Loading

AWS Lambda Function URL Created with Public Access

Identifies the creation or update of an AWS Lambda function URL configured with an authentication type of NONE, which exposes the function to unauthenticated invocation directly from the public internet. Adversaries can use a public function URL to establish a durable, internet-reachable entry point for command and control, data egress, or on-demand execution of attacker-controlled code, bypassing the need for valid AWS credentials to invoke the function. Function URLs with public access should be rare and deliberate, so this configuration warrants review.

Rule type: eql
Rule indices:

  • logs-aws.cloudtrail-*

Rule Severity: high
Risk Score: 73
Runs every: 5m
Searches indices from: now-6m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS Lambda
  • Use Case: Threat Detection
  • Tactic: Persistence
  • Tactic: Defense Evasion
  • Resources: Investigation Guide

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

A Lambda function URL is a dedicated HTTPS endpoint for a function. When configured with authType=NONE, anyone on the internet can invoke the function without AWS authentication. Adversaries use this to create a public, persistent entry point for command and control, data exfiltration, or running attacker-controlled code without needing AWS credentials.

This rule detects successful CreateFunctionUrlConfig and UpdateFunctionUrlConfig calls where the auth type is set to NONE.

  • Identify the actor in aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.type, and review source.ip and user_agent.original to determine how the change was made.
  • Inspect aws.cloudtrail.request_parameters for the functionName and the auth type, and review aws.cloudtrail.response_elements for the resulting functionUrl.
  • Determine whether the function is intended to be public and whether the owning team requested an unauthenticated endpoint.
  • Review the function's code, execution role, and recent changes (UpdateFunctionCode, UpdateFunctionConfiguration, AddPermission) for signs of tampering.
  • Correlate with other activity by the same principal, and check the function's invocation and access logs for traffic from unexpected sources after the URL was exposed.
  • Public webhooks, simple APIs, and front-end integrations sometimes use unauthenticated function URLs intentionally. Confirm the exposure is approved and exclude known public endpoints on functionName or aws.cloudtrail.user_identity.arn after validation.
  • If the exposure is unauthorized, change the function URL auth type to AWS_IAM or delete the function URL configuration, and review the function code and execution role for compromise.
  • Examine invocation logs for unauthenticated requests received while the URL was public and assess potential impact.
  • Rotate or restrict credentials for the principal if compromise is suspected, and constrain lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig to trusted roles.
any where data_stream.dataset == "aws.cloudtrail"
    and event.provider == "lambda.amazonaws.com"
    and event.outcome == "success"
    and (event.action : "CreateFunctionUrlConfig*" or event.action : "UpdateFunctionUrlConfig*")
    and stringContains(aws.cloudtrail.request_parameters, "authType=NONE")
		

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK