Lambda Function Public Exposure

Are your Lambda functions invocable from outside your account?

What this looks like in the scanner
securecompass.io/public-exposure-scanner
[Critical] prod-webhook-handler: Lambda function URL configured with AuthType NONE - publicly invocable
[High] data-export-processor: Resource-based policy allows invoke from Principal: "*" without condition keys
[Medium] internal-api-handler: Lambda function connected to API Gateway endpoint with no authorizer

What does AWS Lambda public exposure mean?

Lambda functions can be publicly exposed through function URL configurations without authentication, overly permissive resource-based policies, or API Gateway endpoints without authorization. This allows anyone to invoke your function and consume compute resources.

Why it matters

Publicly invocable Lambda functions can lead to unauthorized data access, unexpected costs from abuse, and potential code execution with your function's IAM role permissions. Functions with access to databases or internal APIs become a direct bridge into your infrastructure.

How to check manually

  1. Check the Lambda console for Function URLs with AuthType: NONE
  2. Review resource-based policies for Principal: "*" without conditions
  3. Check API Gateway integrations for endpoints missing authorization
  4. Review CloudWatch Logs for unexpected invocations

Quick check with AWS CLI

Find Lambda functions with public URL endpoints
aws lambda list-functions --query "Functions[].FunctionName" --output text | xargs -I {} aws lambda get-function-url-config --function-name {} 2>/dev/null
Check a function's resource-based policy
aws lambda get-policy --function-name YOUR_FUNCTION_NAME --query "Policy" --output text | python3 -m json.tool
List all function URL configs with auth type
aws lambda list-function-url-configs --function-name YOUR_FUNCTION_NAME --query "FunctionUrlConfigs[].{URL:FunctionUrl,AuthType:AuthType}"
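The resource-based policy returned by the get-policy command above is the artifact to inspect for the Critical and High findings: a public function URL shows up as an Allow statement for Principal "*" on lambda:InvokeFunctionUrl with the lambda:FunctionUrlAuthType condition set to NONE, while a "*" principal on lambda:InvokeFunction is only safe when a condition key such as aws:SourceArn or aws:SourceAccount scopes it. The following checker is an added example, not the scanner's code; the policy documents and account id it tests are constructed.

```python
import json

# Condition keys that narrow a "*" principal to a specific caller, account or org.
# aws:SourceArn / aws:SourceAccount are the usual ones on event-source grants.
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:principalorgid", "aws:sourcevpce"}
INVOKE_URL = {"lambda:invokefunctionurl", "lambda:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    # Lambda policies express "anyone" as "*" or {"AWS": "*"}; a Service principal is not public.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _condition_keys(condition):
    # Condition is {operator: {key: value}}; collect the keys, case-insensitively.
    keys = set()
    for operator_block in (condition or {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def assess_policy(policy_json):
    """Return (severity, reason) findings for a Lambda resource-based policy document.

    Accepts the JSON string printed by `aws lambda get-policy --query Policy --output text`.
    """
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        keys = _condition_keys(stmt.get("Condition"))
        sid = stmt.get("Sid", "<no Sid>")
        if keys & SCOPING_KEYS:
            continue  # "*" principal, but pinned to a source ARN/account: expected for event sources
        if actions & INVOKE_URL:
            findings.append(("Critical", f"{sid}: function URL invocable by anyone (AuthType NONE)"))
        else:
            findings.append(("High", f"{sid}: Principal \"*\" may invoke with no scoping condition"))
    return findings
```

A statement with a Service principal (for example S3 or API Gateway) is never reported by this checker; only the "*" principal cases the scanner's findings describe are.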

Common misconfigurations

Function URL configured with auth type NONE
Resource policy granting invoke access to all principals
API Gateway endpoint with no authorizer configured
Cross-account permissions broader than needed

Check all 22 resource types at once

Instead of checking each service manually, scan your entire AWS account and see every public exposure ranked by risk.
