I'm currently working on personal projects where I use AWS Lambda functions without setting them up in a VPC. These functions have publicly accessible URLs and are set up with AWS IAM for authentication. I'm using a Lambda@Edge function in CloudFront to sign requests to the Lambda function URL, which means anyone who guesses the URL might get a 403 Forbidden message if they try to access it. However, they can still reach the function URL. I'm curious about the potential security vulnerabilities this setup poses compared to running the function within a VPC. I realize that I won't have the same layer of WAF and DDoS protections that I would have with CloudFront. While I'm not overly concerned someone would target my setup, I wonder about the implications of this configuration on security. My Lambda function also interacts with DynamoDB, makes requests to the internet, and reads/writes to an S3 bucket. Thanks for any insights!
3 Answers
You're right that if the request signature is invalid, the Lambda isn't executed. You're not racking up bills for failed attempts. Also, consider that WAF and DDoS protections won't shield you from hefty costs if someone tries to exploit the function. For safety, implement aggressive rate limiting, but keep in mind it could disrupt legitimate traffic. For example, I disabled mine when it got in the way of automated tests. It's a balancing act!
Is the data you're working with sensitive? Because if it is, you have to weigh the risk; AWS IAM can be tricky to exploit, but not impossible. There are many entities scanning for open resources. I had a similar experience with a lightweight instance on Lightsail—my access logs were quite eye-opening!
Thanks for the insight! My projects aren't handling sensitive information, but I’m trying to treat them as if they were enterprise projects to improve my skills. It’s all a learning experience!
If you're saying that a Lambda's Function URL isn't secure, then it raises a red flag about other AWS services that also rely on IAM for security. The key point is IAM protects against misuse; if the request signature fails, the Lambda won't be invoked. You can check your CloudWatch logs to confirm this, and typically you're not charged for failed authentication attempts.
That makes sense! I need my Lambda function to access the internet, so I guess I'd require a NAT gateway if it's in a VPC. But you brought up a good point about VPCs not affecting how Lambda functions are invoked.

Thanks for clarifying the @Edge function was mainly for handling request payloads. I'm using it because a few requests need to handle an HTTP body. I'd thought WAF had a more complex rate limiting setup. But yeah, for my small projects, I don't get much traffic, so I just hope for the best.
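Added example, not part of the original thread: a simplified Python model of the SigV4 check the answers rely on, showing why a request to an `AWS_IAM` function URL is rejected when its signature is missing or its body was altered after signing. The URL, secret, date and the `would_invoke` helper are constructed for illustration. The real service also validates the timestamp, the credential scope and the IAM policy.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_signature(method, url, body, amz_date, secret_key,
                    region="us-east-1", service="lambda"):
    """Hex SigV4 signature over method, path, query, host, x-amz-date and body hash."""
    parts = urlsplit(url)
    # Assumption: the path needs no percent-encoding (plain ASCII segments).
    path = parts.path or "/"
    pairs = sorted((quote(k, safe="-_.~"), quote(v, safe="-_.~"))
                   for k, v in parse_qsl(parts.query, keep_blank_values=True))
    query = "&".join(f"{k}={v}" for k, v in pairs)
    canonical_request = "\n".join([
        method, path, query,
        f"host:{parts.netloc}\nx-amz-date:{amz_date}\n",
        "host;x-amz-date",
        hashlib.sha256(body).hexdigest(),  # binds the HTTP body to the signature
    ])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (amz_date[:8], region, service, "aws4_request"):
        key = _mac(key, part)  # derive the per-day, per-region, per-service key
    return _mac(key, string_to_sign).hex()

def would_invoke(method, url, body, amz_date, presented_sig, secret_key):
    """Simplified model of the service-side check: recompute and compare."""
    expected = sigv4_signature(method, url, body, amz_date, secret_key)
    return hmac.compare_digest(expected, presented_sig)

# Constructed sample values, not real credentials or a real endpoint.
URL = "https://example-id.lambda-url.us-east-1.on.aws/items?limit=5"
SECRET = "EXAMPLE-SECRET-NOT-REAL"
DATE = "20240101T000000Z"
BODY = b'{"item": "book"}'

if __name__ == "__main__":
    sig = sigv4_signature("POST", URL, BODY, DATE, SECRET)
    print("signed at the edge:    ", would_invoke("POST", URL, BODY, DATE, sig, SECRET))
    print("body changed in flight:", would_invoke("POST", URL, b'{"item": "car"}', DATE, sig, SECRET))
    print("no valid signature:    ", would_invoke("POST", URL, BODY, DATE, "0" * 64, SECRET))
```

Because the body hash is part of the canonical request, a signer at the edge needs the request body for POST and PUT requests, and any change to the body after signing invalidates the signature.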