AWS Lambda Function Invoked Cross-Account
Adversaries leverage cross-account access to invoke AWS Lambda functions from a different account than the function owner, enabling code execution or data retrieval, which requires AWS Lambda data event logging to detect.
This brief details a detection for cross-account AWS Lambda function invocations. Adversaries may leverage previously granted invoke permissions on a Lambda function, or operate from a separate attacker-controlled AWS account, to execute functions in a victim's environment. This activity, often a data-plane realization of an earlier cross-account resource-policy grant, allows an attacker to execute arbitrary code or retrieve sensitive data controlled by the function. The detection relies on capturing AWS Lambda data events through CloudTrail, which is not enabled by default, and identifying discrepancies between the invoking principal's account ARN (aws.cloudtrail.user_identity.arn) and the invoked function's owning account ARN (aws.cloudtrail.request_parameters). This behavior, while potentially legitimate in multi-account architectures, warrants investigation when observed.
Attack Chain
- An adversary gains control over an AWS account or secures
lambda:InvokeFunctionpermissions for a target Lambda function in a different AWS account. - The adversary initiates an
InvokeAPI call to the target Lambda function from their external or controlled AWS account. - The AWS Lambda service processes the cross-account invocation request, authenticating the invoking principal.
- The invoked Lambda function executes, performing its defined operations within the victim's AWS environment.
- AWS CloudTrail logs the successful
Invokedata event, including the ARN of the invoking principal and the ARN of the function. - The adversary potentially receives the function's output, allowing for data retrieval, or benefits from actions performed by the function, such as resource manipulation or further compromise.
Impact
If an unauthorized cross-account Lambda invocation succeeds, adversaries can execute arbitrary code within the context of the Lambda function's permissions, potentially leading to privilege escalation, data exfiltration from resources accessible by the function, or unauthorized modification of the victim's AWS environment. This can result in significant data breaches, service disruption, or complete compromise of the affected AWS account. While this activity can be legitimate in multi-account environments, unauthorized instances represent a critical security breach impacting data confidentiality, integrity, and availability.
Recommendation
- Enable AWS Lambda data event logging in CloudTrail, as described in the
setupsection of the source rule, to ensure the necessary telemetry is captured for this detection. - Implement the detection logic outlined in the provided Elastic rule within your SIEM to identify cross-account Lambda function invocations.
- When an alert triggers, review the
aws.cloudtrail.user_identity.arnandaws.cloudtrail.request_parametersfields to determine the caller and function accounts, validating against known, trusted cross-account access. - Investigate recent activity from the
Esql.caller_accountandEsql.source_ipsidentified by the detection for other suspicious cross-account actions. - If an unauthorized cross-account invocation is confirmed, promptly remove the
lambda:InvokeFunctionpermissions usingRemovePermissionand review what the function accessed or returned, as suggested in theresponse and remediationsection of the source.