<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Lambda Layers - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/lambda-layers/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 16:16:42 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/lambda-layers/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS Lambda Layer Shared Externally</title><link>https://feed.craftedsignal.io/briefs/2026-07-aws-lambda-layer-shared-externally/</link><pubDate>Fri, 03 Jul 2026 16:16:42 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-aws-lambda-layer-shared-externally/</guid><description>This brief identifies the critical risk of an AWS Lambda layer's permission policy being modified, typically via the `AddLayerVersionPermission` API, to grant external AWS accounts, AWS Organizations, or the public access, potentially leading to the leakage of proprietary code or secrets and creating a supply-chain vector for attacker-influenced code execution in downstream functions.</description><content:encoded><![CDATA[<p>This threat focuses on the malicious or accidental configuration change of an AWS Lambda layer's permission policy, detected when an entity modifies permissions to grant access to external AWS accounts, entire AWS Organizations, or even the public. The primary mechanism for this action is the <code>AddLayerVersionPermission</code> API call. This configuration allows other entities to utilize the code and dependencies packaged within the Lambda layer. Such external sharing, especially with the public, presents a significant risk of exposing proprietary code, sensitive data, or embedded secrets. Furthermore, it creates a potential supply-chain attack vector, where compromised or malicious layers could inject attacker-influenced code into functions that reference them, impacting their runtime integrity and leading to further compromise. While legitimate cross-account sharing can occur, public or broad external sharing warrants immediate and thorough investigation due to its severe security implications.</p>
<h2 id="attack-chain">Attack Chain</h2>
<p>[Omitted - The source describes a specific configuration change and its potential implications, not a multi-stage attack chain.]</p>
<h2 id="impact">Impact</h2>
<p>Successful external sharing of an AWS Lambda layer can result in the direct exposure and leakage of an organization's proprietary code and sensitive data, including API keys, database credentials, or other secrets embedded within the layer. If exploited as a supply-chain vector, an attacker could introduce malicious code into functions referencing the compromised layer, leading to various impacts such as unauthorized data exfiltration, remote code execution (RCE) within the function's execution environment, denial of service, or further lateral movement within the cloud environment. The broadness of access granted (e.g., to the public or an entire organization) directly correlates with the potential number of impacted entities and the scope of information exposure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to detect <code>AddLayerVersionPermission</code> calls in your AWS CloudTrail logs, particularly those granting public or external account access.</li>
<li>Investigate all instances of <code>AddLayerVersionPermission</code> where the <code>principal</code> in <code>aws.cloudtrail.request_parameters</code> is <code>*</code> (public) or an external AWS account ID.</li>
<li>Validate the <code>layerName</code> and the granted <code>principal</code> against approved sharing practices for your organization, as noted in the <code>false_positives</code> section.</li>
<li>If unauthorized sharing is detected, immediately remove the layer permission using the <code>RemoveLayerVersionPermission</code> API call and rotate any secrets that may have been exposed within the layer.</li>
<li>Restrict the <code>lambda:AddLayerVersionPermission</code> IAM permission to a limited set of trusted roles and principals to reduce the attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>lambda</category><category>supply-chain</category><category>misconfiguration</category><category>data-leakage</category></item></channel></rss>