Techniques
Sample rules
AWS Lambda Function Policy Updated to Allow Cross-Account Invocation
- source: elastic
- technicques:
- T1546
- T1578
Description
Identifies a change to an AWS Lambda function resource policy that grants invoke permissions to an AWS account principal. Using AddPermission, an adversary can authorize a principal in another account to call a function, creating a cross-account backdoor for execution or for relaying data to attacker-controlled infrastructure without modifying the function’s code. This rule excludes public grants (principal set to “*”), which are covered by a separate rule, and grants to AWS service principals, which are common for legitimate event triggers.
Detection logic
any where data_stream.dataset == "aws.cloudtrail"
and event.provider == "lambda.amazonaws.com"
and event.outcome == "success"
and event.action : "AddPermission*"
and stringContains(aws.cloudtrail.request_parameters, "lambda:InvokeFunction")
and not stringContains(aws.cloudtrail.request_parameters, "principal=\\*")
and not stringContains(aws.cloudtrail.request_parameters, ".amazonaws.com")