Lambda functions CORS configuration should not allow all origins¶

Enable this rule to ensure that the CORS configuration for your Lambda functions does not allow all origins.

How to fix¶

Attribute authorization_type of aws_lambda_function_url must be non-empty.

Implementation options¶

Choose the option that matches how you manage Terraform. All options satisfy this control.

Option 1: Open source module (terraform-aws-modules)¶

If you use terraform-aws-modules/lambda/aws, configure the required module inputs to satisfy this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "lambda" {
  source  = "terraform-aws-modules/lambda/aws"
  version = ">=8.0.0"

  create_package         = false
  function_name          = "abc123"
  handler                = "index.lambda_handler"
  local_existing_package = "lambda_function.zip"
  runtime                = "python3.12"
}

Option 2: Terraform AWS provider resources¶

If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_lambda_function_url.

resource "aws_lambda_function" "this" {
  function_name    = "example-abc123"
  role             = "arn:aws:iam::123456789012:role/example-role"
  runtime          = "python3.12"
  handler          = "index.handler"
  filename         = "lambda_function.zip"
  source_code_hash = "base64encodedhashabcdef1234567890=="
}

resource "aws_lambda_function_url" "this" {
  authorization_type = "NONE"
  function_name      = "example-function"
}

Tool mappings¶

Use these identifiers to cross-reference this control across tools, reports, and evidence.

• Compliance.tf (CTF) Control: lambda_function_cors_configuration

• Checkov Check: CKV2_AWS_75

• Powerpipe Control: aws_compliance.control.lambda_function_cors_configuration