Function URL security risks #4

Open
marshall7m opened this issue Aug 7, 2022 · 0 comments
Labels
enhancement New feature or request

Comments

@marshall7m
Owner

Given that the function URL is public, if an attacker gets hold of the correct URL, the attacker can execute a DDoS attack using the URL and max out the reserved concurrency limit for the Lambda function, resulting in a higher execution cost.

Possible solutions:
- Have a CloudWatch alarm notify when the Lambda function invocation count passes a specified threshold over a duration of time
- Have a script that automatically creates a new Lambda URL and updates the URL for the webhook source
- Use AWS_IAM authentication for the Lambda function URL and create a pre-signed function URL using machine user credentials that are allowed to invoke the URL. The URL will use AWS V4 signature authentication provided within the query parameters, since the webhook source predetermines the headers. The signature will not include the payload, since the payload is dynamic.

Steps:
    - create a machine IAM user that will sign the approval request query parameter authorization
    - the user will need IAM permission to invoke the function
    - the module will provision the machine user
    - the machine user credentials will be stored as an SSM SecureString as {"key": <key>, "secret": <secret>}
    - the approval request will use the access key to create the AWS V4 query string
@marshall7m marshall7m added the enhancement New feature or request label Aug 14, 2022
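The third option above (SigV4 authentication carried in the query string, signed headers limited to `host`, payload left unsigned) is the one worth seeing end to end. The following is an added example written for this issue; it is not code from this repository and not the project's implementation. It implements the documented SigV4 query-string signing steps from scratch with the standard library (the `botocore` signer would normally be used instead), and pairs the signer with a verifier that recomputes the signature the way the service side does, so the failure modes are visible: a clock past `X-Amz-Expires`, a tampered query parameter, or a wrong secret all reject, while a changed request body does not, because `UNSIGNED-PAYLOAD` is what is signed. The access key, secret key and function URL host are constructed placeholders, the `/approve` path and `request_id` parameter are hypothetical, and whether Lambda function URLs accept an unsigned payload for query-string-signed requests is assumed here, not verified.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"
SERVICE = "lambda"  # credential scope service for Lambda function URLs

# Constructed placeholder credentials and URL (not real, not from the project).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
FUNCTION_URL = "https://abc123def456.lambda-url.us-east-1.on.aws/approve?request_id=42"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """Derive the SigV4 signing key: AWS4+secret -> date -> region -> service -> aws4_request."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def _canonical_query(params: dict) -> str:
    # Keys sorted, RFC 3986 encoding with only unreserved characters left bare.
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))


def _string_to_sign(method: str, host: str, path: str, params: dict, amz_date: str, scope: str) -> str:
    # Only the host header is signed and the payload hash is the literal UNSIGNED-PAYLOAD,
    # so the request body is not covered by the signature at all.
    canonical_request = "\n".join([
        method,
        quote(path or "/", safe="/-_.~"),
        _canonical_query(params),
        f"host:{host.lower()}\n",
        "host",
        "UNSIGNED-PAYLOAD",
    ])
    return "\n".join([ALGORITHM, amz_date, scope, hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])


def presign_function_url(url: str, access_key: str, secret_key: str, region: str,
                         signed_at: datetime, expires: int = 300, method: str = "POST") -> str:
    """Return `url` with X-Amz-* query parameters and a SigV4 signature appended."""
    parts = urlsplit(url)
    amz_date = signed_at.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params.update({
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    })
    sts = _string_to_sign(method, parts.netloc, parts.path, params, amz_date, scope)
    signature = hmac.new(_signing_key(secret_key, date_stamp, region), sts.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{parts.scheme}://{parts.netloc}{parts.path or '/'}?{_canonical_query(params)}&X-Amz-Signature={signature}"


def verify_presigned_url(url: str, secret_key: str, now: datetime, method: str = "POST"):
    """Service-side check: recompute the signature from the URL and compare. Returns (ok, reason)."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    try:
        presented = params.pop("X-Amz-Signature")
        fields = params["X-Amz-Credential"].split("/")
        amz_date = params["X-Amz-Date"]
        expires = int(params["X-Amz-Expires"])
        signed_at = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False, "missing or malformed X-Amz-* parameters"
    if params.get("X-Amz-Algorithm") != ALGORITHM or params.get("X-Amz-SignedHeaders") != "host":
        return False, "unsupported algorithm or signed headers"
    if len(fields) != 5 or fields[3] != SERVICE or fields[4] != "aws4_request" or not amz_date.startswith(fields[1]):
        return False, "bad credential scope"
    _, date_stamp, region = fields[0], fields[1], fields[2]
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    # The URL is a bearer token until X-Amz-Expires elapses; the expiry window is the only replay limit.
    if now < signed_at or now > signed_at + timedelta(seconds=expires):
        return False, "expired or not yet valid"
    sts = _string_to_sign(method, parts.netloc, parts.path, params, amz_date, scope)
    expected = hmac.new(_signing_key(secret_key, date_stamp, region), sts.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    t0 = datetime(2022, 8, 7, 12, 0, 0, tzinfo=timezone.utc)
    signed = presign_function_url(FUNCTION_URL, ACCESS_KEY, SECRET_KEY, "us-east-1", t0, expires=300)
    print(signed)
    print(verify_presigned_url(signed, SECRET_KEY, t0 + timedelta(seconds=60)))
    print(verify_presigned_url(signed, SECRET_KEY, t0 + timedelta(seconds=301)))
    print(verify_presigned_url(signed.replace("request_id=42", "request_id=43"), SECRET_KEY, t0 + timedelta(seconds=60)))
```

The practical consequence for the webhook use case is in the verifier: because the body is unsigned and only `host` is a signed header, anyone who sees the URL (in the webhook source's configuration, in proxy logs, in a leaked notification) can replay it with any payload until `X-Amz-Expires` runs out, so the expiry should be as short as the approval flow tolerates and the URL should be regenerated per request rather than stored long-term.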