Malicious lambda execution detection


We have many Lambda execution events per hour; how do we find out which one is malicious? I have the questions below:

  1. If we use CloudTrail, which event names should we look at? We search for Lambda invocation calls, but it is difficult to separate malicious from non-malicious. How do we tell which one is malicious? Or should we search by resource ID, event type, or AWS key? But we don't know who performed the malicious Lambda.
  2. Currently from the CloudWatch log stream I only get AWSRequestId, memory utilization, and billing information; there are no other fields to identify what the Lambda code actually executed, which command/function it ran on AWS.
  3. Do we have another source to identify malicious Lambda execution? Do we have a Lambda execution log?
  4. If one Lambda function changes user IAM roles too frequently (7 times within one day), is it malicious? If it is malicious, what are the event names we should check?

2 Answers

How is Lambda being invoked? And how do you currently know that some of your Lambda executions are malicious? If you have data that you (as a human) consume that shows you the malicious executions then I would automate the scanning of that data.

If you don't have that data then the next best thing is to start logging things within the code, sending that to CloudWatch Logs (which should happen automatically) and then using that data to determine whether an execution is malicious or not.

If you think you are having a security issue, please create a support ticket with our security team to investigate further.

To your specific questions:

  1. CloudTrail will tell you how the function was invoked, but to get further information you're going to need to log from within your code.
  2. You need to produce logging from within your code to provide details on what your function is doing.
  3. See my notes above.
  4. I don't understand this part - is the Lambda function changing IAM roles? Or is it just getting new credentials? If the first, then you should be looking at your deployment patterns to find out where the role change is being initiated from. If the second, rotating credentials is normal and is handled by the Lambda service.
AWS EXPERT
answered 2 years ago
  • How is Lambda being invoked? We don't know how it is invoked. The attacker may test and deploy a Lambda function, or the attacker may go to the API Gateway invoke URL to launch the task. We know there is a Lambda attack because another team captured the screen "display the message that credentials be captured through Lambda execution". So how do we detect the two scenarios: (1) through Lambda execution, (2) through API Gateway? There may be other ways.

    App logging is disabled at the Lambda function. We are now investigating the historical data, so app logging does not help for historical data.
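The answer above says CloudTrail shows how a function was invoked and who changed it, and the question asks which event names to look at and whether frequent role changes are suspicious. The script below is an added example, not code from this thread or from AWS: it triages CloudTrail records (the `Records` list as written to a trail's S3 bucket or exported from Event History) for the control-plane events that alter a function (`UpdateFunctionCode20150331v2`, `UpdateFunctionConfiguration20150331v2`, `AddPermission20150331v2`) and counts execution-role changes per function per day against the 7-per-day figure from the question. The event names are the ones CloudTrail records for the Lambda API as far as I know them; confirm them against your own trail. The `Invoke` record is a Lambda data event, which CloudTrail only writes if data event logging was enabled for that function, so its presence in historical data is an assumption. The sample records, account ID, function name and role ARNs are constructed.

```python
"""Triage CloudTrail records for Lambda tampering signals (added example)."""
import json
from collections import defaultdict

# Constructed sample records in CloudTrail's "Records" shape (not real data).
ACCOUNT = "111122223333"  # placeholder account id
ADMIN = f"arn:aws:iam::{ACCOUNT}:user/deploy-admin"
STRANGER = f"arn:aws:iam::{ACCOUNT}:user/unknown-user"
EXPECTED_INVOKERS = (f"arn:aws:sts::{ACCOUNT}:assumed-role/api-gw-role/session",)


def _record(event_name, params, actor=ADMIN, time="2024-05-01T10:00:00Z"):
    return {
        "eventSource": "lambda.amazonaws.com",
        "eventName": event_name,
        "eventTime": time,
        "sourceIPAddress": "203.0.113.10",  # TEST-NET address, constructed
        "userIdentity": {"type": "IAMUser", "arn": actor},
        "requestParameters": params,
    }


SAMPLE_RECORDS = [
    # Benign read-only call: should produce no finding.
    _record("GetFunction20150331v2", {"functionName": "orders-handler"}),
    # Code replaced.
    _record("UpdateFunctionCode20150331v2", {"functionName": "orders-handler"}),
    # Runtime changed (the comment below mentions runtime tampering).
    _record("UpdateFunctionConfiguration20150331v2",
            {"functionName": "orders-handler", "runtime": "python3.12"}),
    # Invocation by a principal we do not expect (data event, if enabled).
    _record("Invoke", {"functionName": "orders-handler"}, actor=STRANGER),
] + [
    # Eight execution-role swaps on one day: exceeds the 7/day threshold.
    _record("UpdateFunctionConfiguration20150331v2",
            {"functionName": "orders-handler",
             "role": f"arn:aws:iam::{ACCOUNT}:role/role-{'a' if i % 2 else 'b'}"},
            time=f"2024-05-01T1{i}:00:00Z")
    for i in range(8)
]


def _actor(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("accessKeyId") or ident.get("type", "?")


def triage(records, role_change_threshold=7, expected_invokers=()):
    """Return a list of finding dicts; each has a 'signal' and a 'function'."""
    findings = []
    role_changes = defaultdict(list)  # (function, day) -> [(time, actor, role)]
    for rec in records:
        name = rec.get("eventName")
        params = rec.get("requestParameters") or {}
        fn = params.get("functionName", "?")
        actor = _actor(rec)
        when = rec.get("eventTime") or ""
        base = {"function": fn, "actor": actor, "time": when,
                "sourceIp": rec.get("sourceIPAddress")}
        if name == "UpdateFunctionCode20150331v2":
            findings.append({**base, "signal": "code_replaced"})
        elif name == "UpdateFunctionConfiguration20150331v2":
            if "runtime" in params:
                findings.append({**base, "signal": "runtime_changed",
                                 "detail": params["runtime"]})
            if "role" in params:
                role_changes[(fn, when[:10])].append((when, actor, params["role"]))
        elif name == "AddPermission20150331v2":
            findings.append({**base, "signal": "invoke_permission_granted",
                             "detail": params.get("principal")})
        elif name == "Invoke" and actor not in expected_invokers:
            findings.append({**base, "signal": "invoke_by_unexpected_principal"})
    # Aggregate role churn so eight swaps become one finding, not eight.
    for (fn, day), changes in role_changes.items():
        if len(changes) >= role_change_threshold:
            findings.append({"function": fn, "day": day, "signal": "role_churn",
                             "count": len(changes),
                             "actors": sorted({a for _, a, _ in changes}),
                             "roles": sorted({r for _, _, r in changes})})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, expected_invokers=EXPECTED_INVOKERS):
        print(json.dumps(f))
```

Without application logging, the function's CloudWatch log group only holds the START/END/REPORT lines the question describes, so for historical data the control-plane events above (retained 90 days in CloudTrail Event History even without a configured trail, longer in a trail's S3 bucket) are the record to work from; the role-churn finding lists which principals made the changes, which answers "who performed it" for question 4.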


You have to define what "malicious" means in your case. For a concrete answer more information is required. Did you mean that someone from your organization creates a Lambda function that performs unwanted actions? Do you want to protect your functions from being executed by everyone? Why did a Lambda function change IAM Roles? Based on what you want to prevent you have to use different approaches, like IAM best practices, Lambda Authorizers, Service Control Policies, Web Application Firewall and so on.

I would recommend getting in contact with the support team. For this kind of question basic support is not sufficient and you have to upgrade to at least Developer Support.

AWS
Marco
answered 2 years ago
  • Malicious means Lambda command line injection, or an attacker changing the Lambda runtime. How do we detect these two scenarios?
