Restrict Lambda function URL access to CloudFront

AWS have recently released the Lambda function URLs feature which allows a function to be invoked via a URL.

I would like to allow my function to be invoked via a URL but only via CloudFront.

I don't want people to be able to bypass CloudFront and invoke the function directly.

Is there a way to configure this? I am aware that I can restrict the function URL by setting the auth type to AWS_IAM but am not clear on how I then allow CloudFront to call it.

Solution 1:[1]

Here's what I did to make it work on my side :

  1. go to the CloudFront page

  2. click on create a new distribution

  3. In section Origin domain you have to paste in your lambda function URL

    [screenshot: Origin domain setting]

  4. Make sure to adjust the caching policy depending on what your lambda function consumes

    [screenshot: Caching policy]

You might want to create a dedicated policy if you want the cache key to depend on the query string, the cookies, etc. For my use case I created a new policy to take into account the query string.

Solution 2:[2]

Currently, the only option I see is quite similar to how you would protect an ALB in a way that access is restricted to CloudFront:

  1. Configure CloudFront to add a custom HTTP header to requests that it sends to the Lambda function URL.

  2. Configure the Lambda to only process requests that contain the custom HTTP header.

My thoughts on approaches that may not work when using lambda function URLs:

  • IAM auth (since I see no way to sign these requests originating from CloudFront, maybe that will change in the future when lambda function URLs become a first class citizen like S3-origins)
  • restricting access via security groups (because there are no SGs for lambda func URLs)
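The Lambda-side half of the custom-header approach in Solution 2, as an added example that is not part of either answer: a function URL handler (payload format 2.0) that only serves requests carrying the secret header CloudFront was configured to add as an origin custom header, and answers 403 to anything else, i.e. to anyone who found the function URL and calls it directly. The header name `x-origin-verify` and the environment variable `ORIGIN_VERIFY_SECRETS` are assumptions; the variable is a comma-separated list so a new secret can be accepted by the Lambda before the CloudFront origin header is switched over, then the old one dropped. The comparison is constant-time and the check fails closed when no secret is configured.

```python
import hmac
import json
import os

# Name of the custom origin header configured on the CloudFront distribution.
# Assumed name: any non-guessable header name works as long as both sides agree.
VERIFY_HEADER = "x-origin-verify"


def _expected_secrets():
    """Read the accepted secret value(s) from the environment.

    ORIGIN_VERIFY_SECRETS (assumed variable name) is comma-separated so that
    rotation works without an outage: add the new value here first, change
    the CloudFront origin header, then remove the old value.
    """
    raw = os.environ.get("ORIGIN_VERIFY_SECRETS", "")
    return [s.strip() for s in raw.split(",") if s.strip()]


def is_from_cloudfront(headers, secrets):
    """Return True only if the request carries a valid verification header.

    Function URL events (payload format 2.0) deliver header names lower-cased,
    but normalise anyway so the check does not rely on that detail.
    """
    if not secrets:
        # Fail closed: a Lambda with no configured secret must not serve anything.
        return False
    presented = None
    for name, value in (headers or {}).items():
        if name.lower() == VERIFY_HEADER:
            presented = value
            break
    if presented is None:
        return False
    # Constant-time comparison against every accepted value; iterate over all
    # of them so timing does not reveal which one (if any) matched.
    matched = False
    for secret in secrets:
        if hmac.compare_digest(presented.encode(), secret.encode()):
            matched = True
    return matched


def handler(event, context):
    """Lambda function URL entry point (function URL auth type NONE)."""
    if not is_from_cloudfront(event.get("headers"), _expected_secrets()):
        return {
            "statusCode": 403,
            "headers": {"content-type": "application/json"},
            "body": json.dumps({"message": "Forbidden"}),
        }
    return {
        "statusCode": 200,
        "headers": {"content-type": "application/json"},
        "body": json.dumps({"message": "hello via CloudFront"}),
    }


# Constructed sample events in the shape a function URL delivers (payload 2.0).
DIRECT_EVENT = {  # someone calling the function URL directly, no secret header
    "version": "2.0",
    "rawPath": "/",
    "headers": {"host": "example-url.lambda-url.eu-west-1.on.aws", "user-agent": "curl/8.0"},
}
CF_EVENT = {  # the same request relayed by CloudFront, which added the header
    "version": "2.0",
    "rawPath": "/",
    "headers": {
        "host": "example-url.lambda-url.eu-west-1.on.aws",
        "user-agent": "Amazon CloudFront",
        "x-origin-verify": "constructed-secret-value",
    },
}

if __name__ == "__main__":
    os.environ.setdefault("ORIGIN_VERIFY_SECRETS", "constructed-secret-value")
    print("direct call   ->", handler(DIRECT_EVENT, None)["statusCode"])  # 403
    print("via CloudFront ->", handler(CF_EVENT, None)["statusCode"])     # 200
```

The secret still travels in every CloudFront-to-origin request, so it should be a long random value stored as a CloudFront origin custom header and a Lambda environment variable (or a secrets store), and rotated; on the CloudFront side the same header must not be forwarded from viewers, otherwise a caller could supply it themselves.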

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution   Source
Solution 1: Jeremy Caney
Solution 2: mana