AWS
Cloud Offensive
Red Team
Breaking Down AWS Lambda Function URLs as a Pentester
// published · 2025-03-14
overview
AWS Lambda Function URLs introduce a direct HTTP endpoint for your Lambda functions — no API Gateway required. From a pentester's perspective, this creates a new and often overlooked attack surface. We walk through how Function URLs work, how to discover them during recon, and how misconfigured auth modes (NONE vs AWS_IAM) can lead to unauthenticated code execution.
timestamps
- 00:00 Intro — what are Lambda Function URLs?
- 00:57 AWS Lambda and Lambda Function URLs explained
- 01:56 Enumeration cases
- 03:15 CloudFoxable
- 03:48 Furls1 (manual)
- 06:39 Furls1 (automation - cloudfox)
- 08:28 Furls2 (manual)
- 11:27 Furls2 (automation - cloudfox)
- 12:15 Conclusions and outro
commands used
list all lambda functions in the account
# reveals function names, runtimes, and assigned IAM roles
aws --profile cloudfoxable lambda list-functions
get configuration of a specific function
# returns runtime, env vars, IAM role, VPC config, and timeout
aws --profile cloudfoxable lambda get-function-configuration \
--function-name furls1
check if a function url is attached
# AuthType: NONE = publicly accessible, AWS_IAM = requires signed requests
aws --profile cloudfoxable lambda list-function-url-configs \
--function-name furls1
cloudfox — available modules
# list all CloudFox modules for AWS enumeration
cloudfox aws -h
cloudfox — enumerate lambda functions
# outputs function names, roles, and any attached Function URLs
cloudfox aws lambda -p cloudfoxable --outdir .
cloudfox — scan for exposed endpoints
# finds all exposed endpoints across services, including Function URLs
cloudfox aws endpoints -p cloudfoxable --outdir .
list functions again — find additional targets
aws --profile cloudfoxable lambda list-functions
inspect second function — check for hardcoded secrets
# hardcoded secrets in env vars are a common misconfiguration — check carefully
aws --profile cloudfoxable lambda get-function-configuration \
--function-name auth-me
check if auth-me has a function url attached
aws --profile cloudfoxable lambda list-function-url-configs \
--function-name auth-me
cloudfox — extract env vars across all services
# scans Lambda, ECS, EC2 and more — surfaces API keys, DB strings, secrets in one pass
cloudfox aws env-vars -p cloudfoxable --outdir .
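The two findings the commands above are hunting for (a Function URL with AuthType NONE, and secret-looking values in a function's environment) can be checked offline from the JSON the CLI already returns. The script below is an added example written for this page; it is not code from the video, from CloudFox, or from AWS. It assumes dictionaries shaped like the output of `aws lambda list-function-url-configs` and `aws lambda get-function-configuration`; the sample documents, function names, account id, URL id and variable values are constructed placeholders (the access key id is the documented AWS example value), and the key-name and value patterns are this example's own heuristics, not an AWS rule.

```python
"""Offline audit of `aws lambda` JSON output.

Flags (1) Function URLs whose AuthType is NONE, i.e. callable by anyone
without a signed request, and (2) environment variables whose name or value
looks like a secret. Sample documents below are constructed for this example;
in practice you would json.load() the real CLI output into the same shapes.
"""
import json
import re

# Constructed sample: one document per function, shaped like the output of
# `aws lambda list-function-url-configs --function-name <name>`.
URL_CONFIGS = {
    "furls1": {"FunctionUrlConfigs": [{
        "FunctionUrl": "https://EXAMPLEURLID.lambda-url.us-east-1.on.aws/",
        "FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:furls1",
        "AuthType": "NONE",
    }]},
    "auth-me": {"FunctionUrlConfigs": [{
        "FunctionUrl": "https://EXAMPLEURLID2.lambda-url.us-east-1.on.aws/",
        "FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:auth-me",
        "AuthType": "AWS_IAM",
    }]},
    "no-url": {"FunctionUrlConfigs": []},  # function with no URL attached
}

# Constructed sample: shaped like `aws lambda get-function-configuration`
# (only the fields this audit reads). Values are placeholders.
FUNC_CONFIGS = {
    "furls1": {
        "FunctionName": "furls1",
        "Role": "arn:aws:iam::111122223333:role/furls1-role",
        "Environment": {"Variables": {"TABLE_NAME": "items"}},
    },
    "auth-me": {
        "FunctionName": "auth-me",
        "Role": "arn:aws:iam::111122223333:role/auth-me-role",
        "Environment": {"Variables": {
            "API_KEY": "constructed-placeholder",
            "DB_PASSWORD": "constructed-placeholder",
            "LOG_LEVEL": "info",
            "UPSTREAM_ID": "AKIAIOSFODNN7EXAMPLE",  # AWS's documented example key id
        }},
    },
}

# Heuristics chosen for this example: secret-bearing variable names, and the
# fixed prefix/length of an AWS access key id appearing as a value.
SECRET_NAME = re.compile(
    r"(secret|password|passwd|token|api[_-]?key|private[_-]?key|conn(ection)?[_-]?str)",
    re.IGNORECASE,
)
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def public_function_urls(url_config_docs):
    """Return (function_name, url) for every Function URL with AuthType NONE."""
    findings = []
    for name, doc in url_config_docs.items():
        for cfg in doc.get("FunctionUrlConfigs", []):
            if cfg.get("AuthType") == "NONE":
                findings.append((name, cfg.get("FunctionUrl")))
    return findings


def suspicious_env_vars(function_config_doc):
    """Return env var names (sorted) whose name or value looks like a secret."""
    variables = function_config_doc.get("Environment", {}).get("Variables", {})
    hits = set()
    for key, value in variables.items():
        if SECRET_NAME.search(key) or AWS_ACCESS_KEY_ID.search(str(value)):
            hits.add(key)
    return sorted(hits)


def audit(url_config_docs, function_config_docs):
    """Combine both checks into one report keyed by function name."""
    report = {
        "public_urls": public_function_urls(url_config_docs),
        "secret_env_vars": {},
    }
    for name, doc in function_config_docs.items():
        hits = suspicious_env_vars(doc)
        if hits:
            report["secret_env_vars"][name] = hits
    return report


if __name__ == "__main__":
    print(json.dumps(audit(URL_CONFIGS, FUNC_CONFIGS), indent=2))
```

A function that shows up under `public_urls` is reachable without any credentials; the fix is to switch the URL to AuthType AWS_IAM (or remove it) and to move anything listed under `secret_env_vars` out of plain environment variables. Only the variable names are reported, so the output itself never echoes a secret value.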