Lambda functions CORS configuration should not allow all origins
A Lambda function URL with allow_origins = ["*"] lets any website make cross-origin requests to your function. That's a direct path for cross-site request forgery and data exfiltration: a malicious page can call your function using a victim's browser session, cookies, and authorization headers.
Restricting origins to known domains limits which sites can trigger browser-based requests. This matters most for functions that return sensitive data or perform writes, since the browser automatically attaches credentials on qualifying cross-origin requests.
Retrofit consideration
Existing functions with wildcard origins may have callers you haven't documented. Check CloudWatch logs and access patterns first, then restrict origins incrementally to avoid breaking legitimate callers.
Implementation
Choose the approach that matches how you manage Terraform.
If you use terraform-aws-modules/lambda/aws, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.
module "lambda" {
  source  = "terraform-aws-modules/lambda/aws"
  version = ">=8.0.0"

  function_name          = "abc123"
  handler                = "index.lambda_handler"
  runtime                = "python3.12"
  create_package         = false
  local_existing_package = "lambda_function.zip"

  # Inputs relevant to this control: create the function URL and list only
  # the specific origins that need cross-origin access (never "*").
  create_lambda_function_url = true
  cors = {
    allow_origins = ["https://app.example.com"]
  }
}
Use AWS provider resources directly. See docs for the resources involved: aws_lambda_function_url.
resource "aws_lambda_function" "this" {
  function_name    = "pofix-abc123"
  role             = "arn:aws:iam::123456789012:role/example-role"
  runtime          = "python3.12"
  handler          = "index.handler"
  filename         = "lambda_function.zip"
  source_code_hash = "base64encodedhashabcdef1234567890=="
}

resource "aws_lambda_function_url" "this" {
  # Reference the function defined above rather than an unrelated name.
  function_name      = aws_lambda_function.this.function_name
  authorization_type = "NONE"

  # Passing configuration: list the exact origins that need cross-origin
  # access. Omitting the cors block entirely also passes (no CORS headers);
  # allow_origins = ["*"] fails, even alongside specific origins.
  cors {
    allow_origins = ["https://app.example.com"]
  }
}
What this control checks
This control targets the aws_lambda_function_url resource. The cors block's allow_origins argument must not contain "*". A passing configuration lists one or more specific origin URLs, for example ["https://app.example.com"]. It fails when allow_origins = ["*"] or when "*" appears alongside other origins.
If the cors block is omitted, the function URL returns no CORS headers and browsers enforce same-origin policy by default, so the control passes. When remediating, replace the wildcard with the exact scheme, domain, and port combinations that need cross-origin access.
Common pitfalls
Wildcard buried among specific origins
Setting allow_origins = ["https://app.example.com", "*"] still grants universal access. The browser treats "*" as a full wildcard regardless of what else is in the list. Every element needs to be a specific origin.
Confusing allow_headers or allow_methods wildcards with allow_origins
The cors block has separate arguments: allow_headers, allow_methods, and allow_origins. This control only checks allow_origins. A wildcard in allow_methods or allow_headers won't trigger a failure here, but it's still worth reviewing independently.
Missing cors block does not fail
No cors block means no CORS headers, and browsers enforce same-origin policy by default. That's actually more restrictive than an explicit wildcard. Don't add a cors block with allow_origins = ["*"] to satisfy a perceived configuration requirement that doesn't exist.
Function URL auth_type NONE with open CORS
When authorization_type = "NONE" and CORS allows all origins, anyone on the internet can invoke the function from any webpage without IAM auth. These two settings together are particularly dangerous. Pair this control with authorization checks to catch both conditions.
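The check described under "What this control checks", together with the buried-wildcard and auth_type NONE pitfalls above, as an added example that is not part of this page or of any of the listed tools. It evaluates aws_lambda_function_url resources in the parsed output of `terraform show -json`, recursing into child modules, against a constructed sample plan; the plan shape (nested blocks as lists under `values`) is the standard plan JSON format, and the sample addresses and origins are made up.

```python
def iter_resources(module):
    """Yield every resource in a plan module, recursing into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def evaluate_function_url(values):
    """Return (status, reason) for one aws_lambda_function_url's planned values.
    In plan JSON a nested block such as `cors` is a list of objects (at most one here)."""
    cors_blocks = values.get("cors") or []
    if not cors_blocks:
        return "PASS", "no cors block: no CORS headers, browser same-origin policy applies"
    origins = cors_blocks[0].get("allow_origins") or []
    if "*" in origins:  # a wildcard anywhere in the list fails, even next to specific origins
        reason = f"allow_origins contains wildcard: {origins}"
        if values.get("authorization_type") == "NONE":
            reason += "; authorization_type NONE makes this invokable from any web page"
        return "FAIL", reason
    return "PASS", f"allow_origins restricted to {origins}"


def evaluate_plan(plan):
    """Map each aws_lambda_function_url address in the plan to its evaluation."""
    return {
        res["address"]: evaluate_function_url(res["values"])
        for res in iter_resources(plan["planned_values"]["root_module"])
        if res["type"] == "aws_lambda_function_url"
    }


# Constructed sample in the shape of `json.load`-ed `terraform show -json tfplan`
# output; not real plan output.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "aws_lambda_function_url.no_cors", "type": "aws_lambda_function_url",
         "values": {"authorization_type": "AWS_IAM", "cors": []}},
        {"address": "aws_lambda_function_url.buried_wildcard", "type": "aws_lambda_function_url",
         "values": {"authorization_type": "NONE",
                    "cors": [{"allow_origins": ["https://app.example.com", "*"]}]}},
    ],
    "child_modules": [{"address": "module.lambda", "resources": [
        {"address": "module.lambda.aws_lambda_function_url.this[0]",
         "type": "aws_lambda_function_url",
         "values": {"authorization_type": "NONE",
                    "cors": [{"allow_origins": ["https://app.example.com"]}]}},
    ]}],
}}}

if __name__ == "__main__":
    for address, (status, reason) in evaluate_plan(SAMPLE_PLAN).items():
        print(f"{status}: {address}: {reason}")
```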
Audit evidence
Config rule evaluation results showing all in-scope Lambda function URLs as COMPLIANT, with no wildcard origin configurations, are the primary evidence. Screenshots from the Lambda function URL configuration page showing specific domains in the CORS allowed origins field support this. CloudTrail UpdateFunctionUrlConfig and CreateFunctionUrlConfig events establish a change history confirming wildcard origins were never set or were remediated. A scan report covering all accounts and regions rounds out the package.
Framework-specific interpretation
Related controls
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control: lambda_function_cors_configuration
Checkov Check: CKV2_AWS_75
Powerpipe Control: aws_compliance.control.lambda_function_cors_configuration
Prowler Check: awslambda_function_url_cors_policy
Last reviewed: 2026-03-09