From aec72e101dd32c2f21e3493640435ab3ca48a5e4 Mon Sep 17 00:00:00 2001 From: Ivan S Date: Thu, 19 Dec 2024 21:30:58 +0200 Subject: [PATCH] Merge PR #5016 from @saakovv - Add `New AWS Lambda Function URL Configuration Created` new: New AWS Lambda Function URL Configuration Created --------- Co-authored-by: Ivan.Saakov Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali --- .../cloudtrail/aws_lambda_function_url.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml diff --git a/rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml b/rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml new file mode 100644 index 000000000..5d611b64a --- /dev/null +++ b/rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml 
@@ -0,0 +1,27 @@ +title: New AWS Lambda Function URL Configuration Created +id: ec541962-c05a-4420-b9ea-84de072d18f4 +status: experimental +description: | + Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls. + This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function. +references: + - https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunctionUrlConfig.html + - https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc + - https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws +author: Ivan Saakov +date: 2024-12-19 +tags: + - attack.initial-access + - attack.privilege-escalation +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: lambda.amazonaws.com + eventName: 'CreateFunctionUrlConfig' + condition: selection +falsepositives: + - Creating a Lambda function URL configuration may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Creating a Lambda function URL configuration from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium
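Review bot: The `selection` block matches every `CreateFunctionUrlConfig` call, but the `description` frames the risk as exposing the function to the internet, which only applies when the function URL is created without IAM authentication; as written, an IAM-protected URL configuration fires at the same `level: medium` as a public one. Consider either narrowing the selection on the request parameters (the referenced `API_CreateFunctionUrlConfig` page documents an `AuthType` value that distinguishes the two cases) or splitting this into two rules with different levels, and at minimum state in `description` that the rule also matches authenticated URL configurations so analysts do not treat every hit as a public exposure. Minor style point: `eventSource: lambda.amazonaws.com` is unquoted while `eventName: 'CreateFunctionUrlConfig'` is quoted; use one quoting style for both string values.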