New AWS Lambda Function URL Configuration Created
Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls. This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
Sigma rule (View on GitHub)
1title: New AWS Lambda Function URL Configuration Created
2id: ec541962-c05a-4420-b9ea-84de072d18f4
3status: experimental
4description: |
5 Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls.
6 This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
7references:
8 - https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunctionUrlConfig.html
9 - https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc
10 - https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws
11author: Ivan Saakov
12date: 2024-12-19
13tags:
14 - attack.initial-access
15 - attack.privilege-escalation
16logsource:
17 product: aws
18 service: cloudtrail
19detection:
20 selection:
21 eventSource: lambda.amazonaws.com
22 eventName: 'CreateFunctionUrlConfig'
23 condition: selection
24falsepositives:
25 - Creating a Lambda function URL configuration may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
26 - Creating a Lambda function URL configuration from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
27level: medium
References
-
Creates a Lambda function URL with the specified configuration parameters. A function URL is a dedicated HTTP(S) endpoint that you can use to invoke your function.
Read More -
lambda More info about lambda in: iam:PassRole, lambda:CreateFunction, (lambda:InvokeFunction | lambda:InvokeFunctionUrl) Users with the iam:PassRole, lambda:CreateFunction, and lambda:InvokeFuncti...
Read More -
Wiz cloud security researcher, Scott Piper, suggests measures organizations can adopt to ensure secure defaults on AWS and improve their security posture.
Read More
Related rules
- AWS Key Pair Import Activity
- Suspicious Processes Spawned by Java.EXE
- Exploitation Indicators Of CVE-2023-20198
- AWS Suspicious SAML Activity
- Account Tampering - Suspicious Failed Logon Reasons