{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/lambda/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS IAM","AWS Lambda"],"_cs_severities":["high"],"_cs_tags":["aws","iam","lambda","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis threat focuses on the abuse of AWS Lambda execution roles to perform sensitive IAM operations. Lambda functions, often running with over-permissioned roles, can be exploited by adversaries to escalate privileges and establish persistence within an AWS environment. An attacker gaining control of a Lambda function can leverage its execution role to make IAM API calls that would normally require elevated permissions. This includes creating new IAM users or roles, attaching policies to existing IAM entities, and modifying EC2 instance profiles. The scope of this threat includes any AWS environment utilizing Lambda functions with IAM permissions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a Lambda function, either through code injection, vulnerable dependencies, or misconfiguration.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the Lambda function\u0026rsquo;s execution role, which has excessive IAM permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker executes IAM API calls, such as \u003ccode\u003eCreateUser\u003c/code\u003e, \u003ccode\u003eCreateRole\u003c/code\u003e, or \u003ccode\u003eCreateAccessKey\u003c/code\u003e, to create new IAM identities.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eAttachUserPolicy\u003c/code\u003e, \u003ccode\u003ePutUserPolicy\u003c/code\u003e, \u003ccode\u003eAttachRolePolicy\u003c/code\u003e, or \u003ccode\u003ePutRolePolicy\u003c/code\u003e to grant elevated permissions to the newly created or existing IAM identities.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies instance profiles using \u003ccode\u003eCreateInstanceProfile\u003c/code\u003e and \u003ccode\u003eAddRoleToInstanceProfile\u003c/code\u003e to prepare EC2 instances for lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created or modified IAM identities to assume roles and access resources they were not previously authorized to access via \u003ccode\u003ests:AssumeRole\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves privilege escalation, gaining control over sensitive AWS resources and services.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating rogue IAM users, roles, or access keys.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to full compromise of the AWS environment. An attacker could create highly privileged IAM users and roles, granting them the ability to access and control all AWS resources. This can result in data breaches, service disruptions, and financial losses. The impact is magnified in environments where Lambda functions are heavily relied upon for critical business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS IAM Sensitive Operations via Lambda Execution Role\u0026rdquo; to your SIEM and tune for your environment to detect the described IAM API calls originating from Lambda execution roles.\u003c/li\u003e\n\u003cli\u003eReview and restrict the permissions granted to Lambda execution roles, following the principle of least privilege, to minimize the potential impact of a compromised function.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e to identify the Lambda function and associated deployment path responsible for the IAM API calls.\u003c/li\u003e\n\u003cli\u003eInvestigate \u003ccode\u003eaws.cloudtrail.request_parameters\u003c/code\u003e for targets such as \u003ccode\u003euserName\u003c/code\u003e, \u003ccode\u003egroupName\u003c/code\u003e, \u003ccode\u003eroleName\u003c/code\u003e, \u003ccode\u003epolicyArn\u003c/code\u003e, or \u003ccode\u003einstanceProfileName\u003c/code\u003e to understand the scope of the IAM operations.\u003c/li\u003e\n\u003cli\u003eRevoke or rotate the credentials of any compromised Lambda execution roles to prevent further unauthorized access.\u003c/li\u003e\n\u003cli\u003eRemediate any rogue IAM users, roles, or access keys created by the attacker to eliminate persistence mechanisms.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T20:57:28Z","date_published":"2026-05-01T20:57:28Z","id":"/briefs/2024-01-09-aws-lambda-iam-privilege-escalation/","summary":"Detection of IAM API calls that create or empower IAM users and roles, attach policies, or configure instance profiles when the caller is an assumed role session associated with AWS Lambda, potentially indicating privilege escalation or persistence.","title":"AWS IAM Privilege Operations via Lambda Execution Role","url":"https://feed.craftedsignal.io/briefs/2024-01-09-aws-lambda-iam-privilege-escalation/"}],"language":"en","title":"CraftedSignal Threat Feed — Lambda","version":"https://jsonfeed.org/version/1.1"}