Bash script for checking Function URL in AWS Lambda

devops-aws

This Bash utility audits AWS Lambda functions for publicly accessible Function URLs. It enumerates functions in a region, checks URL config, and records only entries where AuthType is NONE.

How It Works

  • Lists Lambda function names in a target region
  • Calls get-function-url-config for each function
  • Filters by AuthType = NONE
  • Saves findings to a report file

Bash Script

#!/bin/bash
REGION= # us-east-1, eu-west-1 ... etc.
OUTPUT_FILE="public_lambda_urls.txt"

# Get list of Lambda functions
FUNCTIONS=$(aws lambda list-functions --region $REGION --query 'Functions[*].FunctionName' --output text)

# Clear output file
> $OUTPUT_FILE

# Iterate through each function
for FUNCTION in $FUNCTIONS; do
# Check if Function URL exists
URL_CONFIG=$(aws lambda get-function-url-config --function-name $FUNCTION --region $REGION 2>/dev/null)
if [ $? -eq 0 ]; then
# Check if AuthType is NONE (public)
AUTH_TYPE=$(echo $URL_CONFIG | jq -r '.AuthType')
if [ "$AUTH_TYPE" = "NONE" ]; then
echo "Function: $FUNCTION has public Function URL"
echo "Function: $FUNCTION, URL: $(echo $URL_CONFIG | jq -r '.FunctionUrl')" >> $OUTPUT_FILE
fi
fi
done

echo "Results saved to $OUTPUT_FILE"

Operational Notes

  • Set REGION explicitly before running.
  • Requires AWS CLI credentials with Lambda read permissions.
  • Requires jq for JSON parsing.
  • Consider running this as a scheduled security audit job.

Official Documentation

Leave a Reply

Your email address will not be published. Required fields are marked *

Support us · 💳 Monobank