LoFP / Lambda function owners may legitimately update the function policy to allow public invocation.

Techniques

Sample rules

AWS Lambda Function Policy Updated to Allow Public Invocation

Description

Identifies when an AWS Lambda function policy is updated to allow public invocation. This rule specifically looks for the AddPermission API call with the Principal set to *, which allows any AWS account to invoke the Lambda function. Adversaries may abuse this permission to create a backdoor in the Lambda function that allows them to execute arbitrary code.

Detection logic

event.dataset: aws.cloudtrail
    and event.provider: lambda.amazonaws.com
    and event.outcome: success
    and event.action: AddPermission*
    and aws.cloudtrail.request_parameters: (*lambda\:InvokeFunction* and *principal=\**)
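The KQL above, re-implemented in Python and run over constructed CloudTrail-style events, so the matching behaviour (and the benign Function URL case this LoFP entry is about) can be checked offline. This is an added example, not code from the LoFP page or from Elastic; the flat ECS key names, the sample events and their request_parameters strings are assumptions.

```python
from typing import Dict, List


def matches_public_invoke(event: Dict[str, str]) -> bool:
    """Apply every clause of the rule to one flattened CloudTrail event (a flat dict)."""
    if event.get("event.dataset") != "aws.cloudtrail":
        return False
    if event.get("event.provider") != "lambda.amazonaws.com":
        return False
    if event.get("event.outcome") != "success":
        return False
    # event.action: AddPermission*  (CloudTrail records the versioned API name)
    if not event.get("event.action", "").startswith("AddPermission"):
        return False
    params = event.get("aws.cloudtrail.request_parameters", "")
    # KQL "\*" is a literal asterisk: both the action and "principal=*" must be present
    return "lambda:InvokeFunction" in params and "principal=*" in params


# Constructed sample events (not real CloudTrail records). request_parameters uses the
# flattened "{key=value, ...}" string form assumed for the Elastic field.
_COMMON = {"event.dataset": "aws.cloudtrail", "event.provider": "lambda.amazonaws.com"}
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # public grant backing a Function URL with AuthType NONE: fires, yet this is the
        # legitimate owner action the LoFP entry describes
        **_COMMON, "name": "public-function-url",
        "event.outcome": "success", "event.action": "AddPermission20150331v2",
        "aws.cloudtrail.request_parameters":
            "{functionName=demo-fn, statementId=FunctionURLAllowPublicAccess, "
            "action=lambda:InvokeFunction, principal=*, functionUrlAuthType=NONE}",
    },
    {   # grant scoped to one service principal: does not fire
        **_COMMON, "name": "s3-trigger",
        "event.outcome": "success", "event.action": "AddPermission20150331v2",
        "aws.cloudtrail.request_parameters":
            "{functionName=demo-fn, statementId=s3, action=lambda:InvokeFunction, "
            "principal=s3.amazonaws.com, sourceArn=arn:aws:s3:::demo-bucket}",
    },
    {   # same public grant but the API call was denied: does not fire
        **_COMMON, "name": "denied-public-grant",
        "event.outcome": "failure", "event.action": "AddPermission20150331v2",
        "aws.cloudtrail.request_parameters":
            "{functionName=demo-fn, statementId=public, action=lambda:InvokeFunction, "
            "principal=*}",
    },
]


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Names of the events the rule alerts on; each still needs an owner/change-record check."""
    return [e["name"] for e in events if matches_public_invoke(e)]
```

Because the rule matches the literal text `principal=*`, a benign public grant for a Function URL and a suspicious one look identical to the query; the distinguishing evidence is who made the change and whether it was expected.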