LoFP LoFP / lambda layer being attached from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

AWS Attached Malicious Lambda Layer

Description

Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function’s IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.

Detection logic

condition: selection
selection:
  eventName|startswith: UpdateFunctionConfiguration
  eventSource: lambda.amazonaws.com