AWS Lambda Function URL Created with Public Access

Identifies the creation or update of an AWS Lambda function URL configured with an authentication type of NONE, which exposes the function to unauthenticated invocation directly from the public internet. Adversaries can use a public function URL to establish a durable, internet-reachable entry point for command and control, data egress, or on-demand execution of attacker-controlled code, bypassing the need for valid AWS credentials to invoke the function. Function URLs with public access should be rare and deliberate, so this configuration warrants review.

Elastic rule

[metadata]
creation_date = "2026/06/18"
integration = ["aws"]
maturity = "production"
updated_date = "2026/06/18"

[rule]
author = ["Elastic"]
description = """
Identifies the creation or update of an AWS Lambda function URL configured with an authentication type of NONE, which
exposes the function to unauthenticated invocation directly from the public internet. Adversaries can use a public
function URL to establish a durable, internet-reachable entry point for command and control, data egress, or on-demand
execution of attacker-controlled code, bypassing the need for valid AWS credentials to invoke the function. Function
URLs with public access should be rare and deliberate, so this configuration warrants review.
"""
false_positives = [
    """
    Some public-facing applications, webhooks, and lightweight APIs legitimately use Lambda function URLs with no
    authentication and enforce access control elsewhere. Verify the function, the principal in
    `aws.cloudtrail.user_identity.arn`, and the intended exposure with the owning team. Known public endpoints can be
    excluded after validation.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "AWS Lambda Function URL Created with Public Access"
note = """## Triage and analysis

### Investigating AWS Lambda Function URL Created with Public Access

A Lambda function URL is a dedicated HTTPS endpoint for a function. When configured with `authType=NONE`, anyone on the internet can invoke the function without AWS authentication. Adversaries use this to create a public, persistent entry point for command and control, data exfiltration, or running attacker-controlled code without needing AWS credentials.

This rule detects successful `CreateFunctionUrlConfig` and `UpdateFunctionUrlConfig` calls where the auth type is set to NONE.

### Possible investigation steps

- Identify the actor in `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type`, and review `source.ip` and `user_agent.original` to determine how the change was made.
- Inspect `aws.cloudtrail.request_parameters` for the `functionName` and the auth type, and review `aws.cloudtrail.response_elements` for the resulting `functionUrl`.
- Determine whether the function is intended to be public and whether the owning team requested an unauthenticated endpoint.
- Review the function's code, execution role, and recent changes (`UpdateFunctionCode`, `UpdateFunctionConfiguration`, `AddPermission`) for signs of tampering.
- Correlate with other activity by the same principal, and check the function's invocation and access logs for traffic from unexpected sources after the URL was exposed.

### False positive analysis

- Public webhooks, simple APIs, and front-end integrations sometimes use unauthenticated function URLs intentionally. Confirm the exposure is approved and exclude known public endpoints on `functionName` or `aws.cloudtrail.user_identity.arn` after validation.

### Response and remediation

- If the exposure is unauthorized, change the function URL auth type to `AWS_IAM` or delete the function URL configuration, and review the function code and execution role for compromise.
- Examine invocation logs for unauthenticated requests received while the URL was public and assess potential impact.
- Rotate or restrict credentials for the principal if compromise is suspected, and constrain `lambda:CreateFunctionUrlConfig` and `lambda:UpdateFunctionUrlConfig` to trusted roles.

### Additional information

- [Lambda function URLs](https://docs.aws.amazon.com/lambda/latest/dg/lambda-urls.html)
- [Security and auth model for Lambda function URLs](https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html)
"""
references = [
    "https://docs.aws.amazon.com/lambda/latest/dg/lambda-urls.html",
    "https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html",
]
risk_score = 73
rule_id = "53bb8f53-3550-4805-b6bd-728ded8d5564"
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS Lambda",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where data_stream.dataset == "aws.cloudtrail"
    and event.provider == "lambda.amazonaws.com"
    and event.outcome == "success"
    and (event.action : "CreateFunctionUrlConfig*" or event.action : "UpdateFunctionUrlConfig*")
    and stringContains(aws.cloudtrail.request_parameters, "authType=NONE")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1133"
name = "External Remote Services"
reference = "https://attack.mitre.org/techniques/T1133/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1578"
name = "Modify Cloud Compute Infrastructure"
reference = "https://attack.mitre.org/techniques/T1578/"
[[rule.threat.technique.subtechnique]]
id = "T1578.005"
name = "Modify Cloud Compute Configurations"
reference = "https://attack.mitre.org/techniques/T1578/005/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "aws.cloudtrail.user_identity.session_context.session_issuer.arn",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
]
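To show what the EQL query above actually matches and what it deliberately ignores, here is an added Python mirror of the rule's predicate run over constructed CloudTrail records; this is not Elastic's code, and the flattened `{key=value, ...}` rendering of `requestParameters` is an assumption about how the AWS integration stores `aws.cloudtrail.request_parameters`. The four sample records cover a public URL being created, a remediation to `AWS_IAM`, a denied attempt, and an update to NONE made from an assumed role.

```python
def cloudtrail_to_ecs(rec):
    """Map the raw CloudTrail fields the rule uses onto their ECS names. The Elastic
    AWS integration stores requestParameters as a flattened "{k=v, ...}" string
    (hence stringContains in the rule); that rendering is assumed here."""
    params = rec.get("requestParameters") or {}
    return {
        "event.provider": rec.get("eventSource"),
        "event.action": rec.get("eventName") or "",
        # CloudTrail has no outcome field: an errorCode means the call failed.
        "event.outcome": "failure" if rec.get("errorCode") else "success",
        "aws.cloudtrail.request_parameters": "{%s}" % ", ".join(f"{k}={v}" for k, v in params.items()),
        "aws.cloudtrail.user_identity.arn": rec.get("userIdentity", {}).get("arn"),
        "aws.cloudtrail.response_elements": rec.get("responseElements") or {},
    }

def is_public_function_url(ev):
    """The rule's predicate: successful Create/UpdateFunctionUrlConfig with authType=NONE."""
    return (ev["event.provider"] == "lambda.amazonaws.com"
            and ev["event.outcome"] == "success"
            and ev["event.action"].startswith(("CreateFunctionUrlConfig", "UpdateFunctionUrlConfig"))
            and "authType=NONE" in ev["aws.cloudtrail.request_parameters"])

def find_public_url_alerts(records):
    """Run the predicate over raw records; return the fields the triage guide starts from."""
    alerts = []
    for ev in map(cloudtrail_to_ecs, records):
        if is_public_function_url(ev):
            alerts.append({"actor": ev["aws.cloudtrail.user_identity.arn"], "action": ev["event.action"],
                           "function_url": ev["aws.cloudtrail.response_elements"].get("functionUrl")})
    return alerts

def ct(event_name, auth_type, arn="arn:aws:iam::123456789012:user/alice", error=None, url=None):
    """Build a minimal constructed CloudTrail record (sample data, not real telemetry)."""
    rec = {"eventSource": "lambda.amazonaws.com", "eventName": event_name, "userIdentity": {"arn": arn},
           "requestParameters": {"functionName": "orders-api", "authType": auth_type}}
    if error:
        rec["errorCode"] = error
    if url:
        rec["responseElements"] = {"functionUrl": url}
    return rec

SAMPLE_EVENTS = [
    ct("CreateFunctionUrlConfig", "NONE", url="https://abc123.lambda-url.us-east-1.on.aws/"),
    ct("UpdateFunctionUrlConfig", "AWS_IAM"),                              # remediation, not public
    ct("CreateFunctionUrlConfig", "NONE", error="AccessDeniedException"),  # denied call, nothing exposed
    ct("UpdateFunctionUrlConfig", "NONE", arn="arn:aws:sts::123456789012:assumed-role/deploy/ci"),
]
```

Only the first and last records alert; the `AWS_IAM` update and the denied call fall outside the rule, which is why the investigation guide asks you to pull `functionUrl` from `response_elements` rather than assuming every matching event produced a reachable endpoint.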