-
Identifies when an AWS Lambda function policy is updated to allow public invocation. This rule detects use of the AddPermission API where the Principal is set to "*", enabling any AWS account to invoke the function. Adversaries may abuse this configuration to establish persistence, create a covert execution path, or operate a function as an unauthenticated backdoor. Public invocation is rarely required outside very specific workloads and should be considered high-risk when performed unexpectedly.
Read More -
Identifies when a Lambda layer is added to an existing AWS Lambda function. Lambda layers allow shared code, dependencies, or runtime modifications to be injected into a function’s execution environment. Adversaries with the ability to update function configurations may add a malicious layer to establish persistence, run unauthorized code, or intercept data handled by the function. This activity should be reviewed to ensure the modification is expected and authorized.
Read More -
AWS Discovery API Calls via CLI from a Single Resource
Dec 8, 2025 · Domain: Cloud Data Source: AWS Data Source: AWS EC2 Data Source: AWS IAM Data Source: AWS S3 Data Source: AWS Cloudtrail Data Source: AWS RDS Data Source: AWS Lambda Data Source: AWS STS Data Source: AWS KMS Data Source: AWS SES Data Source: AWS Cloudfront Data Source: AWS DynamoDB Data Source: AWS Elastic Load Balancing Use Case: Threat Detection Tactic: Discovery Resources: Investigation Guide ·Detects when a single AWS resource is running multiple read-only, discovery API calls in a 10-second window. This behavior could indicate an actor attempting to discover the AWS infrastructure using compromised credentials or a compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to gain a better understanding of the target's infrastructure.
Read More