LoFP LoFP / lambda layer being attached may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

Techniques

Sample rules

AWS New Lambda Layer Attached

Description

Detects when a user attached a Lambda layer to an existing Lambda function. A malicious Lambda layer could execute arbitrary code in the context of the function’s IAM role. This would give an adversary access to resources that the function has access to.

Detection logic

condition: selection
selection:
  eventName|startswith: UpdateFunctionConfiguration
  eventSource: lambda.amazonaws.com
  requestParameters.layers|contains: '*'