Posted On: Apr 11, 2024

Starting today, customers can protect their AWS Lambda URL origins by using CloudFront Origin Access Control (OAC) to only allow access from designated CloudFront distributions. 

Lambda function URLs allow customers to implement single-function services like form validators, mobile payment processing, machine learning inference, and more. Many customers front their Lambda function URLs with CloudFront to accelerate content delivery. By doing so, they receive DDoS protection from AWS Shield Standard for free and can apply AWS Web Application Firewall (WAF) rules to protect their Lambda applications from malicious bots and common web exploits.

With this launch, customers can now use CloudFront OAC to authenticate access to Lambda function URLs from their designated CloudFront distributions. OAC uses AWS Signature Version 4 (SigV4), allowing customers to block unintended users from directly accessing the function URLs. This improves the security posture because the potential threat surface of the URL endpoint is reduced. It also ensures AWS Shield and WAF protection for all requests, as they must go through CloudFront, where the security services are applied. Requiring authentication through CloudFront OAC also ensures every request benefits from consistent content delivery acceleration with CloudFront's global scale.
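The following audit is an added example, not code from AWS or from this announcement. It checks that a function URL is reachable only through one CloudFront distribution, assuming the setup the CloudFront Developer Guide describes for OAC: the function URL uses `AuthType` `AWS_IAM`, and the function's resource policy grants `lambda:InvokeFunctionUrl` to `cloudfront.amazonaws.com` conditioned on `AWS:SourceArn`. The helper name `audit_function_url`, the account ID, the distribution ID and the function name are constructed placeholders.

```python
import json

# Constructed sample inputs (not from the announcement): the account ID,
# distribution ID and function name are placeholders.
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"
FN_ARN = "arn:aws:lambda:us-east-1:111122223333:function:example-fn"

# Corrected setting: only CloudFront, and only the named distribution, may invoke.
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "lambda:InvokeFunctionUrl", "Resource": FN_ARN,
    "Condition": {"ArnLike": {"AWS:SourceArn": DIST_ARN}}}]})

# Weak setting: public function URL that anyone can call directly.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": "lambda:InvokeFunctionUrl", "Resource": FN_ARN,
    "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}}]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_function_url(auth_type, policy_json, expected_dist_arn):
    """Return findings; an empty list means no direct-access grant was found."""
    findings = []
    if auth_type != "AWS_IAM":
        findings.append("AuthType is not AWS_IAM: unsigned requests reach the function")
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(
                a in ("lambda:InvokeFunctionUrl", "lambda:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if services != ["cloudfront.amazonaws.com"] or set(principal) != {"Service"}:
            findings.append("InvokeFunctionUrl granted to a principal other than CloudFront")
            continue
        # IAM condition operators and key names are case-insensitive.
        source_arns = [arn for op, keys in stmt.get("Condition", {}).items()
                       if op.lower() in ("arnlike", "arnequals", "stringequals")
                       for key, val in keys.items() if key.lower() == "aws:sourcearn"
                       for arn in _as_list(val)]
        if source_arns != [expected_dist_arn]:
            findings.append("CloudFront grant is not pinned to the expected distribution")
    return findings
```

In practice the two inputs would come from the function URL configuration and the function's resource policy as returned by the Lambda API, rather than from the inline samples.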

CloudFront OAC support for AWS Lambda function URL origins is now available worldwide except for the CloudFront China region. You can enable OAC using the CloudFront Console, SDK, CLI, or CloudFormation. There are no additional fees associated with this feature. For more information, please refer to the CloudFront Developer Guide. To learn more about CloudFront, visit the CloudFront Getting Started page.