{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/lambda-layers/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Lambda","Lambda layers"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","lambda","supply-chain","misconfiguration","data-leakage"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat focuses on the malicious or accidental configuration change of an AWS Lambda layer's permission policy, detected when an entity modifies permissions to grant access to external AWS accounts, entire AWS Organizations, or even the public. The primary mechanism for this action is the \u003ccode\u003eAddLayerVersionPermission\u003c/code\u003e API call. This configuration allows other entities to utilize the code and dependencies packaged within the Lambda layer. Such external sharing, especially with the public, presents a significant risk of exposing proprietary code, sensitive data, or embedded secrets. Furthermore, it creates a potential supply-chain attack vector, where compromised or malicious layers could inject attacker-influenced code into functions that reference them, impacting their runtime integrity and leading to further compromise. While legitimate cross-account sharing can occur, public or broad external sharing warrants immediate and thorough investigation due to its severe security implications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003e[Omitted - The source describes a specific configuration change and its potential implications, not a multi-stage attack chain.]\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful external sharing of an AWS Lambda layer can result in the direct exposure and leakage of an organization's proprietary code and sensitive data, including API keys, database credentials, or other secrets embedded within the layer. If exploited as a supply-chain vector, an attacker could introduce malicious code into functions referencing the compromised layer, leading to various impacts such as unauthorized data exfiltration, remote code execution (RCE) within the function's execution environment, denial of service, or further lateral movement within the cloud environment. The broadness of access granted (e.g., to the public or an entire organization) directly correlates with the potential number of impacted entities and the scope of information exposure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect \u003ccode\u003eAddLayerVersionPermission\u003c/code\u003e calls in your AWS CloudTrail logs, particularly those granting public or external account access.\u003c/li\u003e\n\u003cli\u003eInvestigate all instances of \u003ccode\u003eAddLayerVersionPermission\u003c/code\u003e where the \u003ccode\u003eprincipal\u003c/code\u003e in \u003ccode\u003eaws.cloudtrail.request_parameters\u003c/code\u003e is \u003ccode\u003e*\u003c/code\u003e (public) or an external AWS account ID.\u003c/li\u003e\n\u003cli\u003eValidate the \u003ccode\u003elayerName\u003c/code\u003e and the granted \u003ccode\u003eprincipal\u003c/code\u003e against approved sharing practices for your organization, as noted in the \u003ccode\u003efalse_positives\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eIf unauthorized sharing is detected, immediately remove the layer permission using the \u003ccode\u003eRemoveLayerVersionPermission\u003c/code\u003e API call and rotate any secrets that may have been exposed within the layer.\u003c/li\u003e\n\u003cli\u003eRestrict the \u003ccode\u003elambda:AddLayerVersionPermission\u003c/code\u003e IAM permission to a limited set of trusted roles and principals to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T16:16:42Z","date_published":"2026-07-03T16:16:42Z","id":"https://feed.craftedsignal.io/briefs/2026-07-aws-lambda-layer-shared-externally/","summary":"This brief identifies the critical risk of an AWS Lambda layer's permission policy being modified, typically via the `AddLayerVersionPermission` API, to grant external AWS accounts, AWS Organizations, or the public access, potentially leading to the leakage of proprietary code or secrets and creating a supply-chain vector for attacker-influenced code execution in downstream functions.","title":"AWS Lambda Layer Shared Externally","url":"https://feed.craftedsignal.io/briefs/2026-07-aws-lambda-layer-shared-externally/"}],"language":"en","title":"CraftedSignal Threat Feed - Lambda Layers","version":"https://jsonfeed.org/version/1.1"}