AWS Lambda Function High-Frequency Invocation by a Single Principal
Identifies a single principal directly invoking AWS Lambda functions at a high volume within a one-hour window. Adversaries may drive excessive invocations to abuse functions for resource hijacking or cryptomining, to inflate costs in a denial-of-wallet attack, or to enumerate function behavior. This is a volumetric heuristic: the threshold is environment-dependent and high-throughput applications can exceed it, so tune it to the deployment. This rule relies on AWS Lambda data event logging, which is not enabled by default.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/06/18"
3integration = ["aws"]
4maturity = "production"
5updated_date = "2026/06/18"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies a single principal directly invoking AWS Lambda functions at a high volume within a one-hour window.
11Adversaries may drive excessive invocations to abuse functions for resource hijacking or cryptomining, to inflate costs
12in a denial-of-wallet attack, or to enumerate function behavior. This is a volumetric heuristic: the threshold is
13environment-dependent and high-throughput applications can exceed it, so tune it to the deployment. This rule relies on
14AWS Lambda data event logging, which is not enabled by default.
15"""
16false_positives = [
17 """
18 Legitimate high-throughput applications, batch jobs, load tests, and automation can invoke functions at high volume
19 and will exceed any fixed threshold. Validate the principal in `aws.cloudtrail.user_identity.arn` and the workload
20 context, and tune the threshold to the environment.
21 """,
22]
23from = "now-61m"
24interval = "60m"
25language = "esql"
26license = "Elastic License v2"
27name = "AWS Lambda Function High-Frequency Invocation by a Single Principal"
28note = """## Triage and analysis
29
30### Investigating AWS Lambda Function High-Frequency Invocation by a Single Principal
31
32A principal issuing a high volume of direct Lambda invocations in a short window can indicate function abuse for resource hijacking or cryptomining, a denial-of-wallet cost attack, or behavioral enumeration. Because Lambda data events record only the invocation metadata (caller, function, source) and not the function's internal behavior, this rule is purely volumetric and should be treated as corroborating signal.
33
34### Possible investigation steps
35
36- Identify the principal in `aws.cloudtrail.user_identity.arn` and determine whether the volume exceeds its historical baseline.
37- Determine whether the principal is a known high-throughput application or automation identity, or an unexpected user.
38- Review `source.ip` / `user_agent.original` and recent credential activity for signs of compromise.
39- Correlate with billing/concurrency metrics and with other Lambda or IAM activity by the same principal.
40
41### False positive analysis
42
43- High-throughput apps, batch processing, and load tests routinely exceed fixed thresholds. Tune the threshold and exclude known high-volume identities after validation.
44
45### Response and remediation
46
47- If abuse is confirmed, throttle or disable the affected functions (reserved concurrency), rotate or restrict the principal's credentials, and review function code and execution-role permissions.
48- Apply per-function reserved concurrency and account-level guardrails to bound cost and blast radius.
49
50### Additional information
51
52- [Logging Lambda data events with CloudTrail](https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html)
53- [Lambda function scaling and concurrency](https://docs.aws.amazon.com/lambda/latest/dg/lambda-concurrency.html)
54"""
55references = [
56 "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html",
57 "https://docs.aws.amazon.com/lambda/latest/dg/lambda-concurrency.html",
58]
59risk_score = 47
60rule_id = "55260656-76d6-427b-bd02-7acdde131b64"
61setup = """## Setup
62
63This rule requires AWS Lambda data events to be logged in CloudTrail and ingested via the AWS integration. Lambda
64invocation (`Invoke`) is a data-plane event and is NOT logged by default; enable data event logging for Lambda functions
65in the trail (optionally scoped to sensitive functions to manage volume). Tune the invocation-count threshold in the
66query to the environment before enabling.
67"""
68severity = "medium"
69tags = [
70 "Domain: Cloud",
71 "Data Source: AWS",
72 "Data Source: Amazon Web Services",
73 "Data Source: AWS CloudTrail",
74 "Data Source: AWS Lambda",
75 "Use Case: Threat Detection",
76 "Tactic: Impact",
77 "Resources: Investigation Guide",
78]
79timestamp_override = "event.ingested"
80type = "esql"
81
82query = '''
83from logs-aws.cloudtrail-*
84
85// Lambda invocation data events (data-plane; requires data event logging enabled)
86| where
87 event.provider == "lambda.amazonaws.com"
88 and event.action like "Invoke*"
89 and event.outcome == "success"
90 and aws.cloudtrail.user_identity.arn IS NOT NULL
91
92| stats
93 Esql.invocation_count = count(*),
94 Esql.source_ips = values(source.ip)
95 by
96 aws.cloudtrail.user_identity.arn
97
98// Threshold is environment-dependent — tune to the deployment
99| where Esql.invocation_count >= 1000
100
101| keep
102 aws.cloudtrail.user_identity.arn,
103 Esql.invocation_count,
104 Esql.source_ips
105
106| sort Esql.invocation_count desc
107'''
108
109
110[[rule.threat]]
111framework = "MITRE ATT&CK"
112[[rule.threat.technique]]
113id = "T1496"
114name = "Resource Hijacking"
115reference = "https://attack.mitre.org/techniques/T1496/"
116
117
118[rule.threat.tactic]
119id = "TA0040"
120name = "Impact"
121reference = "https://attack.mitre.org/tactics/TA0040/"
122
123[rule.investigation_fields]
124field_names = ["aws.cloudtrail.user_identity.arn", "cloud.account.id", "Esql.invocation_count", "Esql.source_ips"]
Triage and analysis
Investigating AWS Lambda Function High-Frequency Invocation by a Single Principal
A principal issuing a high volume of direct Lambda invocations in a short window can indicate function abuse for resource hijacking or cryptomining, a denial-of-wallet cost attack, or behavioral enumeration. Because Lambda data events record only the invocation metadata (caller, function, source) and not the function's internal behavior, this rule is purely volumetric and should be treated as corroborating signal.
Possible investigation steps
- Identify the principal in
aws.cloudtrail.user_identity.arnand determine whether the volume exceeds its historical baseline. - Determine whether the principal is a known high-throughput application or automation identity, or an unexpected user.
- Review
source.ip/user_agent.originaland recent credential activity for signs of compromise. - Correlate with billing/concurrency metrics and with other Lambda or IAM activity by the same principal.
False positive analysis
- High-throughput apps, batch processing, and load tests routinely exceed fixed thresholds. Tune the threshold and exclude known high-volume identities after validation.
Response and remediation
- If abuse is confirmed, throttle or disable the affected functions (reserved concurrency), rotate or restrict the principal's credentials, and review function code and execution-role permissions.
- Apply per-function reserved concurrency and account-level guardrails to bound cost and blast radius.
Additional information
References
Related rules
- AWS Lambda Function Deletion
- AWS Lambda Event Source Mapping Creation
- AWS Bedrock Knowledge Base or RAG Data Source Tampering
- AWS Bedrock Provisioned Model Throughput Tampering
- AWS Backup Recovery Point Deleted