Given that the function URL is public, if an attacker gets hold of the correct URL, the attacker can execute a DDoS attack using the URL and max out the reserved concurrency limit for the Lambda function, resulting in a higher execution cost.
Possible Solutions:
- Have a CloudWatch alarm notify when the Lambda function invocation count passes a specified threshold over a duration of time
- Have a script that automatically creates a new Lambda URL and updates the URL for the webhook source
- Use `AWS_IAM` authentication for the Lambda function URL and create a pre-signed function URL using machine user credentials that are allowed to invoke the URL. The URL will use AWS V4 signature authentication that's provided within the query parameters, since the webhook source predetermines the headers. The signature will not include the payload, since the payload is dynamic.
Steps:
- Create a machine IAM user that will sign the approval request's query parameter authorization
- The user will need IAM permission to invoke the function
- The module will provision the machine user
- The machine user will be stored as an SSM SecureString as `{"key": <key>, "secret": <secret>}`
- The approval request will use the access key to create the AWS V4 query string
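As an added example (not code from this issue or the project it belongs to), here is the query-string SigV4 presigning the third solution describes, written against the standard library only, together with a `verify` function that recomputes the signature and enforces the `X-Amz-Expires` window so the roundtrip can be tested offline. The function names, the host `abc123.lambda-url.us-east-1.on.aws` and the credentials used in tests are constructed placeholders, and the example assumes the only signed header is `Host` and the body is sent as `UNSIGNED-PAYLOAD` (whether the function URL service accepts that for a given method is not asserted here).

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

ALGO, UNSIGNED = "AWS4-HMAC-SHA256", "UNSIGNED-PAYLOAD"  # body is dynamic, so it stays out of the signature


def _signature(method, host, path, params, secret, region, service="lambda"):
    """SigV4 signature for a query-string-authenticated request whose only signed header is Host."""
    canonical_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))
    canonical_request = "\n".join([method, quote(path, safe="/-_.~"), canonical_query, f"host:{host}\n", "host", UNSIGNED])
    amz_date = params["X-Amz-Date"]
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGO, amz_date, scope, hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = f"AWS4{secret}".encode()  # signing key derivation: date -> region -> service -> aws4_request
    for part in (amz_date[:8], region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign(url, access_key, secret, region, method="POST", expires=300, now=None):
    """Return the function URL with SigV4 auth carried in its query string (URL is assumed to have no query yet)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    u, amz_date = urlsplit(url), now.strftime("%Y%m%dT%H%M%SZ")
    params = {"X-Amz-Algorithm": ALGO,
              "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/lambda/aws4_request",
              "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires), "X-Amz-SignedHeaders": "host"}
    params["X-Amz-Signature"] = _signature(method, u.netloc, u.path or "/", params, secret, region)
    return f"{u.scheme}://{u.netloc}{u.path or '/'}?{urlencode(params)}"


def verify(url, secrets, region, method="POST", now=None):
    """Recompute the signature and enforce the X-Amz-Expires window; True only for a valid, unexpired URL."""
    now = now or dt.datetime.now(dt.timezone.utc)
    u = urlsplit(url)
    params = dict(parse_qsl(u.query))
    presented = params.pop("X-Amz-Signature", "")
    try:
        signed_at = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
        window = dt.timedelta(seconds=int(params["X-Amz-Expires"]))
        secret = secrets[params["X-Amz-Credential"].split("/")[0]]  # secret for the presented access key id
    except (KeyError, ValueError):
        return False
    if not signed_at <= now <= signed_at + window:
        return False
    expected = _signature(method, u.netloc, u.path or "/", params, secret, region)
    return hmac.compare_digest(expected.encode(), presented.encode())
```

Because the body is not part of the signature, the same presigned URL is valid for any payload until `X-Amz-Expires` elapses, so keep the expiry short and alarm on invocation counts as the first solution suggests.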