Techniques
Sample rules
AWS New Lambda Layer Attached
- source: sigma
- techniques:
Description
Detects when a user attached a Lambda layer to an existing Lambda function. A malicious Lambda layer could execute arbitrary code in the context of the function’s IAM role. This would give an adversary access to resources that the function has access to.
Detection logic
condition: selection
selection:
  eventName|startswith: UpdateFunctionConfiguration
  eventSource: lambda.amazonaws.com
  requestParameters.layers|contains: '*'
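The selection above, evaluated in Python over constructed CloudTrail records, as an added example that is not part of the Sigma rule or the original page. The function names, account ID, Lambda function name and layer ARN are placeholders, and `contains: '*'` is read here as "field present with at least one value".

```python
import json

# Constructed CloudTrail records (not real logs); IDs and names are placeholders.
SAMPLE_EVENTS = json.loads("""
[
 {"eventSource": "lambda.amazonaws.com",
  "eventName": "UpdateFunctionConfiguration20150331v2",
  "requestParameters": {"functionName": "orders-api",
    "layers": ["arn:aws:lambda:us-east-1:111122223333:layer:example-layer:1"]}},
 {"eventSource": "lambda.amazonaws.com",
  "eventName": "UpdateFunctionConfiguration20150331v2",
  "requestParameters": {"functionName": "orders-api", "timeout": 30}},
 {"eventSource": "lambda.amazonaws.com",
  "eventName": "UpdateFunctionConfiguration20150331v2",
  "requestParameters": {"functionName": "orders-api", "layers": []}},
 {"eventSource": "lambda.amazonaws.com",
  "eventName": "UpdateFunctionCode20150331v2",
  "requestParameters": {"functionName": "orders-api"}}
]
""")


def attached_layers(event):
    """Return the layer ARNs if the event satisfies the rule's selection, else []."""
    if event.get("eventSource") != "lambda.amazonaws.com":
        return []
    # startswith: CloudTrail appends an API version suffix to Lambda event names.
    if not str(event.get("eventName", "")).startswith("UpdateFunctionConfiguration"):
        return []
    layers = (event.get("requestParameters") or {}).get("layers")
    # contains '*' (assumed reading): field present with at least one value.
    if isinstance(layers, str):
        layers = [layers]
    return [arn for arn in (layers or []) if arn is not None]


def scan(events):
    """Return (functionName, layers) for every event the rule would alert on."""
    hits = []
    for ev in events:
        layers = attached_layers(ev)
        if layers:
            hits.append(((ev.get("requestParameters") or {}).get("functionName"), layers))
    return hits


if __name__ == "__main__":
    for name, layers in scan(SAMPLE_EVENTS):
        print(f"ALERT layer attached to {name}: {layers}")
```

Only the first record alerts: configuration updates that omit `layers` or send an empty list do not match, so a change that removes every layer from a function is outside this rule's coverage.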