Serverless 101: Deploying your first AWS Lambda with a Function URL

If you want to get a tiny web endpoint running without wiring API Gateway, load balancers, or extra infra, AWS Lambda Function URLs are a simple, modern way to expose a Lambda as an HTTPS endpoint. This short guide walks you through the idea, a minimal SAM-based project, and the security choices to be careful about — so you can deploy a working function quickly and safely. (docs.aws.amazon.com)

What is a Lambda Function URL — and why use it?

A Function URL is a dedicated HTTPS endpoint automatically created for a single Lambda function. It’s ideal for small HTTP handlers, webhooks, or quick proofs-of-concept where full API Gateway features are overkill. Unlike API Gateway, a Function URL points directly at one function and keeps the setup minimal. (docs.aws.amazon.com)

When you’re learning serverless, Function URLs let you focus on the code and basic cloud concepts (IAM, packaging, deployment) without adding an extra service layer. Later, if you need advanced routing, usage plans, or WAF integration, you can migrate to API Gateway. (docs.aws.amazon.com)

What you’ll need

• An AWS account and credentials configured (aws cli).
• AWS SAM CLI installed (we’ll use sam init / sam build / sam deploy). (github.com)
• A supported runtime (Node.js 20 or 22 are good choices today; Node.js 18 reached end-of-life in 2025). Pick a current runtime from the AWS runtime list when you create the project. (docs.aws.amazon.com)

Quick plan

1. Initialize a SAM “hello world” app.
2. Add a FunctionUrlConfig to the function in the SAM template.
3. Build and deploy with SAM.
4. Test the HTTPS endpoint.

Minimal example — files you’ll create

Below is the essentials. The SAM template uses the FunctionUrlConfig property to create the Function URL alongside the Lambda.

template.yaml (SAM)

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Hello Lambda Function URL example

Resources:
  HelloFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: nodejs22.x
      Handler: index.handler
      CodeUri: hello/
      MemorySize: 128
      Timeout: 10
      FunctionUrlConfig:
        AuthType: NONE       # see security notes below
        Cors:
          AllowOrigins:
            - '*'

Outputs:
  HelloFunctionUrlEndpoint:
    Description: "Function URL endpoint"
    Value: !GetAtt HelloFunctionUrl.FunctionUrl

This creates a function and a Function URL that uses the $LATEST version by default. You can also target an alias/qualified version or set AuthType to AWS_IAM for authenticated calls. The FunctionUrlConfig property is supported directly in SAM templates. (docs.aws.amazon.com)

hello/index.js (simple handler)

exports.handler = async (event) => {
  return {
    statusCode: 200,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ message: 'Hello from Lambda Function URL!' })
  };
};

Build and deploy (SAM commands)

From the project root:

• Initialize (if you started from scratch): sam init (choose hello-world template or manual). (github.com)
• Build: sam build
• Deploy (guided first time): sam deploy –guided
  The deploy flow packages your code, creates a CloudFormation stack, and prints outputs — including the Function URL via the template Output. (docs.aws.amazon.com)

Example quick commands:

sam init --app-template hello-world --runtime nodejs22.x --name hello-furl
# edit template.yaml + hello/index.js
sam build
sam deploy --guided

Testing the endpoint

If you used AuthType: NONE, the URL is publicly reachable: curl https://.lambda-url..on.aws If AuthType: AWS_IAM, you must sign requests with SigV4 or use an IAM-authenticated tool (Postman supports SigV4); the docs explain required permissions (`lambda:InvokeFunctionUrl` + `lambda:InvokeFunction`) and how the resource policy and AuthType work together. Note: as of October 2025 new function URLs require both lambda:InvokeFunctionUrl and lambda:InvokeFunction permissions for invocation. ([docs.aws.amazon.com](https://docs.aws.amazon.com/lambda/latest/dg/urls-invocation.html?utm_source=openai))

Security and production maturity

A few practical cautions before you go live:

• AuthType NONE = public. Useful for demos and webhooks, but anyone can call the URL. If you need access control, use AWS_IAM or implement auth inside your function. (docs.aws.amazon.com)
• Resource-based policies: a Function URL’s resource policy defines who can invoke it; review IAM Access Analyzer findings for inadvertently public endpoints. (aws.amazon.com)
• CORS and browsers: configure CORS in FunctionUrlConfig if the function will be called from web pages. (docs.aws.amazon.com)
• Monitoring & throttling: Function URLs are backed by Lambda — CloudWatch metrics and logs apply. For heavy production traffic, consider API Gateway for richer throttling, request transformation, and WAF. (docs.aws.amazon.com)

When to choose Function URL vs API Gateway

• Choose Function URL for: single-function endpoints, quick prototypes, or webhooks where simplicity matters. (docs.aws.amazon.com)
• Choose API Gateway when you need routing, request validation, usage plans, custom domains with advanced controls, or edge-optimized caching.

Final tips

• Keep your runtime current (check AWS docs for supported runtimes and planned deprecations). Node.js 20/22 are the safe picks right now. (docs.aws.amazon.com)
• Use sam deploy –guided the first time so SAM writes a samconfig.toml; subsequent deploys are quick. (docs.aws.amazon.com)
• For local development, SAM supports local invocation and remote invoke helpers that can test cloud-deployed functions — handy for troubleshooting after deploy. (docs.aws.amazon.com)

If you want, I can:

• generate a complete starter repo you can copy, or
• show a small PowerShell/Bash script that zips and deploys a single-file function with the AWS CLI (no SAM), or
• walk through switching AuthType to AWS_IAM and an example IAM policy.

Which would help you get this running fastest?