AddPermission.html#lambda-AddPermission-request-InvokedViaFunctionUrl) context key in your resource-based policies when using the `NONE` auth type. This context key ensures that the function can only be invoked through the function URL and not through other invocation methods. @@ -127 +141 @@ If you choose the `NONE` auth type, Lambda doesn't use IAM to authenticate reque -JSON +Note the following about this policy: @@ -128,0 +143 @@ JSON + * All entities can call `lambda:InvokeFunctionUrl` and `lambda:InvokeFunction`. This means that anyone who has your function URL can invoke your function. @@ -130 +145,3 @@ JSON -**** + * The `lambda:FunctionUrlAuthType` condition key value is `NONE`. This means that the policy statement allows access only when your function URL's auth type is also `NONE`. + + * The `lambda:InvokedViaFunctionUrl` condition ensures that the function can only be invoked through the function URL and not through other invocation methods. @@ -133,0 +151,4 @@ JSON + +###### Example — Default resource-based policy for NONE auth type + + @@ -137,0 +159 @@ JSON + "Sid": "FunctionURLAllowPublicAccess", @@ -141 +163 @@ JSON - "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function", + "Resource": "arn:aws:lambda:us-east-2:123456789012:function:my-function", @@ -146,0 +169,12 @@ JSON + }, + { + "Sid": "FunctionURLInvokeAllowPublicAccess", + "Effect": "Allow", + "Principal": "*", + "Action": "lambda:InvokeFunction", + "Resource": "arn:aws:lambda:us-east-2:123456789012:function:my-function", + "Condition": { + "Bool": { + "lambda:InvokedViaFunctionUrl": "true" + } + } @@ -150,0 +185 @@ JSON +###### Create the resource-based policy using the AWS CLI @@ -152 +187 @@ JSON -###### Note +Unless you use the console or AWS SAM to create a function URL with auth type `NONE`, you must add the resource-based policy yourself. Use the following commands to create statements for the `lambda:InvokeFunctionUrl` and `lambda:InvokeFunction` permissions. Each statement must be added in a separate command. @@ -154 +188,0 @@ JSON -When you create a function URL with auth type `NONE` via the console or AWS Serverless Application Model (AWS SAM), Lambda automatically creates the preceding resource-based policy statement for you. If the policy already exists, or the user or role creating the application doesn't have the appropriate permissions, then Lambda won't create it for you. If you're using the AWS CLI, AWS CloudFormation, or the Lambda API directly, you must add `lambda:InvokeFunctionUrl` permissions yourself. This makes your function public. @@ -156 +190,6 @@ When you create a function URL with auth type `NONE` via the console or AWS Serv -In addition, if you delete your function URL with auth type `NONE`, Lambda doesn't automatically delete the associated resource-based policy. If you want to delete this policy, you must manually do so. + aws lambda add-permission \ + --function-name UrlTestFunction \ + --statement-id UrlPolicyInvokeURL \ + --action lambda:InvokeFunctionUrl \ + --principal * \ + --function-url-auth-type NONE @@ -158 +196,0 @@ In addition, if you delete your function URL with auth type `NONE`, Lambda doesn -In this statement, the `lambda:FunctionUrlAuthType` condition key value is `NONE`. This policy statement allows access only when your function URL's auth type is also `NONE`. @@ -160 +198,12 @@ In this statement, the `lambda:FunctionUrlAuthType` condition key value is `NONE -If a function's resource-based policy doesn't grant `lambda:invokeFunctionUrl` permissions, then users will get a 403 Forbidden error code when they try to invoke your function URL, even if the function URL uses the `NONE` auth type. + aws lambda add-permission \ + --function-name UrlTestFunction \ + --statement-id UrlPolicyInvokeFunction \ + --action lambda:InvokeFunction \ + --principal * \ + --invoked-via-function-url true + +###### Note + +If you delete a function URL with auth type `NONE`, Lambda doesn't automatically delete the associated resource-based policy. If you want to delete this policy, you must manually do so. + +If a function's resource-based policy doesn't grant `lambda:invokeFunctionUrl` and `lambda:InvokeFunction` permissions, users will get a 403 Forbidden error code when they try to invoke your function URL. This will occur even if the function URL uses the `NONE` auth type. @@ -181,4 +229,0 @@ In addition to function URL invocation permissions, you can also control access -###### Note - -The Lambda console supports adding permissions only for `lambda:InvokeFunctionUrl`. For all other actions, you must add permissions using the Lambda API or AWS CLI. - @@ -213 +258,8 @@ JSON -For fine-grained access control over your function URLs, use a condition key. Lambda supports one additional condition key for function URLs: `FunctionUrlAuthType`. The `FunctionUrlAuthType` key defines an enum value describing the auth type that your function URL uses. The value can be either `AWS_IAM` or `NONE`. +For fine-grained access control over your function URLs, use condition context keys. Lambda supports the following context keys for function URLs: + + * `lambda:FunctionUrlAuthType` – Defines an enum value describing the auth type that your function URL uses. The value can be either `AWS_IAM` or `NONE`. + + * `lambda:InvokedViaFunctionUrl` – Restricts the `lambda:InvokeFunction` action to calls made through the function URL. This ensures that the function can only be invoked using the function URL and not through other invocation methods. For examples of resource-based policies that use the `lambda:InvokedViaFunctionUrl` context key, see the examples in Using the AWS_IAM auth type and Using the AWS_IAM auth type. + + + @@ -215 +267 @@ For fine-grained access control over your function URLs, use a condition key. La -You can use this condition key in policies associated with your function. For example, you might want to restrict who can make configuration changes to your function URLs. To deny all `UpdateFunctionUrlConfig` requests to any function with URL auth type `NONE`, you can define the following policy: +You can use these context keys in policies associated with your function. For example, you might want to restrict who can make configuration changes to your function URLs. To deny all `UpdateFunctionUrlConfig` requests to any function with URL auth type `NONE`, you can define the following policy: