 

Restrict Lambda function URL access to CloudFront

AWS have recently released the Lambda function URLs feature which allows a function to be invoked via a URL.

I would like to allow my function to be invoked via a URL but only via CloudFront.

I don't want people to be able to bypass CloudFront and invoke the function directly.

Is there a way to configure this? I am aware that I can restrict the function URL by setting the auth type to AWS_IAM but am not clear on how I then allow CloudFront to call it.

Michael Avatar asked Apr 30 '26 09:04



2 Answers

Update April 2024

Amazon finally shipped this feature:

  • Press Release
  • Documentation

Similarly to how you would secure an S3 origin with Origin Access Control (OAC), you can now secure your Lambda function URL with the same mechanism.

Original answer

Currently, the only option I see is quite similar to how you would protect an ALB in a way that access is restricted to CloudFront:

  1. Configure CloudFront to add a custom HTTP header to requests that it sends to the Lambda function URL.

  2. Configure the Lambda to only process requests that contain the custom HTTP header.

My thoughts on approaches that may not work when using lambda function URLs:

  • IAM auth (since I see no way to sign these requests originating from CloudFront, maybe that will change in the future when lambda function URLs become a first class citizen like S3-origins)
  • restricting access via security groups (because there are no SGs for lambda func URLs)
mana Avatar answered May 03 '26 23:05

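The header check from the original answer above, written out as an added example (my code, not the answerer's): a function URL handler in Python that accepts a request only when it carries the custom header CloudFront was configured to add on its origin requests. The header name x-origin-verify, the environment variable ORIGIN_VERIFY_SECRET and the sample events are assumptions constructed for this example.

```python
import hmac
import json
import os

# Custom header CloudFront is configured to add to every origin request.
# The name is an assumption; any name works as long as the CloudFront origin
# configuration and the function agree on it.
ORIGIN_HEADER = "x-origin-verify"


def expected_secret():
    """Shared secret, read from the function's environment at runtime.

    The fallback is a constructed placeholder so the example runs stand-alone;
    in a deployment set ORIGIN_VERIFY_SECRET to a long random value and put
    the same value in the CloudFront origin's custom header.
    """
    return os.environ.get("ORIGIN_VERIFY_SECRET", "constructed-example-secret")


def request_is_from_cloudfront(event, secret=None):
    """True only if the request carries the header with the expected value.

    Function URL events (payload format 2.0) expose headers under
    event["headers"] with lower-cased names. A missing header, a wrong value
    or an event without headers all yield False; the comparison is
    constant-time so timing does not reveal how much of the value matched.
    """
    secret = expected_secret() if secret is None else secret
    headers = event.get("headers") or {}
    presented = headers.get(ORIGIN_HEADER, "")
    return hmac.compare_digest(presented.encode(), secret.encode())


def lambda_handler(event, context=None):
    """Function URL entry point: reject anything that did not come via CloudFront."""
    if not request_is_from_cloudfront(event):
        return {
            "statusCode": 403,
            "headers": {"content-type": "application/json"},
            "body": json.dumps({"message": "Forbidden"}),
        }
    return {
        "statusCode": 200,
        "headers": {"content-type": "application/json"},
        "body": json.dumps({"message": "hello via CloudFront"}),
    }


if __name__ == "__main__":
    # Constructed sample events: one carrying the header CloudFront would add,
    # one direct call that bypassed CloudFront.
    host = "example.lambda-url.eu-west-1.on.aws"
    via_cloudfront = {"headers": {"x-origin-verify": expected_secret(), "host": host}}
    direct = {"headers": {"host": host}}
    print(lambda_handler(via_cloudfront)["statusCode"])
    print(lambda_handler(direct)["statusCode"])
```

With this pattern the function URL itself stays reachable (auth type NONE), so the protection is only as strong as the shared secret: keep it out of source control, rotate it by updating the CloudFront origin header and the environment variable together, and make sure the viewer-facing cache behaviour does not forward a client-supplied header of the same name, otherwise a caller could supply it themselves. The IAM-signed OAC route in the update above removes that secret-handling burden entirely.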


There appears to be undocumented, native support for CloudFront signing of requests to Lambda Function URL origins. Neither Terraform nor the AWS Console support creating an Origin Access Control with origin type lambda, but the AWS CLI will happily create one. I verified with this OAC CloudFront does sign the requests and that Lambda successfully verifies them.

I wrote instructions in a blog post to implement via the CLI or Terraform: https://www.micah.soy/posts/lock-down-lambda-function-access-with-cloudfront/

I also opened an issue with the Terraform AWS Provider to add support for this value in the resource schema: https://github.com/hashicorp/terraform-provider-aws/issues/36660

Micah Henning Avatar answered May 03 '26 23:05

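For the OAC route described in the April 2024 update of the first answer and in the answer above, here is an added audit example (my code, not from either answer, from AWS or from the linked blog post). It checks a function URL configuration and the function's resource policy for the two things an OAC lockdown needs: auth type AWS_IAM, and an invoke permission granted to the cloudfront.amazonaws.com service principal and pinned to one distribution's ARN through the AWS:SourceArn condition. It also flags any statement that grants lambda:InvokeFunctionUrl to every principal. The account, function and distribution ids in the sample policies are placeholders I constructed; the input shapes follow the output of `aws lambda get-function-url-config` and `aws lambda get-policy`.

```python
import json

INVOKE_URL_ACTION = "lambda:InvokeFunctionUrl"
CLOUDFRONT_SERVICE = "cloudfront.amazonaws.com"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_invoke_url(statement):
    """True if the statement's Action covers invoking the function URL."""
    actions = _as_list(statement.get("Action"))
    return any(a in (INVOKE_URL_ACTION, "lambda:*", "*") for a in actions)


def audit_function_url_lockdown(url_config, policy_document, distribution_arn):
    """Return a list of findings; an empty list means the URL is locked to the distribution.

    url_config       -- dict like `aws lambda get-function-url-config` output
    policy_document  -- the Policy string from `aws lambda get-policy` (or a parsed dict)
    distribution_arn -- ARN of the one CloudFront distribution allowed to invoke
    """
    findings = []
    auth_type = url_config.get("AuthType")
    if auth_type != "AWS_IAM":
        findings.append("function URL AuthType is %r; OAC signing requires AWS_IAM" % auth_type)

    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    pinned_to_distribution = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _grants_invoke_url(stmt):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append("statement %s grants %s to any principal" % (sid, INVOKE_URL_ACTION))
            continue
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if CLOUDFRONT_SERVICE not in services:
            continue
        condition = stmt.get("Condition") or {}
        source_arns = _as_list((condition.get("StringEquals") or {}).get("AWS:SourceArn"))
        if distribution_arn in source_arns:
            pinned_to_distribution = True
        else:
            findings.append("statement %s lets CloudFront invoke without pinning AWS:SourceArn to %s"
                            % (sid, distribution_arn))
    if not pinned_to_distribution:
        findings.append("no Allow statement grants %s to %s with AWS:SourceArn = %s"
                        % (INVOKE_URL_ACTION, CLOUDFRONT_SERVICE, distribution_arn))
    return findings


# Constructed sample inputs (placeholder account, function and distribution ids).
DISTRIBUTION_ARN = "arn:aws:cloudfront::123456789012:distribution/EXAMPLE123"
FUNCTION_ARN = "arn:aws:lambda:eu-west-1:123456789012:function:example-fn"

# What the policy should look like after `aws lambda add-permission` for the OAC:
# CloudFront service principal, invoke-URL action, pinned to one distribution.
LOCKED_DOWN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipal",
        "Effect": "Allow",
        "Principal": {"Service": CLOUDFRONT_SERVICE},
        "Action": INVOKE_URL_ACTION,
        "Resource": FUNCTION_ARN,
        "Condition": {"StringEquals": {"AWS:SourceArn": DISTRIBUTION_ARN}},
    }],
})

# A public-access statement of the kind that accompanies an auth type NONE URL:
# any principal may invoke, which is exactly the bypass the question wants to close.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "FunctionURLAllowPublicAccess",
        "Effect": "Allow",
        "Principal": "*",
        "Action": INVOKE_URL_ACTION,
        "Resource": FUNCTION_ARN,
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
    }],
})

if __name__ == "__main__":
    for label, cfg, pol in (("locked", {"AuthType": "AWS_IAM"}, LOCKED_DOWN_POLICY),
                            ("public", {"AuthType": "NONE"}, PUBLIC_POLICY)):
        print(label, audit_function_url_lockdown(cfg, pol, DISTRIBUTION_ARN) or "OK")
```

Run it against the real outputs of the two CLI calls named in the docstring to confirm a deployment matches what the update and the answer above describe; the SourceArn check is the part that matters, because a grant to cloudfront.amazonaws.com without it would let any distribution in any account that uses an OAC invoke the function.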
