Prevent people from creating open (unauthenticated) Lambda function URLs, which can lead to data leakage or other nasty things. The SCP below denies creating or updating a function URL config unless the auth type is AWS_IAM.
Source:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "lambda:CreateFunctionUrlConfig",
        "lambda:UpdateFunctionUrlConfig"
      ],
      "Resource": "arn:aws:lambda:*:*:function:*",
      "Condition": {
        "StringNotEquals": {
          "lambda:FunctionUrlAuthType": "AWS_IAM"
        }
      }
    }
  ]
}
SCP variant that lets an admin tag a function in a way that unlocks AuthType NONE for that function only. The URL statement also checks aws:ResourceTag/AllowOpenUrl, so the Deny is lifted only when the function already carries that tag (StringNotEquals matches when the tag is absent, so untagged functions stay locked). The second statement stops anyone other than the Admin role from setting that tag, whether via lambda:TagResource or as tags passed to lambda:CreateFunction:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "lambda:CreateFunctionUrlConfig",
        "lambda:UpdateFunctionUrlConfig"
      ],
      "Resource": "arn:aws:lambda:*:*:function:*",
      "Condition": {
        "StringNotEquals": {
          "lambda:FunctionUrlAuthType": "AWS_IAM",
          "aws:ResourceTag/AllowOpenUrl": "true"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "lambda:TagResource",
        "lambda:CreateFunction"
      ],
      "Resource": "arn:aws:lambda:*:*:function:*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/AllowOpenUrl": "true"
        },
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/Admin"
        }
      }
    }
  ]
}
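To see how the tag exception behaves for untagged, tagged and admin-tagged requests before rolling it out, here is an added example (not from the original page and not an AWS library) that models the Deny-only evaluation of the tagged-exception SCP against constructed request contexts. It embeds a copy of that SCP with an aws:ResourceTag/AllowOpenUrl condition on the URL statement (an assumption of this example, needed for the tag to lift the deny) and implements only the three operators the policy uses, plus the missing-key rule that makes the pattern work: negated operators such as StringNotEquals match when the key is absent, non-negated ones do not. The function ARN, account id and role names are constructed sample values.

```python
import fnmatch

# Constructed SCP for this example: same shape as the tag-exception policy above,
# with aws:ResourceTag/AllowOpenUrl on the URL statement so the tag lifts the deny.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["lambda:CreateFunctionUrlConfig", "lambda:UpdateFunctionUrlConfig"],
            "Resource": "arn:aws:lambda:*:*:function:*",
            "Condition": {
                "StringNotEquals": {
                    "lambda:FunctionUrlAuthType": "AWS_IAM",
                    "aws:ResourceTag/AllowOpenUrl": "true",
                }
            },
        },
        {
            "Effect": "Deny",
            "Action": ["lambda:TagResource", "lambda:CreateFunction"],
            "Resource": "arn:aws:lambda:*:*:function:*",
            "Condition": {
                "StringEquals": {"aws:RequestTag/AllowOpenUrl": "true"},
                "ArnNotEquals": {"aws:PrincipalArn": "arn:aws:iam::*:role/Admin"},
            },
        },
    ],
}

# Negated operators match when the condition key is missing from the request.
NEGATED = {"StringNotEquals", "ArnNotEquals"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_any(value, patterns):
    # IAM wildcards (* and ?) for Action, Resource and Arn* operators.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_matches(operator, key, expected, context):
    """Evaluate one key under one operator against the request context."""
    if key not in context:
        return operator in NEGATED
    actual = context[key]
    if operator == "StringEquals":
        return actual in _as_list(expected)
    if operator == "StringNotEquals":
        return actual not in _as_list(expected)
    if operator == "ArnNotEquals":
        return not _glob_any(actual, expected)
    raise ValueError(f"operator not modelled: {operator}")


def _statement_applies(stmt, action, resource, context):
    if not _glob_any(action, stmt["Action"]) or not _glob_any(resource, stmt["Resource"]):
        return False
    # Every operator block and every key inside it must match (logical AND).
    for operator, keys in stmt.get("Condition", {}).items():
        for key, expected in keys.items():
            if not _condition_matches(operator, key, expected, context):
                return False
    return True


def scp_allows(policy, action, resource, context):
    """True unless some Deny statement matches; only the Deny side is modelled,
    since the SCPs on this page contain nothing else."""
    return not any(
        s["Effect"] == "Deny" and _statement_applies(s, action, resource, context)
        for s in policy["Statement"]
    )


FN = "arn:aws:lambda:us-east-1:111122223333:function:demo"  # constructed
DEV = "arn:aws:iam::111122223333:role/Developer"            # constructed
ADMIN = "arn:aws:iam::111122223333:role/Admin"              # constructed


def scenarios():
    """Constructed request contexts and whether the SCP lets them through."""
    url = "lambda:CreateFunctionUrlConfig"
    return {
        "open url, untagged function": scp_allows(SCP, url, FN, {"lambda:FunctionUrlAuthType": "NONE"}),
        "iam url, untagged function": scp_allows(SCP, url, FN, {"lambda:FunctionUrlAuthType": "AWS_IAM"}),
        "open url, tag=true": scp_allows(SCP, url, FN, {"lambda:FunctionUrlAuthType": "NONE",
                                                      "aws:ResourceTag/AllowOpenUrl": "true"}),
        "open url, tag=false": scp_allows(SCP, url, FN, {"lambda:FunctionUrlAuthType": "NONE",
                                                       "aws:ResourceTag/AllowOpenUrl": "false"}),
        "developer sets tag": scp_allows(SCP, "lambda:TagResource", FN,
                                         {"aws:RequestTag/AllowOpenUrl": "true", "aws:PrincipalArn": DEV}),
        "developer sets tag at create": scp_allows(SCP, "lambda:CreateFunction", FN,
                                                   {"aws:RequestTag/AllowOpenUrl": "true", "aws:PrincipalArn": DEV}),
        "developer sets other tag": scp_allows(SCP, "lambda:TagResource", FN,
                                               {"aws:RequestTag/Team": "blue", "aws:PrincipalArn": DEV}),
        "admin sets tag": scp_allows(SCP, "lambda:TagResource", FN,
                                     {"aws:RequestTag/AllowOpenUrl": "true", "aws:PrincipalArn": ADMIN}),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
```

This is a reasoning aid, not a substitute for the IAM policy simulator: it ignores allow statements, IfExists and Null operators, policy variables and the interaction with identity and resource policies, which is enough to check the intended lock/unlock matrix of these two statements but nothing beyond that.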