
Summary
This detection rule monitors the creation of AWS Lambda function URLs, an action that is legitimate but carries security risk, such as exposing the function and the permissions of its IAM role to unauthorized callers. The rule triggers when a user invokes the 'CreateFunctionUrlConfig' API call, which registers a new function URL configuration and gives an existing Lambda function an HTTP endpoint. Because exposing a function URL to the internet can lead to unwanted access, the rule captures any attempt to create such a configuration. False positives are expected, particularly in environments where system administrators or other trusted identities create these configurations, so each alert needs the acting user verified to distinguish legitimate administrative tasks from potential threats.
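The rule's logic applied to sample CloudTrail records, as an added example that is not part of the rule itself. The log lines are constructed, the allowlist and the priority scheme are hypothetical, and the field names (`requestParameters.authType`, `userIdentity.sessionContext.sessionIssuer.arn`) assume the standard CloudTrail record layout.

```python
import json

# Constructed CloudTrail records (one JSON object per line); all ARNs and names are placeholders.
SAMPLE_LOG = """
{"eventSource":"lambda.amazonaws.com","eventName":"CreateFunctionUrlConfig","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/alice"},"requestParameters":{"functionName":"billing-export","authType":"NONE"}}
{"eventSource":"lambda.amazonaws.com","eventName":"CreateFunctionUrlConfig","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/platform-deploy/ci","sessionContext":{"sessionIssuer":{"arn":"arn:aws:iam::111111111111:role/platform-deploy"}}},"requestParameters":{"functionName":"webhook","authType":"AWS_IAM"}}
{"eventSource":"lambda.amazonaws.com","eventName":"CreateFunctionUrlConfig","errorCode":"AccessDenied","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/bob"},"requestParameters":{"functionName":"admin-task","authType":"NONE"}}
{"eventSource":"lambda.amazonaws.com","eventName":"GetFunctionUrlConfig","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/alice"},"requestParameters":{"functionName":"billing-export"}}
{"eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/alice"}}
"""

# Hypothetical allowlist of identities expected to create function URLs.
TRUSTED = {"arn:aws:iam::111111111111:role/platform-deploy"}

def principal_arn(identity):
    """Resolve the acting principal; for assumed roles use the role, not the session."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "unknown")

def triage(event, trusted=TRUSTED):
    """Return a finding for a CreateFunctionUrlConfig event, else None."""
    if (event.get("eventSource"), event.get("eventName")) != (
            "lambda.amazonaws.com", "CreateFunctionUrlConfig"):
        return None
    params = event.get("requestParameters") or {}  # may be null in CloudTrail
    actor = principal_arn(event.get("userIdentity") or {})
    succeeded = "errorCode" not in event           # failed attempts are still reported
    unauthenticated = params.get("authType") == "NONE"
    if actor in trusted:
        priority = "low"      # likely administrative, still worth verifying
    elif succeeded and unauthenticated:
        priority = "high"     # URL without IAM auth, created by an unexpected identity
    else:
        priority = "medium"
    return {"function": params.get("functionName"), "actor": actor,
            "succeeded": succeeded, "unauthenticated": unauthenticated,
            "priority": priority}

def scan(log_text):
    """Run triage over newline-delimited CloudTrail JSON and keep the matches."""
    events = (json.loads(l) for l in log_text.splitlines() if l.strip())
    return [f for f in map(triage, events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```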
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Cloud Storage
Created: 2024-12-19