creating a lambda function url configuration may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

aws
sigma

Techniques

Sample rules

New AWS Lambda Function URL Configuration Created

source: sigma
technicques:

Description

Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function’s IAM role for AWS API calls. This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.

Detection logic

condition: selection
selection:
  eventName: CreateFunctionUrlConfig
  eventSource: lambda.amazonaws.com