# AWS - Lambda Unauthenticated Access

{{#include ../../../banners/hacktricks-training.md}}

## Public Function URL

It's possible to relate a **Lambda** with a **public function URL** that anyone can access. It could contain web vulnerabilities.

### Public URL template

```
https://{random_id}.lambda-url.{region}.on.aws/
```

### Get Account ID from public Lambda URL

Just like with S3 buckets, Data Exchange and API gateways, It's possible to find the account ID of an account abusing the **`aws:ResourceAccount`** **Policy Condition Key** from a public lambda URL. This is done by finding the account ID one character at a time abusing wildcards in the **`aws:ResourceAccount`** section of the policy.\
This technique also allows to get **values of tags** if you know the tag key (there some default interesting ones).

You can find more information in the [**original research**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) and the tool [**conditional-love**](https://github.com/plerionhq/conditional-love/) to automate this exploitation.

{{#include ../../../banners/hacktricks-training.md}}