Backdoor Lambda Function Through Resource-Based Policy
MITRE ATT&CK Tactics
Establishes persistence by backdooring a Lambda function to allow its invocation from an external AWS account.
- Create a Lambda function.
- Modify the Lambda function resource-based policy to allow lambda:InvokeFunction from an external, fictitious AWS account.
Detect this through IAM Access Analyzer, which triggers a finding when permissions are added to a Lambda function that make it public or accessible from another account.
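As a complement to Access Analyzer, the same condition can be checked directly against a function's resource-based policy document. The following is an added example, not code from the original page; the function name `external_invoke_grants`, the statement Sids and the account IDs are assumptions made for illustration.

```python
import json
import re
from fnmatch import fnmatchcase

# Matches a bare 12-digit account ID or an IAM/STS ARN and captures the account ID.
ACCOUNT_RE = re.compile(r"^(?:arn:aws[\w-]*:(?:iam|sts)::)?(\d{12})(?::.*)?$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def external_invoke_grants(policy_json, owner_account):
    """Return (Sid, principal) for each Allow statement that lets an AWS
    principal outside owner_account, or anyone ("*"), invoke the function.
    Condition blocks are not evaluated, so each result is a lead to review."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatchcase("lambda:invokefunction", a) for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):
            aws_principals = [principal]
        else:
            aws_principals = _as_list(principal.get("AWS", []))
        for p in aws_principals:
            m = ACCOUNT_RE.match(p)
            if p == "*" or (m and m.group(1) != owner_account):
                findings.append((stmt.get("Sid"), p))
    return findings

# Constructed sample: the JSON string found in the "Policy" field of
# `aws lambda get-policy` output. Account IDs are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "s3-trigger", "Effect": "Allow",
     "Principal": {"Service": "s3.amazonaws.com"},
     "Action": "lambda:InvokeFunction", "Resource": "*",
     "Condition": {"StringEquals": {"AWS:SourceAccount": "111122223333"}}},
    {"Sid": "same-account", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "lambda:InvokeFunction", "Resource": "*"},
    {"Sid": "cross-account", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
     "Action": "lambda:InvokeFunction", "Resource": "*"},
]})

if __name__ == "__main__":
    for sid, principal in external_invoke_grants(SAMPLE_POLICY, "111122223333"):
        print(f"external invoke grant: Sid={sid} principal={principal}")
```

Service principals are skipped here because they are the normal shape of event-source triggers; only AWS account, role or wildcard principals outside the owning account are reported.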