Restrict Lambda function URL access to CloudFront
AWS have recently released the Lambda function URLs feature which allows a function to be invoked via a URL.
I would like to allow my function to be invoked via a URL but only via CloudFront.
I don't want people to be able to bypass CloudFront and invoke the function directly.
Is there a way to configure this? I am aware that I can restrict the function URL by setting the auth type to AWS_IAM, but am not clear on how I then allow CloudFront to call it.
Solution 1:[1]
Here's what I did to make it work on my side:
- go to the CloudFront page
- click on create a new distribution
- In section Origin domain you have to paste in your lambda function URL
- Make sure to adjust the caching policy depending on what your lambda function consumes
- You might want to create a dedicated policy if you want the cache key to depend on the query string, the cookies, etc. For my use case I created a new policy to take into account the query string
Solution 2:[2]
Currently, the only option I see is quite similar to how you would protect an ALB in a way that access is restricted to CloudFront:
- Configure CloudFront to add a custom HTTP header to requests that it sends to the lambda function URL.
- Configure the Lambda to only process requests that contain the custom HTTP header.
My thoughts on approaches that may not work when using lambda function URLs:
- IAM auth (since I see no way to sign these requests originating from CloudFront, maybe that will change in the future when lambda function URLs become a first class citizen like S3-origins)
- restricting access via security groups (because there are no SGs for lambda func URLs)
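Below is an added example of the Lambda side of Solution 2, written for this page and not taken from the answer above or from AWS. It assumes a function URL with auth type NONE (so the URL itself is public and this header check is the only gate), a CloudFront origin custom header named `x-origin-verify` (a hypothetical name; any name works as long as CloudFront and the function agree), and the shared secret supplied to the function through an environment variable `CLOUDFRONT_ORIGIN_SECRET` (also an assumed name). The handler follows the function URL payload format 2.0, where header names arrive lowercased, compares the secret in constant time, and fails closed when no secret is configured.

```python
import hmac
import os

# Hypothetical header name: must match the custom header configured on the
# CloudFront origin. Treat its value as a secret and rotate it like one.
HEADER_NAME = "x-origin-verify"


def is_from_cloudfront(headers, expected_secret):
    """Return True only if the request carries the shared secret that CloudFront injects.

    Function URL events present header names lowercased, but we normalise
    anyway so the check behaves the same for any invoker.
    """
    if not expected_secret:
        # Fail closed: an unset secret must never turn the check into a no-op.
        return False
    presented = ""
    for name, value in (headers or {}).items():
        if name.lower() == HEADER_NAME:
            presented = str(value)
            break
    # Constant-time comparison so a caller cannot time byte-by-byte mismatches.
    return hmac.compare_digest(presented.encode(), expected_secret.encode())


def lambda_handler(event, context, secret=None):
    """Function URL entry point. `secret` is injectable for local testing;
    in Lambda it is read from the (assumed) CLOUDFRONT_ORIGIN_SECRET variable."""
    if secret is None:
        secret = os.environ.get("CLOUDFRONT_ORIGIN_SECRET", "")
    if not is_from_cloudfront(event.get("headers"), secret):
        # Reject direct invocations that bypassed CloudFront.
        return {"statusCode": 403,
                "headers": {"content-type": "text/plain"},
                "body": "Forbidden"}
    # Real work goes here; a fixed response keeps the example self-contained.
    return {"statusCode": 200,
            "headers": {"content-type": "text/plain"},
            "body": "Hello via CloudFront"}


# Constructed sample events in payload format 2.0 (not real captures).
CONSTRUCTED_SECRET = "example-secret-rotate-me"
SAMPLE_VIA_CLOUDFRONT = {
    "version": "2.0",
    "rawPath": "/",
    "headers": {"host": "example.lambda-url.eu-west-1.on.aws",
                "x-origin-verify": CONSTRUCTED_SECRET},
}
SAMPLE_DIRECT = {
    "version": "2.0",
    "rawPath": "/",
    "headers": {"host": "example.lambda-url.eu-west-1.on.aws"},
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_VIA_CLOUDFRONT, None, secret=CONSTRUCTED_SECRET)["statusCode"])
    print(lambda_handler(SAMPLE_DIRECT, None, secret=CONSTRUCTED_SECRET)["statusCode"])
```

The header value is effectively a bearer credential for the origin, so keep it out of source control (environment variable or Secrets Manager) and change it on both sides together when rotating. Since the answer was written, AWS has added CloudFront origin access control for Lambda function URL origins, which lets CloudFront sign requests to a function URL with auth type AWS_IAM; where that is available it is the stronger option, and the header check above remains useful as a fallback or defence in depth.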
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source
---|---
Solution 1 | Jeremy Caney
Solution 2 | mana