AWS Lambda Layer Added to Existing Function

Identifies when a Lambda layer is added to an existing AWS Lambda function. Lambda layers allow shared code, dependencies, or runtime modifications to be injected into a function’s execution environment. Adversaries with the ability to update function configurations may add a malicious layer to establish persistence, run unauthorized code, or intercept data handled by the function. This activity should be reviewed to ensure the modification is expected and authorized.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2024/04/30"
integration = ["aws"]
maturity = "production"
updated_date = "2025/12/11"

[rule]
author = ["Elastic"]
description = """
Identifies when a Lambda layer is added to an existing AWS Lambda function. Lambda layers allow shared code,
dependencies, or runtime modifications to be injected into a function’s execution environment. Adversaries with the
ability to update function configurations may add a malicious layer to establish persistence, run unauthorized code, or
intercept data handled by the function. This activity should be reviewed to ensure the modification is expected and
authorized.
"""
false_positives = [
    """
    Lambda function owners or deployment pipelines may legitimately add or update layers as part of normal development
    and maintenance workflows. Confirm that the layer addition aligns with approved changes, expected CI/CD behavior, or
    routine dependency updates. Known automation roles or build systems can be excluded if they consistently perform
    authorized modifications.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Lambda Layer Added to Existing Function"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance.
> While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS Lambda Layer Added to Existing Function

Lambda layers introduce external code artifacts into a function’s runtime. Adding a layer to an existing Lambda function
modifies its execution environment and may allow an adversary to run arbitrary code, intercept data, or maintain
persistence without altering the function source itself. This detection highlights successful configuration updates using
`PublishLayerVersion*` or `UpdateFunctionConfiguration*`.

### Possible investigation steps

**Identify the actor**
- Review `aws.cloudtrail.user_identity.arn` and the `access_key_id`. Determine whether the actor normally administers Lambda or has recently exhibited unusual behavior.

**Review what was modified**
- Inspect `aws.cloudtrail.request_parameters` to identify which layer ARN was added, the function name and region, and whether multiple layers were applied at once or in rapid succession.
- Compare the added layer version against known and approved layer catalogs.

**Validate the operational context**
- Check the time of the update (`@timestamp`) to see if it aligns with known release pipelines or deployment windows and normal working hours for the responsible team.
- Determine whether a CI/CD pipeline or IaC tool was expected to update this function.

**Assess where the change came from**
- Review `source.ip` and `user_agent.original` for signs of console access from unusual locations, access via previously unused automation tools, or suspicious programmatic access consistent with compromised keys.

**Correlate with additional activity**
- Look for preceding or subsequent events such as:
  - Creation of new Lambda layers (`PublishLayerVersion`).
  - IAM role modifications affecting the Lambda function.
  - Increased invocation volume or unusual invocation patterns after the layer addition.
- Search for other functions modified by the same actor or from the same IP.

### False positive analysis

- Confirm whether the change aligns with a planned deployment, application update, or dependency upgrade.
- Determine whether the user or automation role commonly modifies Lambda function configurations.
- Validate the legitimacy of the added layer by checking internal documentation or release notes.

### Response and remediation

- Remove or roll back the added layer if the modification appears unauthorized or suspicious.
- Review the layer contents, especially for newly published layers, to verify integrity and legitimacy.
- Investigate the IAM role or user responsible for the change and rotate compromised credentials if necessary.
- Tighten permissions by ensuring only approved roles can modify Lambda configurations or publish new layers.
- Implement monitoring for subsequent Lambda configuration changes, invocation anomalies caused by the injected layer, and additional persistence techniques targeting serverless infrastructure.

### Additional information
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
"""
references = [
    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence",
    "https://docs.aws.amazon.com/lambda/latest/api/API_PublishLayerVersion.html",
    "https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionConfiguration.html",
]
risk_score = 21
rule_id = "7d091a76-0737-11ef-8469-f661ea17fbcc"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS Lambda",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: aws.cloudtrail
    and event.provider: lambda.amazonaws.com
    and event.outcome: success
    and event.action: (PublishLayerVersion* or UpdateFunctionConfiguration*)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]
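As an added example (not Elastic's code and not part of the rule above), the query's match logic replayed over constructed raw CloudTrail records, with the layer-ARN extraction the triage guide asks for so that config updates that touched no layer (memory, timeout, environment) can be separated from real layer additions. It assumes raw CloudTrail field names (eventSource, eventName, errorCode, requestParameters.layers, responseElements.layerVersionArn) rather than the ECS fields the rule queries; the event names, function name, account id and ARNs are constructed placeholders.

```python
from fnmatch import fnmatch

# Constructed CloudTrail records for illustration only; account id and ARNs are placeholders.
LAYER_ARN = "arn:aws:lambda:us-east-1:123456789012:layer:example-layer:3"
SAMPLE_EVENTS = [
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionConfiguration20150331v2",
     "requestParameters": {"functionName": "orders-api", "layers": [LAYER_ARN]}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionConfiguration20150331v2",
     "requestParameters": {"functionName": "orders-api", "memorySize": 512}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "PublishLayerVersion20181031",
     "requestParameters": {"layerName": "example-layer"},
     "responseElements": {"layerVersionArn": LAYER_ARN}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionConfiguration20150331v2",
     "errorCode": "AccessDenied", "requestParameters": {"functionName": "orders-api"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "GetFunction20150331v2",
     "requestParameters": {"functionName": "orders-api"}},
]

# Same wildcard prefixes as the rule's event.action clause.
ACTION_PATTERNS = ("PublishLayerVersion*", "UpdateFunctionConfiguration*")


def matches_rule(event):
    """Mirror of the KQL: Lambda event source, successful call, action prefix match."""
    return (event.get("eventSource") == "lambda.amazonaws.com"
            and "errorCode" not in event  # a present errorCode is a failed call
            and any(fnmatch(event.get("eventName", ""), p) for p in ACTION_PATTERNS))


def layer_arns(event):
    """Layer ARNs attached by UpdateFunctionConfiguration or created by PublishLayerVersion.

    Returns an empty list for configuration updates that touched no layer, which
    the rule still matches (it does not inspect request parameters)."""
    params = event.get("requestParameters") or {}
    resp = event.get("responseElements") or {}
    arns = [a for a in (params.get("layers") or []) if isinstance(a, str)]
    if isinstance(resp.get("layerVersionArn"), str):
        arns.append(resp["layerVersionArn"])
    return arns


def triage(events):
    """One (eventName, functionName, layer ARNs) tuple per record the rule would alert on."""
    return [(ev["eventName"], (ev.get("requestParameters") or {}).get("functionName"), layer_arns(ev))
            for ev in events if matches_rule(ev)]


if __name__ == "__main__":
    for name, fn, arns in triage(SAMPLE_EVENTS):
        print(name, fn, arns or "no layer change in this request")
```

Records with a function name but an empty ARN list are the false-positive candidates the guide describes (routine configuration changes); a non-empty list gives the layer version to compare against the approved catalog.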
