title: AWS New Lambda Layer Attached
id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
status: test
description: |
    Detects when a user attached a Lambda layer to an existing Lambda function.
    A malicious Lambda layer could execute arbitrary code in the context of the function's IAM role.
    This would give an adversary access to resources that the function has access to.
references:
    - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
    - https://github.com/clearvector/lambda-spy
author: Austin Songer
date: 2021-09-23
modified: 2025-03-17
tags:
    - attack.privilege-escalation
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: lambda.amazonaws.com
        eventName|startswith: 'UpdateFunctionConfiguration'
        requestParameters.layers|contains: '*'
    condition: selection
falsepositives:
    - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
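To see what the selection above does and does not catch, here is an added example (not part of the Sigma project or this rule) that evaluates the selection over constructed CloudTrail records in Python; the dotted-field and wildcard handling is my reading of the rule, not Sigma's reference engine, and the layer ARN and eventIDs are made up.

```python
# Selection map copied from the Sigma rule above; keys are AND-ed.
SELECTION = {
    "eventSource": "lambda.amazonaws.com",
    "eventName|startswith": "UpdateFunctionConfiguration",
    "requestParameters.layers|contains": "*",
}

def get_path(record, dotted):
    cur = record  # walk a dotted Sigma field name into the nested record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None  # field absent
        cur = cur[part]
    return cur

def field_matches(value, modifier, pattern):
    """Apply one Sigma modifier; a list value matches if any element does."""
    if isinstance(value, list):
        return any(field_matches(v, modifier, pattern) for v in value)
    if value is None:
        return False
    text = str(value)
    if modifier == "startswith":
        return text.startswith(pattern)
    if modifier == "contains":
        # Assumption: a bare '*' wildcard matches any value the field carries.
        return pattern == "*" or pattern in text
    return text == pattern  # no modifier: exact match

def selection_matches(record):
    return all(
        field_matches(get_path(record, key.partition("|")[0]),
                      key.partition("|")[2], pattern)
        for key, pattern in SELECTION.items())

# Constructed CloudTrail records (not real log data); the version suffix on
# Lambda eventNames is why the rule uses startswith rather than equality.
LAYER = "arn:aws:lambda:us-east-1:123456789012:layer:example-layer:1"
SAMPLE_RECORDS = [
    {"eventID": "e1", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionConfiguration20150331v2",
     "requestParameters": {"functionName": "demo", "layers": [LAYER]}},
    {"eventID": "e2", "eventSource": "lambda.amazonaws.com",  # no layers
     "eventName": "UpdateFunctionConfiguration20150331v2",
     "requestParameters": {"functionName": "demo", "timeout": 30}},
    {"eventID": "e3", "eventSource": "lambda.amazonaws.com",  # new function
     "eventName": "CreateFunction20150331",
     "requestParameters": {"functionName": "demo", "layers": [LAYER]}},
]

def alerts(records):  # eventIDs the rule would fire on
    return [r["eventID"] for r in records if selection_matches(r)]
```

The third record shows the scope the description states: a layer supplied when a function is created is not an attachment to an existing function and does not fire, so it needs separate coverage.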