
AWS Lambda Function Policy Updated to Allow Cross-Account Invocation
Elastic Detection Rules
Summary
This rule detects changes to an AWS Lambda function resource policy where AddPermission is used to grant lambda:InvokeFunction permission to a principal in a different AWS account, enabling cross-account invocation. Such a grant can create a covert backdoor for execution or data exfiltration without altering the function code. The rule intentionally excludes public grants (principal = "*") and grants to AWS service principals, which are common for legitimate event triggers. It analyzes AWS CloudTrail logs (aws.cloudtrail) for events from the Lambda service (lambda.amazonaws.com) whose event name is AddPermission or a related variant, requires that the request parameters include the lambda:InvokeFunction action, and filters out wildcard principals and service principals (principals matching the .amazonaws.com pattern are dropped; all others are kept). The detection is designed to flag non-public, non-service cross-account grants that could indicate adversary activity. MITRE ATT&CK mappings include Event Triggered Execution (T1546) under Persistence and Modify Cloud Compute Infrastructure (T1578, with sub-technique T1578.005) under Defense Evasion, reflecting the potential persistence and evasion aspects. The rule provides triage guidance, remediation steps, and correlation opportunities, such as validating the external account against approved cross-account access and reviewing related policy changes or function configurations. False positives may arise in legitimate multi-account setups or partner integrations; validation should exclude known trusted accounts on a case-by-case basis. Remediation involves removing unauthorized permissions (RemovePermission), auditing function access, and tightening AddPermission controls.
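The matching logic described above, as an added example that is not Elastic's rule code: a small Python check run over constructed CloudTrail-style events. It assumes the rule matches event names beginning with AddPermission, reads the action and principal from requestParameters, compares the principal's account against recipientAccountId, and accepts an optional allow-list of trusted accounts for the false-positive case the summary mentions.

```python
SERVICE_SUFFIX = ".amazonaws.com"  # AWS service principals end with this


def principal_account(principal: str) -> str:
    """Return the account ID named by a principal: a bare 12-digit ID or an ARN."""
    if principal.startswith("arn:"):
        parts = principal.split(":")  # arn:partition:service:region:ACCOUNT:resource
        return parts[4] if len(parts) > 4 else ""
    return principal


def is_cross_account_invoke_grant(event: dict, trusted_accounts=frozenset()) -> bool:
    """Mirror the rule: Lambda AddPermission* granting lambda:InvokeFunction to a
    non-public, non-service principal from another (non-trusted) account."""
    if event.get("eventSource") != "lambda.amazonaws.com":
        return False
    if not str(event.get("eventName", "")).startswith("AddPermission"):
        return False
    params = event.get("requestParameters") or {}
    if params.get("action") != "lambda:InvokeFunction":
        return False
    principal = str(params.get("principal", ""))
    if principal == "*" or principal.endswith(SERVICE_SUFFIX):
        return False  # public and service-principal grants are excluded by design
    account = principal_account(principal)
    return account != event.get("recipientAccountId") and account not in trusted_accounts


def find_alerts(events, trusted_accounts=frozenset()):
    """Return (functionName, principal) for every event the rule would flag."""
    return [(e["requestParameters"]["functionName"], e["requestParameters"]["principal"])
            for e in events if is_cross_account_invoke_grant(e, trusted_accounts)]


def build_event(name, action, principal, account="111111111111"):
    """Constructed CloudTrail-shaped event (sample data, not a real log record)."""
    return {"eventSource": "lambda.amazonaws.com", "eventName": name,
            "recipientAccountId": account,
            "requestParameters": {"functionName": "billing-export", "statementId": "s1",
                                  "action": action, "principal": principal}}


SAMPLE_EVENTS = [  # constructed; account IDs are placeholders
    build_event("AddPermission20150331v2", "lambda:InvokeFunction", "222222222222"),  # flagged
    build_event("AddPermission20150331v2", "lambda:InvokeFunction", "*"),             # public
    build_event("AddPermission20150331v2", "lambda:InvokeFunction", "s3.amazonaws.com"),
    build_event("AddPermission20150331v2", "lambda:InvokeFunction", "arn:aws:iam::111111111111:role/deploy"),
    build_event("AddPermission20150331v2", "lambda:InvokeFunction", "arn:aws:iam::333333333333:root"),  # flagged
    build_event("RemovePermission20150331v2", "lambda:InvokeFunction", "222222222222"),
]

if __name__ == "__main__":
    for fn, principal in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: cross-account invoke grant on {fn} to {principal}")
```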
Categories
- Cloud
Data Sources
- Cloud Service
ATT&CK Techniques
- T1546
- T1578
- T1578.005
Created: 2026-06-18