1
00:00:00,210 --> 00:00:03,030
So now let's talk about Lambda function URL.

2
00:00:03,030 --> 00:00:05,400
What if you wanted to just expose your Lambda function

3
00:00:05,400 --> 00:00:09,570
as an HTTP endpoint without having to go through the hassle

4
00:00:09,570 --> 00:00:13,590
of using API Gateway or an Application Load Balancer?

5
00:00:13,590 --> 00:00:14,940
Well, you can use function URL,

6
00:00:14,940 --> 00:00:17,220
and this gives you a unique URL endpoint

7
00:00:17,220 --> 00:00:18,450
that will never change

8
00:00:18,450 --> 00:00:20,820
for your Lambda function, which looks like this.

9
00:00:20,820 --> 00:00:24,000
And it supports IPv4 and IPv6.

10
00:00:24,000 --> 00:00:24,930
So your Lambda function,

11
00:00:24,930 --> 00:00:27,570
once you publish it as a function URL,

12
00:00:27,570 --> 00:00:30,870
you will be able to access it and perform HTTPS requests

13
00:00:30,870 --> 00:00:33,840
to it using a web browser, using the command line,

14
00:00:33,840 --> 00:00:37,620
using Postman or really any HTTP client.

15
00:00:37,620 --> 00:00:41,220
Now, this function URL can only be accessed

16
00:00:41,220 --> 00:00:43,500
through the public internet.

17
00:00:43,500 --> 00:00:45,450
If you're trying to access it privately

18
00:00:45,450 --> 00:00:48,660
and want a private URL, this is not going to work.

19
00:00:48,660 --> 00:00:51,540
Now, in case you are accessing this function URL

20
00:00:51,540 --> 00:00:52,710
from a different domain,

21
00:00:52,710 --> 00:00:55,410
you can use CORS configuration as we'll see.

22
00:00:55,410 --> 00:00:56,250
And for security,

23
00:00:56,250 --> 00:00:59,460
we have resource-based policies to manage access

24
00:00:59,460 --> 00:01:01,170
to our Lambda function URL.
25
00:01:01,170 --> 00:01:03,930
This can be applied to any function alias

26
00:01:03,930 --> 00:01:06,810
or to the latest version of your function,

27
00:01:06,810 --> 00:01:10,260
but you cannot apply it to specific function versions.

28
00:01:10,260 --> 00:01:12,600
You can create and configure it using the console

29
00:01:12,600 --> 00:01:14,220
or the API.

30
00:01:14,220 --> 00:01:15,420
And if you need throttling

31
00:01:15,420 --> 00:01:16,530
because you want your Lambda function

32
00:01:16,530 --> 00:01:18,750
to only run up to a specific amount,

33
00:01:18,750 --> 00:01:21,120
you can use the reserved concurrency feature of Lambda

34
00:01:21,120 --> 00:01:24,900
to control how much a Lambda function can run.

35
00:01:24,900 --> 00:01:27,690
Now, for the URL security, how does it work?

36
00:01:27,690 --> 00:01:29,640
Well, we have resource-based policies

37
00:01:29,640 --> 00:01:31,770
and this gets attached to your Lambda function

38
00:01:31,770 --> 00:01:35,070
and this is going to be able to say which other accounts

39
00:01:35,070 --> 00:01:38,700
or specific IP ranges (CIDR) or IAM principals

40
00:01:38,700 --> 00:01:41,100
can access our Lambda function URL.

41
00:01:41,100 --> 00:01:41,933
And for CORS,

42
00:01:41,933 --> 00:01:44,760
this is similar to what we've seen in Amazon S3.

43
00:01:44,760 --> 00:01:46,500
So if you call your Lambda function URL

44
00:01:46,500 --> 00:01:47,700
from a different domain,

45
00:01:47,700 --> 00:01:49,920
then you must have CORS security in place.

46
00:01:49,920 --> 00:01:54,600
So in this example, our S3 bucket is fronted by CloudFront

47
00:01:54,600 --> 00:01:57,990
to which we have a custom URL as example.com.

48
00:01:57,990 --> 00:02:01,080
But the API is hosted as a Lambda function URL,

49
00:02:01,080 --> 00:02:03,030
which is api.example.com.
50
00:02:03,030 --> 00:02:04,230
Because the domains are different,

51
00:02:04,230 --> 00:02:06,150
you need to set the CORS setting

52
00:02:06,150 --> 00:02:09,480
on your Lambda function URL to make things work.

53
00:02:09,480 --> 00:02:10,470
Now, for security.

54
00:02:10,470 --> 00:02:13,920
So if you set AuthType NONE, then this allows public

55
00:02:13,920 --> 00:02:16,590
and unauthenticated access to your Lambda function,

56
00:02:16,590 --> 00:02:17,460
which is cool.

57
00:02:17,460 --> 00:02:19,560
And then the resource-based policy is what's going

58
00:02:19,560 --> 00:02:22,710
to determine whether or not a request is going to be allowed

59
00:02:22,710 --> 00:02:23,670
on your function.

60
00:02:23,670 --> 00:02:27,300
And so you must grant public access in the resource policy.

61
00:02:27,300 --> 00:02:31,110
So here what I have is allow principal star

62
00:02:31,110 --> 00:02:35,370
for InvokeFunctionUrl, and then this allows people to go

63
00:02:35,370 --> 00:02:37,950
through the internet and access our Lambda function

64
00:02:37,950 --> 00:02:40,290
as a Lambda function URL.

65
00:02:40,290 --> 00:02:43,140
If you set AuthType to be AWS_IAM,

66
00:02:43,140 --> 00:02:44,490
then IAM is going to be used

67
00:02:44,490 --> 00:02:46,290
to authenticate and authorize requests

68
00:02:46,290 --> 00:02:47,370
to your Lambda function.

69
00:02:47,370 --> 00:02:50,400
And so both the principal's identity-based policy

70
00:02:50,400 --> 00:02:54,450
and the resource-based policies are going to be evaluated.

71
00:02:54,450 --> 00:02:55,860
And so you need to make sure

72
00:02:55,860 --> 00:02:57,300
that between these two things,

73
00:02:57,300 --> 00:03:00,420
there is a lambda:InvokeFunctionUrl permission.
74
00:03:00,420 --> 00:03:02,610
Now, if we are within the same account,

75
00:03:02,610 --> 00:03:05,100
then if the identity-based policy

76
00:03:05,100 --> 00:03:08,790
or the resource-based policy allows this API call,

77
00:03:08,790 --> 00:03:09,623
you're good to go.

78
00:03:09,623 --> 00:03:11,610
This is very similar to S3 buckets.

79
00:03:11,610 --> 00:03:13,230
But if you're doing cross-account,

80
00:03:13,230 --> 00:03:15,630
you need to have both the identity policy

81
00:03:15,630 --> 00:03:18,150
and the resource-based policy as allow.

82
00:03:18,150 --> 00:03:20,520
So here in this example, on account A,

83
00:03:20,520 --> 00:03:22,710
I've attached a resource-based policy,

84
00:03:22,710 --> 00:03:24,870
and if you look at the principal part of it,

85
00:03:24,870 --> 00:03:26,970
this actually authorizes the role

86
00:03:26,970 --> 00:03:29,910
in account B to access my Lambda function,

87
00:03:29,910 --> 00:03:30,743
but that's not enough

88
00:03:30,743 --> 00:03:33,180
because we are in a cross-account setting.

89
00:03:33,180 --> 00:03:35,430
The IAM role of account B

90
00:03:35,430 --> 00:03:38,310
must also have an identity-based policy

91
00:03:38,310 --> 00:03:41,490
that allows it to invoke the Lambda function URL

92
00:03:41,490 --> 00:03:42,870
of the other account.

93
00:03:42,870 --> 00:03:46,170
When these things are both in place, then security works

94
00:03:46,170 --> 00:03:48,690
and the IAM role can use the Lambda function URL

95
00:03:48,690 --> 00:03:49,819
of account A.

96
00:03:49,819 --> 00:03:52,020
Okay, so that's it for this lecture.

97
00:03:52,020 --> 00:03:54,970
I hope you liked it and I will see you in the next lecture.
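Added example after the lecture (not part of the transcript or of any AWS code): with AuthType AWS_IAM, the client has to present a SigV4 signature that IAM checks against the identity-based and resource-based policies for lambda:InvokeFunctionUrl. The block below builds those signed headers for a function URL with only the standard library, so the whole signing chain (canonical request, string to sign, derived key) is visible. The function URL host, the access key id and the secret key are placeholders; nothing is sent over the network, the function only returns the headers an HTTP client would attach.

```python
"""SigV4-sign an HTTPS request to a Lambda function URL (AuthType AWS_IAM).

Added example, not from the lecture. Nothing is sent: the signer returns the
headers a client (curl, requests, ...) would add to the request.
"""
import datetime as dt
import hashlib
import hmac
import urllib.parse

# SHA-256 of an empty payload; sent as x-amz-content-sha256 for body-less requests.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the per-day SigV4 signing key: an HMAC chain over date, region, service."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_function_url_request(method, url, body, access_key, secret_key, region,
                              session_token=None, extra_headers=None, amz_date=None):
    """Return the headers for a SigV4-signed call to a Lambda function URL.

    The SigV4 service name for function URLs is "lambda"; on the IAM side the
    permission that must be granted is lambda:InvokeFunctionUrl. amz_date can be
    pinned (format YYYYMMDDTHHMMSSZ) to make the output reproducible in tests.
    """
    parsed = urllib.parse.urlsplit(url)
    host = parsed.netloc.lower()
    # Canonical URI: the URL-encoded path, "/" when empty.
    canonical_uri = urllib.parse.quote(parsed.path or "/", safe="/-_.~")
    # Canonical query string: pairs sorted by name, names and values URL-encoded.
    pairs = urllib.parse.parse_qsl(parsed.query, keep_blank_values=True)
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted(pairs)
    )
    if amz_date is None:
        amz_date = dt.datetime.now(dt.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]

    payload_hash = _sha256_hex(body)
    headers = {
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-content-sha256": payload_hash,  # hash of the body, also part of the signature
    }
    if session_token:  # temporary credentials (e.g. an assumed role) must send the token too
        headers["x-amz-security-token"] = session_token
    for name, value in (extra_headers or {}).items():
        headers[name.lower()] = " ".join(value.split())  # trim and collapse whitespace

    # Canonical headers: lowercase names sorted, each "name:value\n".
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        method.upper(), canonical_uri, canonical_query,
        canonical_headers, signed_headers, payload_hash,
    ])
    scope = f"{date_stamp}/{region}/lambda/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        _sha256_hex(canonical_request.encode("utf-8")),
    ])
    signature = hmac.new(
        signing_key(secret_key, date_stamp, region, "lambda"),
        string_to_sign.encode("utf-8"), hashlib.sha256,
    ).hexdigest()

    out = {k: v for k, v in headers.items() if k != "host"}  # the HTTP client sets Host
    out["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return out


if __name__ == "__main__":
    # Placeholder credentials and a made-up function URL host; nothing is sent.
    hdrs = sign_function_url_request(
        "POST", "https://abcdef123456.lambda-url.us-east-1.on.aws/orders?id=7",
        b'{"item": "book"}', "AKIAIOSFODNN7EXAMPLE",
        "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "us-east-1",
        extra_headers={"content-type": "application/json"},
    )
    for name, value in hdrs.items():
        print(f"{name}: {value}")
```

In practice the AWS SDKs and the AWS CLI sign for you, and curl 7.75 or later can do it with `--aws-sigv4 "aws:amz:us-east-1:lambda"` plus `--user "$AWS_ACCESS_KEY_ID:$AWS_SECRET_ACCESS_KEY"`; the hand-rolled signer is here to show what IAM actually verifies. The two policy conditions from the lecture still apply: the signature only proves who the caller is, and the request is rejected unless lambda:InvokeFunctionUrl is allowed by the caller's identity policy or the function's resource policy (same account) or by both (cross-account). With AuthType NONE none of this runs; the function URL is reachable by anyone on the internet once the resource policy allows principal "*" (for example via `aws lambda add-permission ... --action lambda:InvokeFunctionUrl --principal "*" --function-url-auth-type NONE`), which is why the reserved-concurrency throttle mentioned above matters for public endpoints.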