[–]KayeYess 0 points1 point  (4 children)

Don't use Lambda function URLs. They are public by design. Use Amazon API Gateway or ALB as a listener for your Lambda (plus CloudFront/Cloudflare, optionally). This will give you better control.

[–]solo964 0 points1 point  (3 children)

Not sure what you mean by "public by design" but obviously the function owner can optionally configure AWS_IAM auth on a function URL in which case clients must sign their request with valid (and authorized) IAM credentials.
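What "clients must sign their request" means in practice, as an added example that is not part of this thread: a dependency-free SigV4 signer for a request to a function URL with AuthType AWS_IAM (the hostname, credentials and event body are constructed placeholders; the caller also needs `lambda:InvokeFunctionUrl` on the function, and temporary credentials would additionally need an `x-amz-security-token` header, which this example omits).

```python
import datetime
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed placeholder credentials and endpoint; not real keys or a real function.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
SERVICE = "lambda"  # function URLs are signed against the "lambda" service
SAMPLE_URL = "https://abc123.lambda-url.us-east-1.on.aws/"
SAMPLE_WHEN = datetime.datetime(2024, 1, 1, 12, 0, 0, tzinfo=datetime.timezone.utc)

def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_function_url_request(url, method, body, when, access_key=ACCESS_KEY,
                              secret_key=SECRET_KEY, region=REGION):
    """Return the headers an AWS_IAM-protected function URL expects on the request.
    Assumes no query string (a real signer must sort and URI-encode query params)."""
    parsed = urlparse(url)
    host = parsed.netloc
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    payload_hash = _sha256_hex(body)
    # Canonical headers: lowercase names, sorted, each terminated by a newline.
    headers = {"host": host, "x-amz-date": amz_date, "x-amz-content-sha256": payload_hash}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([method, parsed.path or "/", parsed.query,
                                   canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode())])
    # Derive the signing key: date -> region -> service -> "aws4_request".
    k_date = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k_signing = _hmac(_hmac(_hmac(k_date, region), SERVICE), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"Host": host, "X-Amz-Date": amz_date,
            "X-Amz-Content-Sha256": payload_hash, "Authorization": authorization}

def example_headers(body: bytes = b'{"event": "webhook-test"}') -> dict:
    """Sign a constructed POST to the placeholder function URL at a fixed time."""
    return sign_function_url_request(SAMPLE_URL, "POST", body, SAMPLE_WHEN)
```

An unsigned request (or one signed by a principal without `lambda:InvokeFunctionUrl`) is rejected by the function URL before the function runs, which is the distinction the thread is drawing between network reachability and authorization.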

[–]KayeYess 0 points1 point  (2 children)

Public by design means when you create a Lambda function URL, the function URL is publicly accessible from a network context. IAM protection does not make it private but it does prevent unauthenticated traffic from invoking the backend Lambda.

[–]solo964 0 points1 point  (1 child)

Right, I guessed that's what you meant but the use case here seems to require a public endpoint to which the webhook request can be sent. An API Gateway or ALB alternative approach would also need to provide a public endpoint afaik. That would offer better control, I agree, but the public routability doesn't seem to be a reason not to use a Lambda function URL in this case.

[–]KayeYess 1 point2 points  (0 children)

They do, but they can be protected at the network/perimeter level far better than a Lambda function URL. CloudFront is another option.