How to safely call Lambda function URLs from CloudFront, including POST

0

We are currently using CloudFront connected to a Lambda function URL. I am trying to respond to the "Lambda function policies should prohibit public access" warning in Security Hub, but there appears to be an unacceptable restriction. https://docs.aws.amazon.com/securityhub/latest/userguide/lambda-controls.html#lambda-1

I was going to use OAC, but for the POST method I need to manually calculate x-amz-content-sha256. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.html

From what I found on the internet, using Lambda@Edge to manually calculate the x-amz-content-sha256 header is the usual workaround.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-at-edge-function-restrictions.html#lambda-at-edge-restrictions-request-body However, the POST body exposed to Lambda@Edge is truncated at about 1 MB at most.

https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-limits.html Lambda can receive requests up to 6MB.

Does this mean that it is impossible to create a signature in Lambda@Edge when sending a post of 6MB, which is the maximum for Lambda? Also, if it is impossible to create a signature, does that mean that it is impossible to use the Lambda function URL with authentication, and that it is impossible to remove the SecurityHub warning? No client-side modification is possible.
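The workaround the question describes, written out as an added example (this is not code from the question, the answers, or AWS): a Lambda@Edge viewer-request handler that hashes the request body and sets x-amz-content-sha256 so the OAC-signed POST matches at the Lambda function URL. It assumes the documented Lambda@Edge event shape (request["body"] with "inputTruncated", "encoding" and "data") and that the function association has body inclusion enabled. The important edge case from the question is handled explicitly: when CloudFront flags the body as truncated at the ~1 MB limit, the handler fails closed with a 413 instead of signing a hash that can never match the full payload. The `make_event` helper and its sample body are constructed for illustration.

```python
import base64
import hashlib

# Hypothetical Lambda@Edge viewer-request handler (added example, not from the
# question, the answers, or AWS). Assumes the Lambda@Edge event format.


def body_bytes(body):
    """Decode the body as Lambda@Edge presents it: base64 or plain text."""
    data = body.get("data") or ""
    if body.get("encoding") == "base64":
        return base64.b64decode(data)
    return data.encode("utf-8")


def add_content_sha256(event):
    """Return the request with x-amz-content-sha256 set to the SHA-256 of the
    body, or a 413 response when the body was truncated and cannot be signed."""
    request = event["Records"][0]["cf"]["request"]
    body = request.get("body") or {}
    if body.get("inputTruncated"):
        # The body we can see is incomplete; any hash computed here would not
        # match what the origin receives, so refuse rather than forward.
        return {
            "status": "413",
            "statusDescription": "Payload Too Large",
            "headers": {
                "content-type": [{"key": "Content-Type", "value": "text/plain"}]
            },
            "body": "request body exceeds the size the edge function can sign",
        }
    digest = hashlib.sha256(body_bytes(body)).hexdigest()
    headers = request.setdefault("headers", {})
    # Lambda@Edge header map: lower-case key -> list of {key, value}.
    headers["x-amz-content-sha256"] = [
        {"key": "X-Amz-Content-Sha256", "value": digest}
    ]
    return request


def handler(event, context):
    """Lambda@Edge entry point."""
    return add_content_sha256(event)


def make_event(data_b64, truncated=False):
    """Build a constructed CloudFront viewer-request event for local testing."""
    return {
        "Records": [{
            "cf": {
                "request": {
                    "method": "POST",
                    "uri": "/upload",
                    "headers": {"host": [{"key": "Host", "value": "example.invalid"}]},
                    "body": {
                        "inputTruncated": truncated,
                        "action": "read-only",
                        "encoding": "base64",
                        "data": data_b64,
                    },
                }
            }
        }]
    }


if __name__ == "__main__":
    # "aGVsbG8=" is base64 for the constructed body "hello".
    print(add_content_sha256(make_event("aGVsbG8="))["headers"]["x-amz-content-sha256"])
    print(add_content_sha256(make_event("aGVsbG8=", truncated=True))["status"])
```

Because the truncation flag is set by CloudFront before the function runs, there is no way for the edge function to recover the missing bytes; the 413 path is the only honest response, which is exactly why a 6 MB POST cannot be made to work through this route.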

2 Answers
2
Accepted Answer

Hello,

To securely call Lambda function URLs from CloudFront, including handling POST requests, here's a practical approach to avoid the Security Hub public access warning:

1. Use CloudFront with OAC: Set up Origin Access Control (OAC) to restrict access to your Lambda function URL from CloudFront. This ensures only CloudFront can access your Lambda, which addresses the Security Hub warning.

2. Handling POST Requests: The challenge with POST requests is manually calculating the x-amz-content-sha256 header. Since this can be complex, especially for larger payloads (up to 6MB), using Lambda@Edge might not be feasible due to its 1MB size limit for POST request bodies.

3. Alternative Approach: Instead of using Lambda@Edge, consider these options:

  • API Gateway with Lambda Integration: This is a more secure and flexible approach, allowing you to handle larger payloads (up to 10MB for HTTP APIs). You can configure API Gateway to work with CloudFront and set up authentication (e.g., AWS IAM, Lambda authorizers).

  • Signed Cookies or Signed URLs: Use CloudFront signed cookies or signed URLs to restrict access. These can help control who can access your content without directly dealing with x-amz-content-sha256 signatures.

4. Remove Public Access: Make sure to update the Lambda function policy to deny public access and only allow the CloudFront OAC or API Gateway to invoke the Lambda function. This will clear the Security Hub warning.

By using these methods, you can safely handle POST requests to Lambda function URLs through CloudFront, maintain secure access, and comply with best practices. For more details on CloudFront OAC with Lambda, check this guide. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.html

EXPERT
answered 6 days ago
EXPERT
reviewed 5 days ago
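Step 4 of the accepted answer (restrict the function policy so only CloudFront can invoke the URL) and the Security Hub control the question cites, as an added example that is neither the answer's nor AWS's code: a small audit that models the "public access" test as I understand the Lambda.1 control (an assumption: an Allow statement with a wildcard principal and no source-narrowing condition, or a function URL with AuthType NONE, is public). It builds the locked-down policy shape from the CloudFront OAC guide beside the permissive shape a public function URL carries, and checks both. All ARNs are placeholders.

```python
import json

# Added example, not from the answer or from AWS. The placeholder ARNs below
# must be replaced with the real function and distribution ARNs.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:my-function"  # placeholder
DISTRIBUTION_ARN = "arn:aws:cloudfront::123456789012:distribution/EXAMPLEID"  # placeholder

# Condition keys that tie a wildcard principal to a specific caller. This set
# is an assumption about what the Security Hub check treats as narrowing.
NARROWING_KEYS = {
    "aws:sourcearn", "aws:sourceaccount", "aws:sourcevpc",
    "aws:sourcevpce", "aws:principalorgid", "aws:principalarn",
}


def cloudfront_only_policy(function_arn, distribution_arn):
    """Resource policy allowing only one CloudFront distribution (via OAC) to
    call the function URL; the function URL must also use AuthType AWS_IAM."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "lambda:InvokeFunctionUrl",
            "Resource": function_arn,
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


def public_policy(function_arn):
    """The permissive shape that accompanies a function URL with AuthType NONE."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "FunctionURLAllowPublicAccess",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "lambda:InvokeFunctionUrl",
            "Resource": function_arn,
            "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
        }],
    }


def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def _has_narrowing_condition(condition):
    for operator_block in (condition or {}).values():
        if any(key.lower() in NARROWING_KEYS for key in operator_block):
            return True
    return False


def public_statements(policy):
    """Return the Sids of Allow statements that grant access to anyone."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in statements
        if stmt.get("Effect") == "Allow"
        and _is_wildcard_principal(stmt.get("Principal"))
        and not _has_narrowing_condition(stmt.get("Condition"))
    ]


def is_publicly_accessible(policy, url_auth_type):
    """True when the function URL would accept unauthenticated callers."""
    return url_auth_type == "NONE" or bool(public_statements(policy))


def load_policy(text):
    """Parse a policy document as returned by the Lambda get-policy API."""
    return json.loads(text)


if __name__ == "__main__":
    print(public_statements(public_policy(FUNCTION_ARN)))
    print(is_publicly_accessible(cloudfront_only_policy(FUNCTION_ARN, DISTRIBUTION_ARN), "AWS_IAM"))
```

Note the second check in `is_publicly_accessible`: a tight resource policy does nothing if the function URL itself is still created with AuthType NONE, so both the policy and the URL auth type have to be fixed for the finding to clear.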
1

Hello,

To securely call Lambda function URLs from CloudFront, including handling POST requests, here is a practical approach to avoid the Security Hub public access warning.

Use API Gateway Instead of Direct Lambda URLs

  • Create an API Gateway HTTP API: This will act as an intermediary between CloudFront and your Lambda function.
  • Configure Lambda Integration: Set up API Gateway to invoke your Lambda function for both GET and POST requests. This approach allows you to handle larger payloads up to 10MB, which is beyond the 1MB limitation of Lambda@Edge.
  • Enable Authorization: Use API Gateway’s built-in authentication mechanisms (e.g., AWS IAM, Lambda authorizers, or API keys) to secure access.

Set Up CloudFront to Point to API Gateway

  • Update CloudFront Origin: Point CloudFront to the API Gateway endpoint instead of directly to the Lambda function URL.
  • Cache Behavior: Configure CloudFront’s cache behavior to forward all necessary headers, cookies, and query strings to API Gateway.

Remove Public Access to Lambda

  • Update Lambda Function Policy: Restrict the Lambda function policy to only allow invocations from the API Gateway. This will remove the public access issue and clear the Security Hub warning.
  • Disable Public URLs: If you were using Lambda function URLs, disable or remove them after configuring API Gateway.

Advantages of This Solution

  • Security: By using API Gateway, you have full control over who can access your Lambda function, solving the public access issue highlighted by Security Hub.
  • POST Request Handling: API Gateway handles larger POST requests up to 10MB, eliminating the need for complex x-amz-content-sha256 calculations.
  • Compliance: This setup fully addresses the Security Hub recommendation and ensures your Lambda function is not publicly accessible.

Use CloudFront OAC (Origin Access Control)

  • If you prefer to restrict access to your API Gateway further, consider using CloudFront Origin Access Control (OAC) to ensure only CloudFront can access your API Gateway endpoint.

https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.html

EXPERT
answered 6 days ago
