Some organizations may legitimately expose Lambda functions for cross-account or anonymous invocation (e.g., custom public APIs, integrations, or legacy architectures). Validate whether the function owner explicitly intended to make the function publicly invokable. Routine CI/CD deployments or IaC templates may also temporarily set permissive policies; confirm this is expected behavior before treating it as suspicious.

Techniques

Sample rules

AWS Lambda Function Policy Updated to Allow Public Invocation

Description

Identifies when an AWS Lambda function policy is updated to allow public invocation. This rule detects use of the AddPermission API where the Principal is set to “*”, enabling any AWS account to invoke the function. Adversaries may abuse this configuration to establish persistence, create a covert execution path, or operate a function as an unauthenticated backdoor. Public invocation is rarely required outside very specific workloads and should be considered high-risk when performed unexpectedly.

Detection logic

info where event.dataset == "aws.cloudtrail"
    and event.provider == "lambda.amazonaws.com"
    and event.outcome == "success"
    and event.action : "AddPermission*"
    and stringContains(aws.cloudtrail.request_parameters, "lambda:InvokeFunction")
    and stringContains(aws.cloudtrail.request_parameters, "principal=\\*")
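The same conditions applied to raw CloudTrail JSON, followed by the triage step the false-positive note above calls for, as an added Python example that is not part of the LoFP page or of the rule itself. The sample records, the allowlisted function name and the deploy role ARN are constructed for illustration.

```python
import json

# Constructed CloudTrail excerpt (not real events): a public grant by a user,
# an expected grant by the deploy role, a denied attempt and an account-scoped grant.
SAMPLE_LOG = """{"Records": [
 {"eventSource": "lambda.amazonaws.com", "eventName": "AddPermission20150331v2",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "requestParameters":
  {"functionName": "order-webhook", "action": "lambda:InvokeFunction", "principal": "*"}},
 {"eventSource": "lambda.amazonaws.com", "eventName": "AddPermission20150331v2",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"}, "requestParameters":
  {"functionName": "status-page", "action": "lambda:InvokeFunction", "principal": "*"}},
 {"eventSource": "lambda.amazonaws.com", "eventName": "AddPermission20150331v2", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}, "requestParameters":
  {"functionName": "reports", "action": "lambda:InvokeFunction", "principal": "*"}},
 {"eventSource": "lambda.amazonaws.com", "eventName": "AddPermission20150331v2",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "requestParameters":
  {"functionName": "billing", "action": "lambda:InvokeFunction", "principal": "444455556666"}}
]}"""

# Triage allowlists (assumed, analyst-maintained): functions whose owners confirmed
# public invocation is intended, and deployer roles whose grants are routine CI/CD or IaC.
KNOWN_PUBLIC_FUNCTIONS = {"status-page"}
DEPLOY_PRINCIPALS = {"arn:aws:iam::111122223333:role/deploy"}

def is_public_invoke_grant(record):
    """Rule conditions: successful Lambda AddPermission* granting lambda:InvokeFunction to '*'."""
    params = record.get("requestParameters") or {}
    return (record.get("eventSource") == "lambda.amazonaws.com"
            and record.get("eventName", "").startswith("AddPermission")
            and "errorCode" not in record  # CloudTrail records failed calls via errorCode
            and params.get("action") == "lambda:InvokeFunction"
            and params.get("principal") == "*")

def triage(record):
    """'alert' or 'expected' for a matching record, None when the rule does not match."""
    if not is_public_invoke_grant(record):
        return None
    function = record["requestParameters"].get("functionName")
    actor = record.get("userIdentity", {}).get("arn", "")
    if function in KNOWN_PUBLIC_FUNCTIONS or actor in DEPLOY_PRINCIPALS:
        return "expected"
    return "alert"

def scan(log_text):
    """Return (functionName, verdict) for every record the rule matches."""
    hits = []
    for record in json.loads(log_text)["Records"]:
        verdict = triage(record)
        if verdict:
            hits.append((record["requestParameters"]["functionName"], verdict))
    return hits
```

Running `scan(SAMPLE_LOG)` yields an alert for order-webhook and an expected verdict for status-page; the denied attempt and the account-scoped grant do not match the rule at all.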