Best way to modify the generated S3BucketNotifications lambda? #31096
Unanswered
asked this question in Q&A
Replies: 0 comments
Hi,
we recently got a security finding for the S3 bucket notifications Lambda function which is generated by the CDK.
Basically you "can" call the Lambda with the ResponseURL set to any IP:Port combination and the Lambda will execute an HTTP PUT request without "checking" the ResponseURL parameter. Based on the response, especially when an exception is thrown (connection refused ...), you "can" see if the port is open or not (TCP port scan).
Did you ever have such a problem, and is there an easy way to modify the generated function, like updating the code and removing the exception message from the response?
Thank you :)
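A defensive handler shape for the issue raised above, as an added example that is not the CDK's generated handler: the ResponseURL is validated before any outbound PUT, and the callback body never carries exception text. The `.amazonaws.com` host suffix, the injected `send` callable and the `handle` function are assumptions made for this example.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Assumed allow-list: CloudFormation's pre-signed ResponseURL is an HTTPS S3
# URL, so this suffix is an assumption for the example, not CDK's own check.
ALLOWED_HOST_SUFFIXES = (".amazonaws.com",)

def validate_response_url(url: str) -> bool:
    """Accept only HTTPS on an allow-listed DNS host with the default port."""
    try:
        parsed = urlparse(url)
        host, port = parsed.hostname, parsed.port  # .port raises on junk
    except ValueError:
        return False
    if parsed.scheme != "https" or not host:
        return False
    if port not in (None, 443):  # arbitrary IP:port targets are refused
        return False
    try:
        ipaddress.ip_address(host)  # a raw IP literal is never an S3 host
        return False
    except ValueError:
        pass
    return host.endswith(ALLOWED_HOST_SUFFIXES)

def build_response(event: dict, status: str) -> dict:
    # The body never carries exception text; details stay in CloudWatch Logs.
    return {
        "Status": status,
        "Reason": "See CloudWatch Logs for details",
        "PhysicalResourceId": event.get("PhysicalResourceId", "notifications"),
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
    }

def handle(event: dict, send) -> str:
    """send(url, body) performs the HTTP PUT; injected so this runs offline."""
    url = event.get("ResponseURL", "")
    if not validate_response_url(url):
        return "rejected"  # no outbound request to an unvetted endpoint
    try:
        send(url, json.dumps(build_response(event, "SUCCESS")))
    except Exception:
        return "send-failed"  # the exception message is not echoed back
    return "sent"
```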