AWS Lambda Event Source Mapping Creation

Identifies the creation of an AWS Lambda event source mapping, which connects an event source such as an Amazon SQS queue, an Amazon Kinesis or DynamoDB stream, an Amazon MSK or self-managed Apache Kafka topic, or an Amazon MQ broker to a Lambda function so the function is automatically invoked when new records arrive. Adversaries with "lambda:CreateEventSourceMapping" permissions can abuse this to establish stealthy, event-driven persistence and execution, or to continuously siphon records from a stream or queue into attacker-controlled function code. Because the function then runs on its own whenever the source produces events, this grants durable execution without any further interactive activity by the adversary.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/06/18"
integration = ["aws"]
maturity = "production"
updated_date = "2026/06/18"

[rule]
author = ["Elastic"]
description = """
Identifies the creation of an AWS Lambda event source mapping, which connects an event source such as an Amazon SQS
queue, an Amazon Kinesis or DynamoDB stream, an Amazon MSK or self-managed Apache Kafka topic, or an Amazon MQ broker to
a Lambda function so the function is automatically invoked when new records arrive. Adversaries with
"lambda:CreateEventSourceMapping" permissions can abuse this to establish stealthy, event-driven persistence and
execution, or to continuously siphon records from a stream or queue into attacker-controlled function code. Because the
function then runs on its own whenever the source produces events, this grants durable execution without any further
interactive activity by the adversary.
"""
false_positives = [
    """
    Application teams and infrastructure-as-code pipelines routinely create event source mappings to wire data
    pipelines, queue consumers, and stream processors to Lambda functions. Verify whether the principal in
    `aws.cloudtrail.user_identity.arn`, the function, and the event source are expected for the workload. Known
    deployment roles and automation can be excluded after validation.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
interval = "5m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Lambda Event Source Mapping Creation"
note = """## Triage and analysis

### Investigating AWS Lambda Event Source Mapping Creation

AWS Lambda event source mappings poll an event source (Amazon SQS, Kinesis or DynamoDB streams, Amazon MSK or self-managed Kafka, or Amazon MQ) and invoke a target function as records arrive. Creating a mapping is a low-frequency, high-impact configuration change: it can establish event-driven persistence and execution, or quietly relay sensitive records from a stream or queue into attacker-controlled code.

This rule detects successful `CreateEventSourceMapping` calls. Investigate whether the principal, the target function, and the event source are expected for the environment.

#### Possible investigation steps

- Identify the actor in `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type`, and review `source.ip` and `user_agent.original` to determine whether the call came from the console, CLI, SDK, or automation.
- Inspect `aws.cloudtrail.request_parameters` for the `functionName`/`functionArn` and the `eventSourceArn` to identify the target function and the source queue, stream, topic, or broker.
- Determine whether the target function and the event source belong to the same application and account, and whether the function code, role, and recent changes are trusted (correlate with `CreateFunction`, `UpdateFunctionCode`, and `AddPermission`).
- Review whether the event source contains sensitive data (for example a DynamoDB stream or SQS queue carrying business records) that the mapping could be used to exfiltrate.
- Pivot on the same principal and access key for other recent Lambda, IAM, or data-plane activity.

### False positive analysis

- Event source mappings are a normal building block of serverless data pipelines and queue/stream consumers. Mappings created by approved deployment roles, CI/CD pipelines, or application teams are expected. Tune on `aws.cloudtrail.user_identity.arn`, `user_agent.original`, or known automation roles after validation.

### Response and remediation

- If the mapping is unauthorized, disable or delete it (`DeleteEventSourceMapping`) and review the target function's code, configuration, and execution role.
- Determine whether records were processed by the function while the mapping was active and assess potential data exposure.
- Rotate or restrict credentials for the principal that created the mapping if compromise is suspected, and constrain `lambda:CreateEventSourceMapping` to a small set of trusted roles.

### Additional information

- [AWS Lambda event source mappings](https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventsourcemapping.html)
- [CreateEventSourceMapping API](https://docs.aws.amazon.com/lambda/latest/api/API_CreateEventSourceMapping.html)
"""
references = [
    "https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventsourcemapping.html",
    "https://docs.aws.amazon.com/lambda/latest/api/API_CreateEventSourceMapping.html",
]
risk_score = 21
rule_id = "5619545b-9738-408c-bdb5-a2807e19133e"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS CloudTrail",
    "Data Source: AWS Lambda",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset: "aws.cloudtrail"
    and event.provider: "lambda.amazonaws.com"
    and event.action: CreateEventSourceMapping*
    and event.outcome: "success"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1578"
name = "Modify Cloud Compute Infrastructure"
reference = "https://attack.mitre.org/techniques/T1578/"

[[rule.threat.technique.subtechnique]]
id = "T1578.005"
name = "Modify Cloud Compute Configurations"
reference = "https://attack.mitre.org/techniques/T1578/005/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "aws.cloudtrail.user_identity.session_context.session_issuer.arn",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
]
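The following is an added worked example, not part of the Elastic rule above, that applies the rule's three query conditions to constructed CloudTrail records and then pulls out the fields the investigation steps ask for (actor, user agent, source IP, target function, event source ARN) plus a first-pass allowlist check for the false-positive tuning the note describes. It assumes raw CloudTrail JSON (eventSource, eventName, errorCode) in place of the ECS fields event.provider, event.action and event.outcome that the Elastic AWS integration maps them to, treating a record without errorCode as a successful call; the account id, ARNs and allowlist are constructed sample values.

```python
import json

def ct(name, itype, arn, **extra):
    """Build a constructed (not real) CloudTrail record for a Lambda API call."""
    rec = {"eventSource": "lambda.amazonaws.com", "eventName": name,
           "userIdentity": {"type": itype, "arn": arn}}
    rec.update(extra)
    return json.dumps(rec)

ACCT = "111122223333"  # constructed account id
CI_ROLE = f"arn:aws:sts::{ACCT}:assumed-role/ci-deploy-role/gha"
USER = f"arn:aws:iam::{ACCT}:user/contractor"
SAMPLE_LOG = [  # constructed log lines, one CloudTrail record per line
    ct("CreateEventSourceMapping20150331", "AssumedRole", CI_ROLE, userAgent="aws-cli/2.15.0",
       sourceIPAddress="203.0.113.10",
       requestParameters={"functionName": "orders-consumer",
                          "eventSourceArn": f"arn:aws:sqs:us-east-1:{ACCT}:orders"}),
    ct("CreateEventSourceMapping20150331", "IAMUser", USER, userAgent="Boto3/1.34.0",
       sourceIPAddress="198.51.100.7",
       requestParameters={"functionName": f"arn:aws:lambda:us-east-1:{ACCT}:function:reporting",
                          "eventSourceArn": f"arn:aws:dynamodb:us-east-1:{ACCT}:table/customers/stream/2024-01-01T00:00:00.000"}),
    # failed call: CloudTrail records errorCode, which maps to event.outcome "failure" (assumption)
    ct("CreateEventSourceMapping20150331", "IAMUser", USER, errorCode="AccessDeniedException",
       requestParameters={"functionName": "reporting"}),
    # unrelated Lambda API call, excluded by the event.action prefix match
    ct("ListFunctions20150331", "IAMUser", USER),
]

# Principals already validated as approved deployment automation (assumed allowlist for tuning).
KNOWN_AUTOMATION = {CI_ROLE}

def matches_rule(ev):
    """Mirror the rule's KQL: Lambda provider, CreateEventSourceMapping* action, successful outcome."""
    return (ev.get("eventSource") == "lambda.amazonaws.com"
            and ev.get("eventName", "").startswith("CreateEventSourceMapping")
            and "errorCode" not in ev)

def triage(ev):
    """Extract the investigation-guide fields and flag sources that typically carry business records."""
    params = ev.get("requestParameters", {})
    src = params.get("eventSourceArn", "")
    service = src.split(":")[2] if src.count(":") >= 5 else None  # third ARN component is the service
    return {"actor": ev["userIdentity"]["arn"], "actor_type": ev["userIdentity"]["type"],
            "user_agent": ev.get("userAgent"), "source_ip": ev.get("sourceIPAddress"),
            "function": params.get("functionName"), "event_source": src,
            "source_service": service,
            "review_data_exposure": service in {"dynamodb", "kinesis", "sqs"},
            "known_automation": ev["userIdentity"]["arn"] in KNOWN_AUTOMATION}

def run_detection(lines):
    """Return a triage summary for every record the rule would alert on."""
    return [triage(ev) for ev in map(json.loads, lines) if matches_rule(ev)]
```

Running `run_detection(SAMPLE_LOG)` yields two hits: the CI role's SQS mapping (flagged as known automation) and the IAM user's DynamoDB stream mapping, which is the one an analyst would take through the data-exposure review.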
