
Summary
This detection rule identifies changes to AWS Lambda function resource-based policies that open a function to public invocation. It targets the `AddPermission` API call, which grants another principal permission to invoke a function, and fires when the `Principal` in the request is `*`: that wildcard lets any AWS account invoke the function, which is a significant exposure. Adversaries may add such a permission as a backdoor, so that the code in the function (running with the privileges of its execution role) can be triggered from outside the account at will. The rule queries CloudTrail events from the past hour and surfaces the context around each modification. Essential investigation steps include identifying the user or role that made the change, reviewing the request parameters (function name, statement ID, action, and any `SourceArn` or `SourceAccount` condition that narrows the grant), checking the geographic origin of the source IP address, and correlating the event with other suspicious activity by the same identity. The rule stresses that this context is what separates a legitimate policy update from a security breach. The false positive section covers legitimate scenarios in which Lambda owners update function policies for valid reasons. For unauthorized changes, the rule prescribes immediately reverting the change (removing the permission), enhanced monitoring of the affected function, and a comprehensive audit of Lambda function policies to ensure compliance with security best practices.
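The detection logic the summary describes, replayed over constructed CloudTrail records. This is an added example and not the rule's own query: it matches Lambda `AddPermission` events whose request `Principal` is `*` and then builds the investigation record the summary asks for (actor, source IP, function, statement, and any `SourceArn`/`SourceAccount` scoping). The severity split on scoping, and the `succeeded` flag derived from CloudTrail's `errorCode`, are added triage heuristics, not part of the rule. All account IDs, ARNs, IPs and function names below are made up.

```python
"""Flag AWS Lambda AddPermission calls that grant invocation to Principal "*".

Added example (not the detection rule's own query). Replays constructed
CloudTrail records through the logic the rule summary describes.
"""
from typing import Any, Dict, List

# Constructed sample records. Field layout follows CloudTrail's record format;
# every value (account IDs, ARNs, IPs, names) is invented for this example.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # public grant with no scoping condition: anyone with an AWS account can invoke
        "eventTime": "2024-04-30T09:12:44Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "AddPermission20150331v2",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy-bot"},
        "requestParameters": {"functionName": "order-processor", "statementId": "public-invoke",
                              "action": "lambda:InvokeFunction", "principal": "*"},
    },
    {   # Principal "*" pinned to one source account: typical service-trigger wiring
        "eventTime": "2024-04-30T09:15:02Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "AddPermission20150331v2",
        "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/CI/build"},
        "requestParameters": {"functionName": "thumbnailer", "statementId": "s3-trigger",
                              "action": "lambda:InvokeFunction", "principal": "*",
                              "sourceAccount": "111122223333"},
    },
    {   # grant to a specific service principal: not public, must be ignored
        "eventTime": "2024-04-30T09:20:10Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "AddPermission20150331v2",
        "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/CI/build"},
        "requestParameters": {"functionName": "nightly-report", "statementId": "eventbridge",
                              "action": "lambda:InvokeFunction", "principal": "events.amazonaws.com"},
    },
    {   # public grant that IAM denied: still worth a look, but it did not take effect
        "eventTime": "2024-04-30T09:31:57Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "AddPermission20150331v2",
        "errorCode": "AccessDenied",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy-bot"},
        "requestParameters": {"functionName": "order-processor", "statementId": "retry",
                              "action": "lambda:InvokeFunction", "principal": "*"},
    },
    {   # unrelated Lambda API call
        "eventTime": "2024-04-30T09:40:00Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "UpdateFunctionCode20150331v2",
        "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/CI/build"},
        "requestParameters": {"functionName": "thumbnailer"},
    },
]


def is_public_invoke_grant(event: Dict[str, Any]) -> bool:
    """True for a Lambda AddPermission record whose Principal is "*".

    CloudTrail suffixes Lambda event names with an API version
    (e.g. AddPermission20150331v2), hence the prefix match.
    """
    if event.get("eventSource") != "lambda.amazonaws.com":
        return False
    if not str(event.get("eventName", "")).startswith("AddPermission"):
        return False
    params = event.get("requestParameters") or {}
    return params.get("principal") == "*"


def triage(event: Dict[str, Any]) -> Dict[str, Any]:
    """Build the investigation record: who, from where, which function, how scoped."""
    params = event.get("requestParameters") or {}
    scoped_by = {k: params[k] for k in ("sourceArn", "sourceAccount") if k in params}
    return {
        "time": event.get("eventTime"),
        "actor": (event.get("userIdentity") or {}).get("arn"),
        "source_ip": event.get("sourceIPAddress"),
        "function": params.get("functionName"),
        "statement_id": params.get("statementId"),
        "action": params.get("action"),
        "scoped_by": scoped_by,
        # CloudTrail records a denied call with an errorCode; the grant never applied.
        "succeeded": "errorCode" not in event,
        # Added heuristic: an unscoped "*" is reachable from any AWS account; a "*"
        # narrowed by sourceArn/sourceAccount is usually legitimate trigger wiring.
        "severity": "medium" if scoped_by else "high",
    }


def find_public_invoke_grants(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run the detection over a batch of CloudTrail records, oldest first."""
    return [triage(e) for e in sorted(events, key=lambda e: e.get("eventTime", ""))
            if is_public_invoke_grant(e)]


if __name__ == "__main__":
    for finding in find_public_invoke_grants(SAMPLE_EVENTS):
        print(finding)
```

Note that the rule itself alerts on every `Principal: *` grant, scoped or not; the lower severity for scoped grants is only a triage hint for the false-positive review the summary mentions, and the `SourceAccount`/`SourceArn` values should be checked against accounts you actually own before dismissing an alert.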
Categories
- AWS
- Cloud
- Containers
- Other
Data Sources
- Cloud Service
- Application Log
- Network Traffic
ATT&CK Techniques
- T1546
Created: 2024-04-30