Backdoor Lambda Function Through Resource-Based Policy
Platform: AWS
MITRE ATT&CK Tactics
- Persistence
Description
Establishes persistence by backdooring a Lambda function's resource-based policy to allow its invocation from an external AWS account.
Warm-up:
- Create a Lambda function.
Detonation:
- Modify the Lambda function's resource-based policy to allow lambda:InvokeFunction from an external, fictitious AWS account.
Instructions
Detection
- Using CloudTrail's AddPermission20150331 and AddPermission20150331v2 events (the eventName carries the Lambda API version suffix, so match on both).
- Through IAM Access Analyzer, which triggers a finding when permissions are added to a Lambda function making it public or accessible from another account (an analyzer must be active in the account and region for the finding to be generated).
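Added example covering both the detonation step and the CloudTrail detection above; it is not code from the original page or from the Stratus Red Team project. The detonation is the real boto3 add_permission call, but the client is passed in (so the file runs offline); the account IDs, function name, statement ID and the CloudTrail records are constructed. The detection parses AddPermission20150331/AddPermission20150331v2 records and flags grants whose principal is outside the recipient account or public, while ignoring AWS service principals and calls that failed.

```python
"""Backdoored Lambda resource-based policy: detonation call and CloudTrail detection.

Added example; account IDs, function name and the CloudTrail records are constructed.
"""
import json

# Hypothetical account that owns the function; 222222222222 is the fictitious external account.
OWN_ACCOUNT_ID = "111111111111"

# CloudTrail logs Lambda AddPermission under both API-version-suffixed names.
ADD_PERMISSION_EVENTS = {"AddPermission20150331", "AddPermission20150331v2"}


def backdoor_function(lambda_client, function_name, external_account_id, statement_id="backdoor"):
    """Detonation: grant lambda:InvokeFunction on function_name to another account.

    lambda_client is expected to be a boto3 Lambda client (boto3.client("lambda"));
    the keyword arguments are the real add_permission API parameters.
    """
    return lambda_client.add_permission(
        FunctionName=function_name,
        StatementId=statement_id,
        Action="lambda:InvokeFunction",
        Principal=external_account_id,
    )


def is_external_principal(principal, own_account_id):
    """True if a policy principal is public or belongs to an account other than own_account_id."""
    if principal == "*":
        return True
    # Service principals (events.amazonaws.com, s3.amazonaws.com, ...) are not cross-account grants.
    if principal.endswith(".amazonaws.com"):
        return False
    # Principals may be a bare account ID or an ARN; the account ID is the fifth ARN field.
    if principal.startswith("arn:"):
        parts = principal.split(":")
        return len(parts) > 4 and parts[4] != own_account_id
    return principal != own_account_id


def find_backdoor_events(records):
    """Detection: findings for successful AddPermission calls granting rights outside the account."""
    findings = []
    for r in records:
        if r.get("eventSource") != "lambda.amazonaws.com":
            continue
        if r.get("eventName") not in ADD_PERMISSION_EVENTS:
            continue
        if r.get("errorCode"):  # denied or failed calls did not change the policy
            continue
        params = r.get("requestParameters") or {}
        principal = str(params.get("principal", ""))
        if is_external_principal(principal, r.get("recipientAccountId", OWN_ACCOUNT_ID)):
            findings.append({
                "time": r.get("eventTime"),
                "function": params.get("functionName"),
                "action": params.get("action"),
                "principal": principal,
                "actor": (r.get("userIdentity") or {}).get("arn"),
            })
    return findings


# Constructed CloudTrail records: one benign service grant, the detonation, and a denied attempt.
SAMPLE_EVENTS = [
    {
        "eventTime": "2024-01-01T10:00:00Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "AddPermission20150331v2",
        "recipientAccountId": OWN_ACCOUNT_ID,
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/deployer"},
        "requestParameters": {"functionName": "orders-api", "statementId": "eventbridge",
                              "action": "lambda:InvokeFunction", "principal": "events.amazonaws.com"},
    },
    {
        "eventTime": "2024-01-01T10:05:00Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "AddPermission20150331v2",
        "recipientAccountId": OWN_ACCOUNT_ID,
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/compromised"},
        "requestParameters": {"functionName": "orders-api", "statementId": "backdoor",
                              "action": "lambda:InvokeFunction", "principal": "222222222222"},
    },
    {
        "eventTime": "2024-01-01T10:06:00Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "AddPermission20150331",
        "errorCode": "AccessDenied",
        "recipientAccountId": OWN_ACCOUNT_ID,
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/readonly"},
        "requestParameters": {"functionName": "orders-api", "statementId": "backdoor2",
                              "action": "lambda:InvokeFunction", "principal": "*"},
    },
]

if __name__ == "__main__":
    print(json.dumps(find_backdoor_events(SAMPLE_EVENTS), indent=2))
```

The same detonation typed at a shell is `aws lambda add-permission --function-name orders-api --statement-id backdoor --action lambda:InvokeFunction --principal 222222222222`; the resulting policy can be reviewed afterwards with `aws lambda get-policy --function-name orders-api`, which is a useful second check when CloudTrail delivery lags.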