Hello,
To securely call Lambda function URLs from CloudFront, including handling POST requests, here's a practical approach to avoid the Security Hub public access warning:
1. Use CloudFront with OAC: Set up Origin Access Control (OAC) to restrict access to your Lambda function URL from CloudFront. This ensures only CloudFront can access your Lambda, which addresses the Security Hub warning.
2. Handling POST Requests: The challenge with POST requests is manually calculating the x-amz-content-sha256 header. Since this can be complex, especially for larger payloads (up to 6MB), using Lambda@Edge might not be feasible due to its 1MB size limit for POST request bodies.
3. Alternative Approach: Instead of using Lambda@Edge, consider these options:
   - API Gateway with Lambda Integration: This is a more secure and flexible approach, allowing you to handle larger payloads (up to 10MB for HTTP APIs). You can configure API Gateway to work with CloudFront and set up authentication (e.g., AWS IAM, Lambda authorizers).
   - Signed Cookies or Signed URLs: Use CloudFront signed cookies or signed URLs to restrict access. These can help control who can access your content without directly dealing with x-amz-content-sha256 signatures.
4. Remove Public Access: Make sure to update the Lambda function policy to deny public access and only allow the CloudFront OAC or API Gateway to invoke the Lambda function. This will clear the Security Hub warning.
By using these methods, you can safely handle POST requests to Lambda function URLs through CloudFront, maintain secure access, and comply with best practices. For more details on CloudFront OAC with Lambda, check this guide: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.html
Hello,
To securely call Lambda function URLs from CloudFront, including handling POST requests, here is a practical approach to avoid the Security Hub public access warning.
Use API Gateway Instead of Direct Lambda URLs
- Create an API Gateway HTTP API: This will act as an intermediary between CloudFront and your Lambda function.
- Configure Lambda Integration: Set up API Gateway to invoke your Lambda function for both GET and POST requests. This approach allows you to handle larger payloads up to 10MB, which is beyond the 1MB limitation of Lambda@Edge.
- Enable Authorization: Use API Gateway's built-in authentication mechanisms (e.g., AWS IAM, Lambda authorizers, or API keys) to secure access.
Set Up CloudFront to Point to API Gateway
- Update CloudFront Origin: Point CloudFront to the API Gateway endpoint instead of directly to the Lambda function URL.
- Cache Behavior: Configure CloudFront's cache behavior to forward all necessary headers, cookies, and query strings to API Gateway.
Remove Public Access to Lambda
- Update Lambda Function Policy: Restrict the Lambda function policy to only allow invocations from the API Gateway. This will remove the public access issue and clear the Security Hub warning.
- Disable Public URLs: If you were using Lambda function URLs, disable or remove them after configuring API Gateway.
Advantages of This Solution
- Security: By using API Gateway, you have full control over who can access your Lambda function, solving the public access issue highlighted by Security Hub.
- POST Request Handling: API Gateway handles larger POST requests up to 10MB, eliminating the need for complex x-amz-content-sha256 calculations.
- Compliance: This setup fully addresses the Security Hub recommendation and ensures your Lambda function is not publicly accessible.
Use CloudFront OAC (Origin Access Control)
- If you prefer to restrict access to your API Gateway further, consider using CloudFront Origin Access Control (OAC) to ensure only CloudFront can access your API Gateway endpoint.
https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html