AWS Lambda Layer Added to Existing Function

  1[metadata]
  2creation_date = "2024/04/30"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/01/16"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies when a Lambda layer is added to an existing AWS Lambda function. Lambda layers allow shared code,
 11dependencies, or runtime modifications to be injected into a function’s execution environment. Adversaries with the
 12ability to update function configurations may add a malicious layer to establish persistence, run unauthorized code, or
 13intercept data handled by the function. This activity should be reviewed to ensure the modification is expected and
 14authorized.
 15"""
 16false_positives = [
 17    """
 18    Lambda function owners or deployment pipelines may legitimately add or update layers as part of normal development
 19    and maintenance workflows. Confirm that the layer addition aligns with approved changes, expected CI/CD behavior, or
 20    routine dependency updates. Known automation roles or build systems can be excluded if they consistently perform
 21    authorized modifications.
 22    """,
 23]
 24from = "now-6m"
 25index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 26language = "kuery"
 27license = "Elastic License v2"
 28name = "AWS Lambda Layer Added to Existing Function"
 29note = """## Triage and analysis
 30
 31### Investigating AWS Lambda Layer Added to Existing Function
 32
 33Lambda layers introduce external code artifacts into a function’s runtime. Adding a layer to an existing Lambda function
 34modifies its execution environment and may allow an adversary to run arbitrary code, intercept data, or maintain
 35persistence without altering the function source itself. This detection highlights successful configuration updates using
 36`PublishLayerVersion*` or `UpdateFunctionConfiguration*`.
 37
 38### Possible investigation steps
 39
 40**Identify the actor**
 41- Review `aws.cloudtrail.user_identity.arn` and the `access_key_id`. Determine whether the actor normally administers Lambda or has recently exhibited unusual behavior.
 42
 43**Review what was modified**
 44- Inspect `aws.cloudtrail.request_parameters` to identify which layer ARN was added, the function name and region, whether multiple layers were applied at once or in rapid succession.
 45- Compare the added layer version against known and approved layer catalogs.
 46
 47**Validate the operational context**
 48- Check the time of the update (`@timestamp`) to see if it aligns with known release pipelines or deployment windows and Normal working hours for the responsible team.
 49- Determine whether a CI/CD pipeline or IaC tool was expected to update this function.
 50
 51**Assess where the change came from**
 52- Review `source.ip` and `user_agent.original` for signs of console access from unusual locations, access via previously unused automation tools, suspicious programmatic access consistent with compromised keys.
 53
 54**Correlate with additional activity**
 55- Look for preceding or subsequent events such as:
 56  - Creation of new Lambda layers (`PublishLayerVersion`).
 57  - IAM role modifications affecting the Lambda function.
 58  - Increased invocation volume or unusual invocation patterns after the layer addition.
 59- Search for other functions modified by the same actor or from the same IP.
 60
 61### False positive analysis
 62
 63- Confirm whether the change aligns with a planned deployment, application update, or dependency upgrade.
 64- Determine whether the user or automation role commonly modifies Lambda function configurations.
 65- Validate the legitimacy of the added layer by checking internal documentation or release notes.
 66
 67### Response and remediation
 68
 69- Remove or roll back the added layer if the modification appears unauthorized or suspicious.
 70- Review the layer contents, especially for newly published layers, to verify integrity and legitimacy.
 71- Investigate the IAM role or user responsible for the change and rotate compromised credentials if necessary.
 72- Tighten permissions by ensuring only approved roles can modify Lambda configurations or publish new layers.
 73- Implement monitoring for subsequent Lambda configuration changes, invocation anomalies caused by the injected layer, additional persistence techniques targeting serverless infrastructure.
 74
 75### Additional information
 76- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
 77- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
 78- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
 79"""
 80references = [
 81    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence",
 82    "https://docs.aws.amazon.com/lambda/latest/api/API_PublishLayerVersion.html",
 83    "https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionConfiguration.html",
 84]
 85risk_score = 21
 86rule_id = "7d091a76-0737-11ef-8469-f661ea17fbcc"
 87severity = "low"
 88tags = [
 89    "Domain: Cloud",
 90    "Data Source: AWS",
 91    "Data Source: Amazon Web Services",
 92    "Data Source: AWS Lambda",
 93    "Use Case: Threat Detection",
 94    "Tactic: Execution",
 95    "Resources: Investigation Guide",
 96]
 97timestamp_override = "event.ingested"
 98type = "query"
 99
100query = '''
101event.dataset: aws.cloudtrail
102    and event.provider: lambda.amazonaws.com
103    and event.outcome: success
104    and event.action: (PublishLayerVersion* or UpdateFunctionConfiguration*)
105'''
106
107
108[[rule.threat]]
109framework = "MITRE ATT&CK"
110[[rule.threat.technique]]
111id = "T1648"
112name = "Serverless Execution"
113reference = "https://attack.mitre.org/techniques/T1648/"
114
115
116[rule.threat.tactic]
117id = "TA0002"
118name = "Execution"
119reference = "https://attack.mitre.org/tactics/TA0002/"
120
121[rule.investigation_fields]
122field_names = [
123    "@timestamp",
124    "user.name",
125    "user_agent.original",
126    "source.ip",
127    "aws.cloudtrail.user_identity.arn",
128    "aws.cloudtrail.user_identity.type",
129    "aws.cloudtrail.user_identity.access_key_id",
130    "event.action",
131    "event.outcome",
132    "cloud.account.id",
133    "cloud.region",
134    "aws.cloudtrail.request_parameters",
135    "aws.cloudtrail.response_elements",
136]