LoFP LoFP / application teams and infrastructure-as-code pipelines routinely create event source mappings to wire data pipelines, queue consumers, and stream processors to lambda functions. verify whether the principal in `aws.cloudtrail.user_identity.arn`, the function, and the event source are expected for the workload. known deployment roles and automation can be excluded after validation.

Techniques

Sample rules

AWS Lambda Event Source Mapping Creation

Description

Identifies the creation of an AWS Lambda event source mapping, which connects an event source such as an Amazon SQS queue, an Amazon Kinesis or DynamoDB stream, an Amazon MSK or self-managed Apache Kafka topic, or an Amazon MQ broker to a Lambda function so the function is automatically invoked when new records arrive. Adversaries with “lambda:CreateEventSourceMapping” permissions can abuse this to establish stealthy, event-driven persistence and execution, or to continuously siphon records from a stream or queue into attacker-controlled function code. Because the function then runs on its own whenever the source produces events, this grants durable execution without any further interactive activity by the adversary.

Detection logic

data_stream.dataset: "aws.cloudtrail"
    and event.provider: "lambda.amazonaws.com"
    and event.action: CreateEventSourceMapping*
    and event.outcome: "success"