AWS Lambda Function Policy Updated to Allow Public Invocation

Identifies when an AWS Lambda function policy is updated to allow public invocation. This rule specifically looks for the AddPermission API call with the Principal set to * which allows any AWS account to invoke the Lambda function. Adversaries may abuse this permission to create a backdoor in the Lambda function that allows them to execute arbitrary code.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2024/04/30"
  3integration = ["aws"]
  4maturity = "production"
  5min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
  6min_stack_version = "8.9.0"
  7updated_date = "2024/05/28"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies when an AWS Lambda function policy is updated to allow public invocation. This rule specifically looks for
 13the `AddPermission` API call with the `Principal` set to `*` which allows any AWS account to invoke the Lambda function.
 14Adversaries may abuse this permission to create a backdoor in the Lambda function that allows them to execute arbitrary
 15code.
 16"""
 17false_positives = [
 18    "Lambda function owners may legitimately update the function policy to allow public invocation.",
 19]
 20from = "now-60m"
 21index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 22interval = "10m"
 23language = "kuery"
 24license = "Elastic License v2"
 25name = "AWS Lambda Function Policy Updated to Allow Public Invocation"
 26note = """
 27## Triage and Analysis
 28
 29### Investigating AWS Lambda Function Policy Updated to Allow Public Invocation
 30
 31This rule detects when an AWS Lambda function policy is updated to allow public invocation. It specifically looks for the `AddPermission` API call with the `Principal` set to `*`, which allows any AWS account to invoke the Lambda function. Adversaries may abuse this permission to create a backdoor in the Lambda function that allows them to execute arbitrary code. Understanding the context and legitimacy of such changes is crucial to determine if the action is benign or malicious.
 32
 33#### Possible Investigation Steps:
 34
 35- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.
 36- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific changes made to the Lambda function policy. Look for any unusual parameters that could suggest unauthorized or malicious modifications.
 37- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.
 38- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.
 39- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.
 40
 41### False Positive Analysis:
 42
 43- **Legitimate Administrative Actions**: Confirm if the update to allow public invocation aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.
 44- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
 45- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended according to policy.
 46
 47### Response and Remediation:
 48
 49- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, update the Lambda function policy to remove the public invocation permission and restore it to its previous state.
 50- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive functions or permissions.
 51- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning Lambda function management and the use of permissions.
 52- **Audit Lambda Functions and Policies**: Conduct a comprehensive audit of all Lambda functions and associated policies to ensure they adhere to the principle of least privilege.
 53- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.
 54
 55### Additional Information:
 56
 57For further guidance on managing Lambda functions and securing AWS environments, refer to the [AWS Lambda documentation](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) and AWS best practices for security. Additionally, consult the following resources for specific details on Lambda persistence techniques:
 58- [AWS Lambda Persistence](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence)
 59- [AWS Lambda Backdoor Function](https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-backdoor-function/)
 60- [AWS API AddPermission](https://docs.aws.amazon.com/lambda/latest/api/API_AddPermission.html)
 61
 62
 63"""
 64references = [
 65    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence",
 66    "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-backdoor-function/",
 67    "https://docs.aws.amazon.com/lambda/latest/api/API_AddPermission.html",
 68]
 69risk_score = 47
 70rule_id = "151d8f72-0747-11ef-a0c2-f661ea17fbcc"
 71severity = "medium"
 72tags = [
 73    "Domain: Cloud",
 74    "Data Source: AWS",
 75    "Data Source: Amazon Web Services",
 76    "Data Source: AWS Lambda",
 77    "Use Case: Threat Detection",
 78    "Tactic: Persistence",
 79]
 80timestamp_override = "event.ingested"
 81type = "query"
 82
 83query = '''
 84event.dataset: aws.cloudtrail
 85    and event.provider: lambda.amazonaws.com
 86    and event.outcome: success
 87    and event.action: AddPermission*
 88    and aws.cloudtrail.request_parameters: (*lambda\:InvokeFunction* and *principal=\**)
 89'''
 90
 91
 92[[rule.threat]]
 93framework = "MITRE ATT&CK"
 94[[rule.threat.technique]]
 95id = "T1546"
 96name = "Event Triggered Execution"
 97reference = "https://attack.mitre.org/techniques/T1546/"
 98
 99
100[rule.threat.tactic]
101id = "TA0003"
102name = "Persistence"
103reference = "https://attack.mitre.org/tactics/TA0003/"

Triage and Analysis

Investigating AWS Lambda Function Policy Updated to Allow Public Invocation

This rule detects when an AWS Lambda function policy is updated to allow public invocation. It specifically looks for the AddPermission API call with the Principal set to *, which allows any AWS account to invoke the Lambda function. Adversaries may abuse this permission to create a backdoor in the Lambda function that allows them to execute arbitrary code. Understanding the context and legitimacy of such changes is crucial to determine if the action is benign or malicious.

Possible Investigation Steps:

  • Identify the Actor: Review the aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.access_key_id fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.
  • Review the Request Details: Examine the aws.cloudtrail.request_parameters to understand the specific changes made to the Lambda function policy. Look for any unusual parameters that could suggest unauthorized or malicious modifications.
  • Analyze the Source of the Request: Investigate the source.ip and source.geo fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.
  • Contextualize with Timestamp: Use the @timestamp field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.
  • Correlate with Other Activities: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.

False Positive Analysis:

  • Legitimate Administrative Actions: Confirm if the update to allow public invocation aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.
  • Consistency Check: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
  • Verify through Outcomes: Check the aws.cloudtrail.response_elements and the event.outcome to confirm if the change was successful and intended according to policy.

Response and Remediation:

  • Immediate Review and Reversal if Necessary: If the change was unauthorized, update the Lambda function policy to remove the public invocation permission and restore it to its previous state.
  • Enhance Monitoring and Alerts: Adjust monitoring systems to alert on similar actions, especially those involving sensitive functions or permissions.
  • Educate and Train: Provide additional training to users with administrative rights on the importance of security best practices concerning Lambda function management and the use of permissions.
  • Audit Lambda Functions and Policies: Conduct a comprehensive audit of all Lambda functions and associated policies to ensure they adhere to the principle of least privilege.
  • Incident Response: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.

Additional Information:

For further guidance on managing Lambda functions and securing AWS environments, refer to the AWS Lambda documentation and AWS best practices for security. Additionally, consult the following resources for specific details on Lambda persistence techniques:

References

Related rules

to-top