cloudfront: FunctionUrlOrigin.withOriginAccessControl does not grant required lambda:InvokeFunction for Dual Auth #35872

@c19yamamoto

Description

Describe the bug

AWS Lambda has introduced a Dual Authentication (Dual Auth) requirement for Function URLs (FURLs) to enhance security. Invoking a FURL now requires granting both lambda:InvokeFunctionUrl and lambda:InvokeFunction permissions in the resource-based policy.

When using the aws_cloudfront_origins.FunctionUrlOrigin.withOriginAccessControl construct to integrate a Lambda Function URL with CloudFront's OAC (Origin Access Control), the generated resource-based policy only grants the CloudFront Service Principal lambda:InvokeFunctionUrl. It is currently missing the required lambda:InvokeFunction permission.

This omission is a breaking change that will likely cause CloudFront access to fail with a permission error once Lambda's temporary exception period (scheduled to end November 1, 2026) expires.

Last Known Working CDK Library Version

v2.221.0

Expected Behavior

When using aws_cloudfront_origins.FunctionUrlOrigin.withOriginAccessControl, the deployed Lambda Function's resource-based policy should automatically include the necessary permissions for the CloudFront Service Principal to successfully invoke the Function URL under the new Dual Auth model.

Specifically, the policy should contain a statement that grants both the lambda:InvokeFunctionUrl and the restricted lambda:InvokeFunction actions, along with the AWS:SourceArn condition to restrict it to the specific CloudFront Distribution.

Current Behavior

The deployment is currently successful, but the generated Lambda Resource-Based Policy for the CloudFront Service Principal is incomplete according to the new AWS Lambda Dual Auth requirements.

When inspecting the deployed Lambda Function's permissions in the AWS Management Console, the generated policy statement intended for the OAC only includes the lambda:InvokeFunctionUrl action, but lacks the required lambda:InvokeFunction action.

Reproduction Steps

Please use the following minimal, self-contained CDK TypeScript snippet to reproduce the issue.

  1. Deploy: Run cdk deploy.
  2. Verify Policy: Navigate to the deployed Lambda Function in the AWS Console, check the Permissions tab, and view the Resource-based policy. The policy statement for cloudfront.amazonaws.com will be missing the lambda:InvokeFunction action.

```typescript
import { Stack } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';

export class FunctionUrlDistribution extends Stack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    // 1. Lambda Function
    const cdkIssue35872Function = new lambda.Function(this, 'cdkIssue35872Function', {
      runtime: lambda.Runtime.NODEJS_22_X,
      handler: 'index.handler',
      code: lambda.Code.fromInline('exports.handler = async () => ({ statusCode: 200, body: "Hello" });'),
    });

    // 2. Lambda Function URL with IAM Auth
    const functionUrl = cdkIssue35872Function.addFunctionUrl({
      authType: lambda.FunctionUrlAuthType.AWS_IAM,
    });

    // 3. CloudFront Distribution using FunctionUrlOrigin with OAC
    new cloudfront.Distribution(this, 'cdkIssue35872FunctionUrlDistribution', {
      defaultBehavior: {
        origin: origins.FunctionUrlOrigin.withOriginAccessControl(functionUrl),
      },
    });
  }
}
```

Additional Information/Context

Related PR:

AWS CDK Library version (aws-cdk-lib)

v2.221.0

AWS CDK CLI version

v2.31.24

Node.js Version

v24.10.0

OS

macOS

Language

TypeScript
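The "Verify Policy" step above is done by eye in the console. As an added example (not code from the issue, from its author, or from aws-cdk-lib), the following TypeScript automates that check against the JSON document the Lambda API returns (the `Policy` field of `aws lambda get-policy --function-name <name>` is a JSON string in this shape). It finds the statements for `cloudfront.amazonaws.com` that are scoped to a given distribution ARN, reports which of `lambda:InvokeFunctionUrl` / `lambda:InvokeFunction` are missing, and flags a CloudFront statement that carries no `AWS:SourceArn` scope at all, since that would let any distribution in any account reach the Function URL. The account, region, function and distribution identifiers in the constructed sample policies are placeholders, and the wildcard handling goes slightly beyond the issue (IAM action and `ArnLike` matching with `*`).

```typescript
// Added example: audit a Lambda resource-based policy for the CloudFront OAC
// Dual Auth requirement. Not code from the issue or from aws-cdk-lib.

type StringOrList = string | string[];

interface PolicyStatement {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Principal?: string | { Service?: StringOrList; AWS?: StringOrList };
  Action: StringOrList;
  Resource?: StringOrList;
  Condition?: Record<string, Record<string, StringOrList>>;
}

interface PolicyDocument {
  Version: string;
  Id?: string;
  Statement: PolicyStatement[];
}

interface DualAuthReport {
  missingActions: string[];  // required actions no matching statement allows
  allowedPatterns: string[]; // Action values found on the matching statements
  warnings: string[];        // CloudFront statements with no AWS:SourceArn scope
  ok: boolean;
}

const REQUIRED_ACTIONS = ['lambda:InvokeFunctionUrl', 'lambda:InvokeFunction'];
const CLOUDFRONT_PRINCIPAL = 'cloudfront.amazonaws.com';

function asList(v: StringOrList | undefined): string[] {
  if (v === undefined) return [];
  return Array.isArray(v) ? v : [v];
}

// IAM actions and ArnLike values are matched case-insensitively with `*` wildcards.
function globMatches(pattern: string, value: string): boolean {
  const escaped = pattern
    .split('*')
    .map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp(`^${escaped}$`, 'i').test(value);
}

// Collect AWS:SourceArn values regardless of which condition operator carries them.
function sourceArns(stmt: PolicyStatement): string[] {
  const arns: string[] = [];
  for (const operator of Object.values(stmt.Condition ?? {})) {
    for (const [key, value] of Object.entries(operator)) {
      if (key.toLowerCase() === 'aws:sourcearn') arns.push(...asList(value));
    }
  }
  return arns;
}

function checkCloudFrontDualAuth(policyJson: string, distributionArn: string): DualAuthReport {
  const doc = JSON.parse(policyJson) as PolicyDocument;
  const allowedPatterns: string[] = [];
  const warnings: string[] = [];

  for (const stmt of doc.Statement) {
    if (stmt.Effect !== 'Allow') continue;
    const principal = stmt.Principal;
    const services = typeof principal === 'object' ? asList(principal.Service) : [];
    if (!services.includes(CLOUDFRONT_PRINCIPAL)) continue;

    const arns = sourceArns(stmt);
    if (arns.length === 0) {
      // Unscoped: any distribution anywhere could invoke the URL (confused deputy).
      warnings.push(`${stmt.Sid ?? '<no Sid>'}: no AWS:SourceArn condition`);
    } else if (!arns.some((a) => globMatches(a, distributionArn))) {
      continue; // scoped to a different distribution; grants nothing to this one
    }
    allowedPatterns.push(...asList(stmt.Action));
  }

  const missingActions = REQUIRED_ACTIONS.filter(
    (required) => !allowedPatterns.some((p) => globMatches(p, required)),
  );
  return { missingActions, allowedPatterns, warnings, ok: missingActions.length === 0 };
}

// Constructed sample policies with placeholder identifiers, in the shape the
// Lambda console shows for the OAC permission statement.
const FUNCTION_ARN = 'arn:aws:lambda:us-east-1:123456789012:function:cdkIssue35872Function';
const DISTRIBUTION_ARN = 'arn:aws:cloudfront::123456789012:distribution/E1EXAMPLE';

function samplePolicy(actions: StringOrList, sourceArn?: string): string {
  const stmt: PolicyStatement = {
    Sid: 'AllowCloudFrontServicePrincipal',
    Effect: 'Allow',
    Principal: { Service: CLOUDFRONT_PRINCIPAL },
    Action: actions,
    Resource: FUNCTION_ARN,
  };
  if (sourceArn) stmt.Condition = { ArnLike: { 'AWS:SourceArn': sourceArn } };
  return JSON.stringify({ Version: '2012-10-17', Id: 'default', Statement: [stmt] });
}

// Shape described under "Current Behavior": only InvokeFunctionUrl, so the check fails.
const CURRENT_POLICY = samplePolicy('lambda:InvokeFunctionUrl', DISTRIBUTION_ARN);
// Shape described under "Expected Behavior": both actions, scoped to the distribution.
const EXPECTED_POLICY = samplePolicy(['lambda:InvokeFunctionUrl', 'lambda:InvokeFunction'], DISTRIBUTION_ARN);

console.log(checkCloudFrontDualAuth(CURRENT_POLICY, DISTRIBUTION_ARN));
console.log(checkCloudFrontDualAuth(EXPECTED_POLICY, DISTRIBUTION_ARN));
```

Until the construct is fixed, the gap can be closed from the stack itself (my suggestion, not something the issue states): call `addPermission` on the function with `new iam.ServicePrincipal('cloudfront.amazonaws.com')` as the principal, `action: 'lambda:InvokeFunction'`, and `sourceArn` set to the distribution's ARN, then re-run the check above after deploying. Keep the `AWS:SourceArn` scope on that added statement; an unscoped grant is exactly what the `warnings` field is there to catch.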

Labels: bug, effort/medium, good first issue, p2