How is Lambda being invoked? And how do you currently know that some of your Lambda executions are malicious? If you have data that you (as a human) consume that shows you the malicious executions, then I would automate the scanning of that data.
If you don't have that data then the next best thing is to start logging things within the code, sending that to CloudWatch Logs (which should happen automatically) and then using that data to determine whether an execution is malicious or not.
If you think you are having a security issue, please create a support ticket with our security team to investigate further.
To your specific questions:
- CloudTrail will tell how the function was invoked but to get further information you're going to need to log from within your code.
- You need to produce logging from within your code to provide details on what your function is doing.
- See my notes above.
- I don't understand this part - is the Lambda function changing IAM roles? Or is it just getting new credentials? If the first, then you should be looking at your deployment patterns to find out where the role change is being initiated from. If the second, rotating credentials is normal and is handled by the Lambda service.
You have to define what "malicious" means in your case. For a concrete answer more information is required. Did you mean that someone from your organization creates a Lambda function that performs unwanted actions? Do you want to protect your functions from being executed by everyone? Why did a Lambda function change IAM Roles? Based on what you want to prevent you have to use different approaches, like IAM best practices, Lambda Authorizers, Service Control Policies, Web Application Firewall and so on.
I would recommend getting in contact with the support team. For this kind of question, basic support is not sufficient and you have to upgrade to at least Developer Support.
Malicious means Lambda command line injection, or an attacker changing the Lambda runtime; how to detect these two scenarios?
How is Lambda being invoked? We don't know how it is invoked; the attacker may test and deploy a Lambda function, or the attacker may go to the API GW invoke URL to launch the task. We know there is a Lambda attack because another team captured the screen "display the message that credentials be captured through lambda execution". So how to detect the two scenarios: (1) through Lambda execution, (2) through API GW? There may be other ways.
App logging is disabled at the Lambda function; we are now investigating the historical data, so app logging does not help for historical data.
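A defender-side illustration of the CloudTrail approach suggested in the answers above (added example code, not part of the thread or of any AWS tooling): given CloudTrail management records, it flags Lambda code or configuration changes made by a principal other than the expected deployment role, or that change the runtime, which is the "attacker changes the Lambda runtime" case asked about. The baseline, function name, ARNs and sample records are constructed; a real run would feed it records exported from the trail.

```python
from typing import Dict, Iterable, List
# Lambda mutation APIs; CloudTrail appends an API-version suffix (e.g. ...20150331v2).
MUTATING_PREFIXES = ("UpdateFunctionCode", "UpdateFunctionConfiguration", "CreateFunction")
# Constructed baseline: expected runtime and the only role allowed to change each function.
BASELINE: Dict[str, dict] = {
    "orders-api": {"runtime": "python3.9", "deployer": "arn:aws:iam::123456789012:role/ci-deploy"},
}

def flag_events(records: Iterable[dict], baseline: Dict[str, dict]) -> List[dict]:
    """Return one finding per Lambda code/config change that deviates from the baseline."""
    findings = []
    for rec in records:
        name = rec.get("eventName", "")
        if rec.get("eventSource") != "lambda.amazonaws.com" or not name.startswith(MUTATING_PREFIXES):
            continue  # Invoke data events and non-Lambda events are out of scope for this check
        fn = (rec.get("requestParameters") or {}).get("functionName")
        expected = baseline.get(fn)
        reasons = []
        if expected is None:
            reasons.append("function not in baseline")
        else:
            # For assumed-role sessions, attribute the change to the role, not the session ARN
            ident = rec.get("userIdentity") or {}
            issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
            actor = issuer.get("arn") or ident.get("arn", "")
            if actor != expected["deployer"]:
                reasons.append(f"unexpected principal {actor}")
            new_rt = (rec.get("responseElements") or {}).get("runtime")
            if new_rt and new_rt != expected["runtime"]:
                reasons.append(f"runtime changed {expected['runtime']} -> {new_rt}")
        if reasons:
            findings.append({"eventTime": rec.get("eventTime"), "eventName": name,
                             "functionName": fn, "reasons": reasons})
    return findings

# Constructed sample records: a normal CI deploy, a runtime change by an IAM user, an invocation.
SAMPLE_RECORDS = [
    {"eventTime": "2023-05-01T10:00:00Z", "eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42",
                      "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/ci-deploy"}}},
     "requestParameters": {"functionName": "orders-api"}, "responseElements": {"runtime": "python3.9"}},
    {"eventTime": "2023-05-01T10:07:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"functionName": "orders-api", "runtime": "nodejs18.x"},
     "responseElements": {"runtime": "nodejs18.x"}},
    {"eventTime": "2023-05-01T10:08:00Z", "eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "userIdentity": {"type": "AWSService"}, "requestParameters": {"functionName": "orders-api"}},
]
```

Command injection inside an execution leaves no trace in CloudTrail; as the answers note, that scenario needs application-level logging to CloudWatch Logs, which this check does not replace.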