feat(lambda-function): Checks for misconfigured function's URLs (#1148)

2026-02-10 06:45:08 +00:00 · 2022-05-23 10:46:19 +02:00
parent e2c7bc2d6d
commit 2939d5cadd
3 changed files with 151 additions and 2 deletions
--- a/checks/check_extra7179
+++ b/checks/check_extra7179
@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7179="7.179"
+CHECK_TITLE_extra7179="[extra7179] Check Public Lambda Function URL"
+CHECK_SCORED_extra7179="NOT_SCORED"
+CHECK_CIS_LEVEL_extra7179="EXTRA"
+CHECK_SEVERITY_extra7179="Critical"
+CHECK_ASFF_RESOURCE_TYPE_extra7179="AwsLambdaFunction"
+CHECK_ALTERNATE_check7179="extra7179"
+CHECK_SERVICENAME_extra7179="lambda"
+CHECK_RISK_extra7179='Publicly accessible services could expose sensitive data to bad actors.'
+CHECK_REMEDIATION_extra7179='Grant usage permission on a per-resource basis and applying least privilege principle.'
+CHECK_DOC_extra7179='https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html'
+CHECK_CAF_EPIC_extra7179='Infrastructure Security'
+
+extra7179(){
+    # Check if Lambda function URL is public
+    # None --> Public
+    local PUBLIC_AUTH_TYPE="NONE"
+    # AWS_IAM --> Private
+    local PRIVATE_AUTH_TYPE="AWS_IAM"
+
+    for regx in ${REGIONS}; do
+        LIST_OF_FUNCTIONS=$("${AWSCLI}" lambda list-functions ${PROFILE_OPT} \
+            --region "${regx}" \
+            --query 'Functions[*].FunctionName' \
+            --output text 2>&1)
+        # Check errors
+        if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${LIST_OF_FUNCTIONS}"; then
+            textInfo "${regx}: Access Denied trying to list Lambda functions" "${regx}"
+            continue
+        fi
+        if [[ -n "${LIST_OF_FUNCTIONS}" && $(tr '[:upper:]' '[:lower:]' <<< "${LIST_OF_FUNCTIONS}") != "none" ]]; then
+            for lambda_function in ${LIST_OF_FUNCTIONS}; do
+                AUTH_TYPE=$("${AWSCLI}" lambda list-function-url-configs ${PROFILE_OPT} \
+                    --function-name "${lambda_function}" \
+                    --region "${regx}" \
+                    --query 'FunctionUrlConfigs[0].AuthType' \
+                    --output text)
+                # Check errors
+                if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${AUTH_TYPE}"; then
+                    textInfo "${regx}: Access Denied trying to get Lambda functions URLs configuration" "${regx}"
+                    continue
+                fi
+
+                if [[ "${AUTH_TYPE}" == "${PUBLIC_AUTH_TYPE}" ]]; then
+                    textFail "${regx}: Lambda function ${lambda_function} has a publicly accessible function URL" "${regx}" "${lambda_function}"
+                elif [[ "${AUTH_TYPE}" == "${PRIVATE_AUTH_TYPE}" ]]; then
+                    textPass "${regx}: Lambda function ${lambda_function} has not a publicly accessible function URL" "${regx}" "${lambda_function}"
+                else
+                    textInfo "${regx}: Lambda function ${lambda_function} has not a function URL" "${regx}" "${lambda_function}"
+                fi
+            done
+        else
+            textInfo "${regx}: No Lambda functions found" "${regx}"
+        fi
+    done
+}
--- a/checks/check_extra7180
+++ b/checks/check_extra7180
@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7180="7.180"
+CHECK_TITLE_extra7180="[extra7180] Check Lambda Function URL CORS configuration"
+CHECK_SCORED_extra7180="NOT_SCORED"
+CHECK_CIS_LEVEL_extra7180="EXTRA"
+CHECK_SEVERITY_extra7180="Critical"
+CHECK_ASFF_RESOURCE_TYPE_extra7180="AwsLambdaFunction"
+CHECK_ALTERNATE_check7180="extra7180"
+CHECK_SERVICENAME_extra7180="lambda"
+CHECK_RISK_extra7180='Publicly accessible services could expose sensitive data to bad actors.'
+CHECK_REMEDIATION_extra7180='Grant usage permission on a per-resource basis and applying least privilege principle.'
+CHECK_DOC_extra7180='https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html'
+CHECK_CAF_EPIC_extra7180='Infrastructure Security'
+
+extra7180(){
+    for regx in ${REGIONS}; do
+        LIST_OF_FUNCTIONS=$("${AWSCLI}" lambda list-functions ${PROFILE_OPT} \
+            --region "${regx}" \
+            --query 'Functions[*].FunctionName' \
+            --output text 2>&1)
+        # Check errors
+        if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${LIST_OF_FUNCTIONS}"; then
+            textInfo "${regx}: Access Denied trying to list Lambda functions" "${regx}"
+            continue
+        fi
+        if [[ -n "${LIST_OF_FUNCTIONS}" && $(tr '[:upper:]' '[:lower:]' <<< "${LIST_OF_FUNCTIONS}") != "none" ]]; then
+            for lambda_function in ${LIST_OF_FUNCTIONS}; do
+                # Check if Lambda function has an URL
+                LAMBDA_FUNCTION_URL=$("${AWSCLI}" lambda list-function-url-configs ${PROFILE_OPT} \
+                    --function-name "${lambda_function}" \
+                    --region "${regx}" \
+                    --query 'FunctionUrlConfigs[0].[FunctionUrl]' \
+                    --output text)
+                # Check errors
+                if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${AUTH_TYPE}"; then
+                    textInfo "${regx}: Access Denied trying to get Lambda functions URLs" "${regx}"
+                    continue
+                fi
+
+                if [[ "${LAMBDA_FUNCTION_URL}" != "None" ]]; then
+                    # Check CORS configuration
+                    CORS_ALLOW_ORIGINS=$("${AWSCLI}" lambda get-function-url-config ${PROFILE_OPT} \
+                    --function-name "${lambda_function}" \
+                    --region "${regx}" \
+                    --query 'Cors.AllowOrigins' \
+                    --output text)
+                    # Check errors
+                    if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${AUTH_TYPE}"; then
+                        textInfo "${regx}: Access Denied trying to get Lambda functions URLs configuration" "${regx}"
+                        continue
+                    fi
+
+                    # The * is on purpose to check allowed origins
+                    if [[ "${CORS_ALLOW_ORIGINS}" =~ "*" ]]; then
+                        textFail "$regx: Lambda function ${lambda_function} URL has a wide CORS configuration" "${regx}" "${lambda_function}"
+                    elif [[ "${CORS_ALLOW_ORIGINS}" == "None" ]]; then
+                        textFail "${regx}: Lambda function ${lambda_function} URL has not CORS configured" "${regx}" "${lambda_function}"
+                    else
+                        textPass "${regx}: Lambda function ${lambda_function} has not a wide CORS configuration" "${regx}" "${lambda_function}"
+                    fi
+
+                else
+                    textInfo "${regx}: Lambda function ${lambda_function} has not a function URL" "${regx}" "${lambda_function}"
+                fi
+            done
+        else
+            textInfo "${regx}: No Lambda functions found" "${regx}"
+        fi
+    done
+}
--- a/groups/group7_extras
+++ b/groups/group7_extras
@@ -15,9 +15,9 @@ GROUP_ID[7]='extras'
 GROUP_NUMBER[7]='7.0'
 GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************'
 GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
-GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113,extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122,extra7123,extra7124,extra7125,extra7126,extra7127,extra7128,extra7129,extra7130,extra7131,extra7132,extra7133,extra7134,extra7135,extra7136,extra7137,extra7138,extra7139,extra7140,extra7141,extra7142,extra7143,extra7144,extra7145,extra7146,extra7147,extra7148,extra7149,extra7150,extra7151,extra7152,extra7153,extra7154,extra7155,extra7156,extra7157,extra7158,extra7159,extra7160,extra7161,extra7162,extra7163,extra7164,extra7165,extra7166,extra7167,extra7168,extra7169,extra7170,extra7171,extra7172,extra7173,extra7174,extra7175,extra7176,extra7177,extra7178'
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113,extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122,extra7123,extra7124,extra7125,extra7126,extra7127,extra7128,extra7129,extra7130,extra7131,extra7132,extra7133,extra7134,extra7135,extra7136,extra7137,extra7138,extra7139,extra7140,extra7141,extra7142,extra7143,extra7144,extra7145,extra7146,extra7147,extra7148,extra7149,extra7150,extra7151,extra7152,extra7153,extra7154,extra7155,extra7156,extra7157,extra7158,extra7159,extra7160,extra7161,extra7162,extra7163,extra7164,extra7165,extra7166,extra7167,extra7168,extra7169,extra7170,extra7171,extra7172,extra7173,extra7174,extra7175,extra7176,extra7177,extra7178,extra7179,extra7180'

-# Extras 759 and 760 (lambda variables and code secrets finder are not included) 
+# Extras 759 and 760 (lambda variables and code secrets finder are not included)
 # to run detect-secrets use `./prowler -g secrets`

 # Extras 789 and 790 VPC trust boundaries are not included by default in Extras