AWS Lambda Function URL Created with Public Access

Elastic Detection Rules

Summary
This rule detects when an AWS Lambda Function URL is created or updated with authType set to NONE, thereby permitting unauthenticated, internet-facing invocation of the function. It analyzes CloudTrail logs (aws.cloudtrail) for successful CreateFunctionUrlConfig or UpdateFunctionUrlConfig actions from the Lambda service and checks request_parameters for authType=NONE. Publicly exposed Lambda Function URLs can provide adversaries with a durable entry point for command-and-control, data exfiltration, or on-demand code execution without AWS credentials. The rule correlates the change with the initiating principal and related activity to help determine legitimacy and potential compromise. It also captures the resulting function URL in the response elements for validation and triage. The detection aligns with MITRE ATT&CK concepts of External Remote Services (T1133) under Persistence and Modify Cloud Compute Infrastructure (T1578.005) under Defense Evasion, reflecting the risk of unauthorized exposure and configuration tampering. The rule includes guidance for investigation, validation of ownership, and steps for remediation and containment if unauthorized exposure is discovered.
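As an added illustration (not part of the Elastic rule itself), the following Python reproduces the detection logic described above over constructed CloudTrail records: a successful CreateFunctionUrlConfig or UpdateFunctionUrlConfig call from the Lambda service whose requestParameters.authType is NONE. It uses CloudTrail's raw JSON field names rather than the ECS aws.cloudtrail.* fields, and the account ID, user, function name and URL are placeholders.

```python
# Constructed CloudTrail records for illustration (not real events).
SAMPLE_RECORDS = [
    {   # public URL created: should match
        "eventTime": "2026-06-18T10:15:00Z", "eventSource": "lambda.amazonaws.com",
        "eventName": "CreateFunctionUrlConfig",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-dev"},
        "requestParameters": {"functionName": "example-fn", "authType": "NONE"},
        "responseElements": {"functionUrl": "https://EXAMPLEID.lambda-url.us-east-1.on.aws/",
                             "authType": "NONE"},
    },
    {   # update keeps IAM auth: must not match
        "eventTime": "2026-06-18T10:16:00Z", "eventSource": "lambda.amazonaws.com",
        "eventName": "UpdateFunctionUrlConfig",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-ops"},
        "requestParameters": {"functionName": "example-fn", "authType": "AWS_IAM"},
        "responseElements": {"functionUrl": "https://EXAMPLEID.lambda-url.us-east-1.on.aws/",
                             "authType": "AWS_IAM"},
    },
    {   # attempt denied by IAM: nothing was exposed, must not match
        "eventTime": "2026-06-18T10:17:00Z", "eventSource": "lambda.amazonaws.com",
        "eventName": "CreateFunctionUrlConfig", "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-dev"},
        "requestParameters": {"functionName": "other-fn", "authType": "NONE"},
    },
]

LAMBDA_URL_EVENTS = {"CreateFunctionUrlConfig", "UpdateFunctionUrlConfig"}


def is_public_function_url_event(record: dict) -> bool:
    """True for a successful Lambda URL config change that sets authType to NONE."""
    if record.get("eventSource") != "lambda.amazonaws.com":
        return False
    if record.get("eventName") not in LAMBDA_URL_EVENTS:
        return False
    if record.get("errorCode"):  # failed API calls expose nothing; the rule wants successes
        return False
    params = record.get("requestParameters") or {}
    return params.get("authType") == "NONE"


def find_public_function_urls(records) -> list[dict]:
    """Return triage context (principal, function, resulting URL) for each matching record."""
    hits = []
    for rec in records:
        if is_public_function_url_event(rec):
            resp = rec.get("responseElements") or {}
            hits.append({
                "time": rec.get("eventTime"),
                "event": rec["eventName"],
                "principal": (rec.get("userIdentity") or {}).get("arn"),
                "function": (rec.get("requestParameters") or {}).get("functionName"),
                "function_url": resp.get("functionUrl"),  # captured for validation, as in the rule
            })
    return hits


if __name__ == "__main__":
    for hit in find_public_function_urls(SAMPLE_RECORDS):
        print(hit)
```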
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1133
  • T1578
  • T1578.005
Created: 2026-06-18