Some organizations intentionally use Lambda functions to provision IAM principals, bootstrap accounts, or run identity automation (including roles and instance profiles). Confirm the function name in `user_identity.arn`, deployment pipelines, and change records. Exclude known automation roles or specific `session_context.session_issuer.arn` values after validation.

Techniques

Sample rules

AWS IAM Sensitive Operations via Lambda Execution Role

Description

Detects successful IAM API calls that create or empower IAM users and roles, attach or embed policies, or wire roles to instance profiles when the caller is an assumed role session associated with AWS Lambda. Serverless execution roles are often over-permissioned; an adversary who can run or compromise function code can abuse these APIs for privilege escalation and persistence—for example creating users or roles, issuing keys, attaching managed or inline policies, or preparing EC2 instance profiles for lateral movement.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.outcome: "success"
    and aws.cloudtrail.user_identity.type: "AssumedRole"
    and (
        aws.cloudtrail.user_identity.invoked_by: "lambda.amazonaws.com"
        or user_agent.original: *AWS_Lambda*
    )
    and event.action: (
        "AddRoleToInstanceProfile" or
        "AddUserToGroup" or
        "AttachGroupPolicy" or
        "AttachRolePolicy" or
        "AttachUserPolicy" or
        "CreateAccessKey" or
        "CreateInstanceProfile" or
        "CreateRole" or
        "CreateUser" or
        "PutRolePolicy" or
        "PutUserPolicy"
    )
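The following is an added example, not part of the rule page or of the Elastic rule set: a small Python re-implementation of the KQL query above, run over constructed ECS-shaped CloudTrail events, together with the allow-list tuning the false-positive note describes (suppressing alerts whose `session_context.session_issuer.arn` is a validated automation role). The account id, role names, function name and user-agent strings are constructed sample values, and the ECS path `aws.cloudtrail.user_identity.session_context.session_issuer.arn` is assumed from the field shorthand used in the note.

```python
import fnmatch

# The IAM actions enumerated in the rule's event.action clause.
SENSITIVE_IAM_ACTIONS = {
    "AddRoleToInstanceProfile", "AddUserToGroup", "AttachGroupPolicy",
    "AttachRolePolicy", "AttachUserPolicy", "CreateAccessKey",
    "CreateInstanceProfile", "CreateRole", "CreateUser",
    "PutRolePolicy", "PutUserPolicy",
}

# Hypothetical allow-list: automation roles an analyst has validated against
# deployment pipelines and change records, as the false-positive note advises.
KNOWN_AUTOMATION_ROLE_ARNS = {
    "arn:aws:iam::111122223333:role/account-bootstrap-automation",
}

ACCOUNT_ID = "111122223333"  # constructed sample account id


def get(event, dotted_path, default=None):
    """Walk a nested dict using a dotted ECS field path (e.g. 'event.action')."""
    cur = event
    for part in dotted_path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def matches_rule(event):
    """Mirror the KQL query: every 'and' clause must hold, the Lambda clause is an 'or'."""
    if get(event, "event.dataset") != "aws.cloudtrail":
        return False
    if get(event, "event.provider") != "iam.amazonaws.com":
        return False
    if get(event, "event.outcome") != "success":
        return False
    if get(event, "aws.cloudtrail.user_identity.type") != "AssumedRole":
        return False
    invoked_by = get(event, "aws.cloudtrail.user_identity.invoked_by")
    user_agent = get(event, "user_agent.original", "") or ""
    # KQL wildcard on a keyword field is case-sensitive, hence fnmatchcase.
    from_lambda = (invoked_by == "lambda.amazonaws.com"
                   or fnmatch.fnmatchcase(user_agent, "*AWS_Lambda*"))
    if not from_lambda:
        return False
    return get(event, "event.action") in SENSITIVE_IAM_ACTIONS


def is_known_automation(event):
    """Allow-list check on the role that issued the session (assumed ECS path)."""
    issuer = get(event, "aws.cloudtrail.user_identity.session_context.session_issuer.arn")
    return issuer in KNOWN_AUTOMATION_ROLE_ARNS


def triage(events):
    """Split matching events into (alerts, suppressed_by_allow_list)."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        (suppressed if is_known_automation(ev) else alerts).append(ev)
    return alerts, suppressed


def make_event(action, invoked_by=None, user_agent="", outcome="success",
               role_name="app-function-role", session_name="my-function",
               identity_type="AssumedRole"):
    """Build a constructed, ECS-shaped CloudTrail event for testing."""
    issuer_arn = f"arn:aws:iam::{ACCOUNT_ID}:role/{role_name}"
    # For a Lambda execution role the session name is the function name, which is
    # why the note says to confirm it in user_identity.arn.
    session_arn = f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/{role_name}/{session_name}"
    return {
        "event": {"dataset": "aws.cloudtrail", "provider": "iam.amazonaws.com",
                  "outcome": outcome, "action": action},
        "user_agent": {"original": user_agent},
        "aws": {"cloudtrail": {"user_identity": {
            "type": identity_type,
            "arn": session_arn,
            "invoked_by": invoked_by,
            "session_context": {"session_issuer": {"arn": issuer_arn}},
        }}},
    }


# Constructed sample events: two true positives, one allow-listed automation
# run, and three non-matches (benign read, failed call, non-Lambda caller).
SAMPLE_EVENTS = [
    make_event("CreateAccessKey", invoked_by="lambda.amazonaws.com"),
    make_event("AttachRolePolicy",
               user_agent="aws-sdk-nodejs/2.1 exec-env/AWS_Lambda_nodejs18.x"),
    make_event("CreateRole", invoked_by="lambda.amazonaws.com",
               role_name="account-bootstrap-automation", session_name="bootstrap"),
    make_event("GetUser", invoked_by="lambda.amazonaws.com"),
    make_event("CreateUser", invoked_by="lambda.amazonaws.com", outcome="failure"),
    make_event("CreateUser", user_agent="aws-cli/2.0", identity_type="IAMUser"),
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    for ev in alerts:
        print("ALERT", get(ev, "event.action"), get(ev, "aws.cloudtrail.user_identity.arn"))
    for ev in suppressed:
        print("SUPPRESSED", get(ev, "event.action"), get(ev, "aws.cloudtrail.user_identity.arn"))
```

Keep the allow-list keyed on the session issuer role ARN rather than on the session name alone: the function name in the session ARN is attacker-influenced only insofar as the attacker controls which function runs, whereas the issuer role is the execution role that actually holds the IAM permissions.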