Severity: high

AWS IAM Privilege Operations via Lambda Execution Role

Detection of IAM API calls that create or empower IAM users and roles, attach policies, or configure instance profiles when the caller is an assumed role session associated with AWS Lambda, potentially indicating privilege escalation or persistence.

This threat focuses on the abuse of AWS Lambda execution roles to perform sensitive IAM operations. Lambda functions, often running with over-permissioned roles, can be exploited by adversaries to escalate privileges and establish persistence within an AWS environment. An attacker gaining control of a Lambda function can leverage its execution role to make IAM API calls that would normally require elevated permissions. This includes creating new IAM users or roles, attaching policies to existing IAM entities, and modifying EC2 instance profiles. The scope of this threat includes any AWS environment utilizing Lambda functions with IAM permissions.

Attack Chain

  1. An attacker gains unauthorized access to a Lambda function, either through code injection, vulnerable dependencies, or misconfiguration.
  2. The attacker leverages the Lambda function’s execution role, which has excessive IAM permissions.
  3. The attacker executes IAM API calls, such as CreateUser, CreateRole, or CreateAccessKey, to create new IAM identities.
  4. The attacker uses AttachUserPolicy, PutUserPolicy, AttachRolePolicy, or PutRolePolicy to grant elevated permissions to the newly created or existing IAM identities.
  5. The attacker modifies instance profiles using CreateInstanceProfile and AddRoleToInstanceProfile to prepare EC2 instances for lateral movement.
  6. The attacker uses the newly created or modified IAM identities to assume roles via sts:AssumeRole and access resources they were not previously authorized to reach.
  7. The attacker achieves privilege escalation, gaining control over sensitive AWS resources and services.
  8. The attacker establishes persistence by creating rogue IAM users, roles, or access keys.

Impact

A successful attack can lead to full compromise of the AWS environment. An attacker could create highly privileged IAM users and roles, granting them the ability to access and control all AWS resources. This can result in data breaches, service disruptions, and financial losses. The impact is magnified in environments where Lambda functions are heavily relied upon for critical business operations.

Recommendation

  • Deploy the Sigma rule “AWS IAM Sensitive Operations via Lambda Execution Role” to your SIEM and tune for your environment to detect the described IAM API calls originating from Lambda execution roles.
  • Review and restrict the permissions granted to Lambda execution roles, following the principle of least privilege, to minimize the potential impact of a compromised function.
  • Monitor aws.cloudtrail.user_identity.arn to identify the Lambda function and associated deployment path responsible for the IAM API calls.
  • Investigate aws.cloudtrail.request_parameters for targets such as userName, groupName, roleName, policyArn, or instanceProfileName to understand the scope of the IAM operations.
  • Revoke or rotate the credentials of any compromised Lambda execution roles to prevent further unauthorized access.
  • Remediate any rogue IAM users, roles, or access keys created by the attacker to eliminate persistence mechanisms.
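The least-privilege review in the recommendations can be made mechanical: given a Lambda execution role's policy document, compute which of the sensitive IAM actions named in the attack chain it actually grants. The following is an added example, not the advisory's or any vendor's code; it handles `Action` given as a string or a list, IAM's case-insensitive wildcards (`*`, `iam:*`, `iam:Create*`) and `Deny` statements, and deliberately ignores `Resource`, `Condition` and `NotAction` (an assumption stated in the code, since a real evaluation would also have to honour them). The policy documents are constructed samples.

```python
"""Find which sensitive IAM actions a Lambda execution role policy grants.

Added example for reviewing execution roles against least privilege.
Assumptions: only Effect/Action are evaluated; Resource, Condition and
NotAction are ignored, so a hit here means "grantable in principle".
"""
import fnmatch

# The IAM API calls named in the advisory's attack chain, as IAM actions.
SENSITIVE_IAM_ACTIONS = {
    "iam:CreateUser", "iam:CreateRole", "iam:CreateAccessKey",
    "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:CreateInstanceProfile", "iam:AddRoleToInstanceProfile",
}


def _as_list(value):
    """IAM allows a bare string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_sensitive_actions(policy):
    """Return the set of sensitive actions an Allow grants and no Deny revokes."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt:  # NotAction statements are not evaluated (assumption)
            continue
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt["Action"]):
            bucket.update(a for a in SENSITIVE_IAM_ACTIONS if _matches(pattern, a))
    return allowed - denied


# Constructed sample: an over-permissioned execution role policy.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["logs:CreateLogGroup", "iam:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"},
    ],
}

# Constructed sample: a scoped execution role policy (logging plus one bucket).
NARROW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-orders-bucket/*"},  # placeholder bucket
    ],
}

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("narrow", NARROW_POLICY)):
        hits = granted_sensitive_actions(policy)
        print(f"{name}: {len(hits)} sensitive IAM action(s) grantable: {sorted(hits)}")
```

Run it against each execution role's inline and attached policy documents (for example, the output of `aws iam get-role-policy` / `aws iam get-policy-version`); any non-empty result for a function that has no business managing IAM identities is a candidate for tightening before it becomes the execution role in the attack chain above.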

Detection coverage (2)

AWS IAM Sensitive Operations via Lambda Execution Role

high

Detects successful IAM API calls that create or empower IAM users and roles, attach policies, or wire roles to instance profiles when the caller is an assumed role session associated with AWS Lambda.

Type: sigma
Tactics: persistence, privilege_escalation
Techniques: T1078.004, T1098, T1136.003
Sources: cloudtrail, aws

AWS IAM Sensitive Operations via Lambda User Agent

medium

Detects successful IAM API calls that create or empower IAM users and roles, attach policies, or wire roles to instance profiles when the user agent indicates AWS Lambda.

Type: sigma
Tactics: persistence, privilege_escalation
Techniques: T1078.004, T1098, T1136.003
Sources: cloudtrail, aws
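The two rules above differ only in how they tie the caller to Lambda: the high-severity rule keys on the assumed-role session, the medium-severity one on the user agent. The following is an added example, not the platform's Sigma rules, that applies both ideas to constructed CloudTrail records and extracts the `requestParameters` targets the recommendations say to investigate. It assumes that a session is "associated with Lambda" when the assumed role's name is on an operator-supplied list of known execution roles, and that a Lambda user agent contains `exec-env/AWS_Lambda` (the marker AWS SDKs append from the `AWS_EXECUTION_ENV` variable); both are stated in the code as assumptions.

```python
"""Flag successful sensitive IAM API calls made from Lambda execution-role sessions.

Added example implementing the advisory's two detection ideas over
constructed CloudTrail records. Assumptions: a session is tied to Lambda
when its role name is in an operator-supplied set (high), or when the user
agent carries the "exec-env/AWS_Lambda" marker (medium).
"""

# eventName values from the advisory's attack chain.
SENSITIVE_EVENTS = {
    "CreateUser", "CreateRole", "CreateAccessKey",
    "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy", "PutRolePolicy",
    "CreateInstanceProfile", "AddRoleToInstanceProfile",
}
# requestParameters keys the recommendations single out as targets.
TARGET_KEYS = ("userName", "groupName", "roleName", "policyArn", "instanceProfileName")
LAMBDA_UA_MARKER = "exec-env/AWS_Lambda"


def parse_assumed_role_arn(arn):
    """arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION -> (role, session) or None."""
    marker = ":assumed-role/"
    idx = arn.find(marker)
    if idx < 0:
        return None
    parts = arn[idx + len(marker):].split("/", 1)
    return (parts[0], parts[1]) if len(parts) == 2 and all(parts) else None


def classify(record, lambda_roles):
    """Return an alert dict for a matching record, else None."""
    if record.get("eventSource") != "iam.amazonaws.com":
        return None
    if record.get("eventName") not in SENSITIVE_EVENTS:
        return None
    if "errorCode" in record:  # both rules only fire on successful calls
        return None
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    parsed = parse_assumed_role_arn(ident.get("arn", ""))
    if parsed is None:
        return None
    role, session = parsed
    if role in lambda_roles:                                   # execution-role rule
        severity = "high"
    elif LAMBDA_UA_MARKER in record.get("userAgent", ""):      # user-agent rule
        severity = "medium"
    else:
        return None
    params = record.get("requestParameters") or {}
    return {
        "severity": severity, "event": record["eventName"],
        "arn": ident["arn"], "role": role, "session": session,  # session = function name
        "targets": {k: params[k] for k in TARGET_KEYS if k in params},
    }


def scan(records, lambda_roles):
    """Run classify() over an iterable of CloudTrail records, keeping the hits."""
    return [alert for alert in (classify(r, lambda_roles) for r in records) if alert]


# Constructed sample records (account id and names are placeholders).
_ACCOUNT = "123456789012"
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{_ACCOUNT}:assumed-role/orders-lambda-exec-role/orders-fn"},
     "userAgent": "aws-sdk-go/1.44.0 exec-env/AWS_Lambda_go1.x",
     "requestParameters": {"userName": "backup-admin"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{_ACCOUNT}:assumed-role/ci-deploy-role/deploy-session"},
     "userAgent": "Boto3/1.28.0 exec-env/AWS_Lambda_python3.11",
     "requestParameters": {"roleName": "ci-deploy-role",
                           "policyArn": f"arn:aws:iam::{_ACCOUNT}:policy/example-admin-policy"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",  # denied: ignored
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{_ACCOUNT}:assumed-role/orders-lambda-exec-role/orders-fn"},
     "userAgent": "aws-sdk-go/1.44.0 exec-env/AWS_Lambda_go1.x",
     "requestParameters": {"userName": "backup-admin"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",  # read-only: ignored
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{_ACCOUNT}:assumed-role/orders-lambda-exec-role/orders-fn"},
     "userAgent": "aws-sdk-go/1.44.0 exec-env/AWS_Lambda_go1.x"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",  # human admin: ignored
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{_ACCOUNT}:user/alice"},
     "userAgent": "console.amazonaws.com", "requestParameters": {"roleName": "app-role"}},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS, {"orders-lambda-exec-role"}):
        print(alert["severity"], alert["event"], alert["arn"], alert["targets"])
```

The session name in an assumed-role ARN is what the recommendations mean by "identify the Lambda function": for execution-role sessions it is the function name, which is why the alert carries it separately from the role. Feeding real records means reading each `Records[]` entry of a CloudTrail log file, or the `aws.cloudtrail.*` fields of a SIEM event, into `scan()`.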
