保護DataHogo
Security Encyclopedia/Cloud Provider Security
highCWE-284OWASP A01:2021

Cloud Function Public Invocation

Your Lambda or Cloud Function allows unauthenticated invocation, meaning anyone on the internet can trigger it without credentials.

How It Works

Cloud Functions deployed with --allow-unauthenticated (GCP) or with a resource-based policy allowing Principal: '*' to lambda:InvokeFunction (AWS) are callable by anyone. If the function performs sensitive operations (writes to a database, sends emails, charges payment methods), any internet user can trigger those operations without any authentication check.

Vulnerable Code
# BAD: GCP Cloud Function allowing unauthenticated invocation
gcloud functions deploy my-function \
  --trigger-http \
  --allow-unauthenticated  # anyone can invoke this

# BAD: AWS Lambda resource policy with public invocation
aws lambda add-permission \
  --function-name my-function \
  --principal "*" \
  --action lambda:InvokeFunction
Secure Code
# GOOD: GCP Cloud Function requiring authentication
gcloud functions deploy my-function \
  --trigger-http \
  --no-allow-unauthenticated  # requires valid Google identity token

# GOOD: AWS Lambda invoked only by API Gateway with auth
# Use API Gateway + Cognito authorizer or Lambda authorizer — no public direct invocation

Real-World Example

A startup deployed a GCP Cloud Function for their Stripe webhook handler with --allow-unauthenticated for simplicity. An attacker discovered the URL, replayed old webhook payloads, and triggered duplicate order fulfillments. The function should have verified the Stripe webhook signature and required authenticated invocation.

How to Prevent It

  • Never deploy Cloud Functions with --allow-unauthenticated unless they're truly public endpoints (like webhooks with signature verification)
  • For webhooks, use --no-allow-unauthenticated but verify the provider's signature inside the function
  • Use API Gateway as a front door with a proper authorizer rather than exposing Lambda directly
  • Apply least-privilege: only allow specific services (API Gateway, Event Bridge) to invoke the function
  • Audit all Lambda/Cloud Function resource-based policies for Principal: '*' entries

Affected Technologies

Node.jsPython

Data Hogo detects this vulnerability automatically.

Scan Your Repo Free

Related Vulnerabilities

S3 Bucket Public Access

critical

Your S3 bucket is publicly readable due to a public ACL, disabled Block Public Access settings, or a wildcard bucket policy — anyone on the internet can list and download your files.

CWE-284OWASP A05:2021

Cloud Metadata SSRF

critical

Your app fetches user-supplied URLs without blocking cloud metadata endpoints like 169.254.169.254, letting attackers steal your cloud credentials via SSRF.

CWE-918OWASP A10:2021

AWS Credentials Hardcoded

critical

AWS access keys (starting with AKIA) or secret access keys are hardcoded in your source code, giving anyone who reads the code full access to your AWS account.

CWE-798OWASP A02:2021

IAM Overly Permissive Policy

high

Your IAM policy uses Action: '*' or Resource: '*', granting far more permissions than needed and turning any credential leak into a full account takeover.

CWE-269OWASP A01:2021