
Summary
This rule detects successful calls to AWS Lambda's AddLayerVersionPermission that grant usage of a Lambda layer version to another AWS account, an AWS Organization, or the public. Sharing a layer can leak code or secrets embedded in the layer and may enable downstream functions to load attacker-controlled code. The detection targets CloudTrail events indicating a permission change to a Lambda layer (AddLayerVersionPermission) and prioritizes public grants (principal = "*") as the highest risk. Cross-account sharing should be reviewed against approved practices. The rule does not attempt to block activity but flags it for immediate triage and potential containment.
The detection is engineered to surface potentially dangerous layer-sharing activity early, correlating with related CloudTrail fields to support incident response and attribution. It maps to threat scenarios where external or public layer access could become a supply-chain risk or enable unauthorized execution in serverless environments. The rule provides guidance on validating the legitimacy of the grant, identifying the actor, and understanding which functions reference the shared layer to assess impact and exposure.
MITRE ATT&CK mappings include:
- T1648: Serverless Execution (Execution) for usage of shared layers in a function's runtime
- T1578: Modify Cloud Compute Infrastructure (Defense Evasion), with subtechnique T1578.005: Modify Cloud Compute Configurations
Investigation steps emphasize inspecting request_parameters for layerName, version, action, and granted principal, as well as user_identity attributes (ARN, type) and network context (source IP, user_agent). Investigators should determine if the layer contains sensitive code or secrets, identify consuming functions, and correlate with prior related activity (e.g., PublishLayerVersion, function changes). Remediation emphasizes removing unauthorized access (RemoveLayerVersionPermission), rotating exposed secrets, and restricting future layer permission changes to trusted principals.
False positives can occur when legitimate internal sharing exists within an organization or with partners; exclude known distribution accounts or layers after validation.
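The triage logic described above, as an added Python example that is not part of the rule itself: it filters constructed CloudTrail records to successful AddLayerVersionPermission calls, ranks public grants highest, and extracts the request_parameters and user_identity fields the investigation steps call for. The record layout, the account IDs and the `trusted_accounts` allowlist are assumptions for this illustration.

```python
def _event(principal, org=None, error=None, actor="user/dev", ip="203.0.113.10"):
    """Build a constructed CloudTrail record shaped like the fields the rule inspects."""
    params = {"layerName": "shared-utils", "versionNumber": 3,
              "action": "lambda:GetLayerVersion", "principal": principal}
    if org:
        params["organizationId"] = org
    ev = {"eventSource": "lambda.amazonaws.com", "eventName": "AddLayerVersionPermission",
          "recipientAccountId": "111111111111", "sourceIPAddress": ip,
          "userAgent": "aws-cli/2.15.0", "requestParameters": params,
          "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::111111111111:{actor}"}}
    if error:
        ev["errorCode"] = error
    return ev

# Constructed sample records (not real data): public, org-scoped, cross-account,
# same-account, and a denied attempt that must not fire.
SAMPLE_EVENTS = [_event("*"), _event("*", org="o-exampleorgid"), _event("222222222222"),
                 _event("111111111111"), _event("*", error="AccessDenied", actor="user/intern")]

def classify_layer_grant(event, trusted_accounts=frozenset()):
    """Return (severity, reason) for an in-scope grant, or None if out of scope."""
    if event.get("eventName") != "AddLayerVersionPermission" or event.get("errorCode"):
        return None  # not a layer permission change, or a failed call (rule wants successes)
    params = event.get("requestParameters") or {}
    principal, org = params.get("principal"), params.get("organizationId")
    # AWS requires principal "*" when organizationId is set; "*" without an
    # organizationId is a public grant, the highest-risk case.
    if principal == "*":
        if org:
            return ("medium", f"shared with organization {org}")
        return ("high", "public grant (principal = *)")
    if principal == event.get("recipientAccountId"):
        return None  # same-account grant: ordinary layer use, not sharing
    if principal in trusted_accounts:
        return ("low", f"shared with approved account {principal}")
    return ("medium", f"cross-account grant to {principal}")

def triage_context(event):
    """Pull the fields the investigation steps call for: layer, grant and actor details."""
    p, u = event.get("requestParameters") or {}, event.get("userIdentity") or {}
    return {"layer": p.get("layerName"), "version": p.get("versionNumber"),
            "action": p.get("action"), "principal": p.get("principal"),
            "actor_arn": u.get("arn"), "actor_type": u.get("type"),
            "source_ip": event.get("sourceIPAddress"), "user_agent": event.get("userAgent")}

def scan(events, trusted_accounts=frozenset()):
    """Run the rule over a batch and return one alert dict per in-scope grant."""
    verdicts = ((classify_layer_grant(ev, trusted_accounts), ev) for ev in events)
    return [{"severity": v[0], "reason": v[1], **triage_context(ev)} for v, ev in verdicts if v]
```

The allowlist models the false-positive exclusion for known distribution accounts; the denied and same-account records show the two conditions under which the rule stays silent.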
Categories
- Cloud
Data Sources
- Cloud Service
ATT&CK Techniques
- T1648
- T1578
- T1578.005
Created: 2026-06-18