Lambda - Security
Last updated
Last updated
Following are some interesting security senarios :-
You have got access to Keys that has "GetFunction" permission, then its possible to view Environment variables of the lambda and even download the lambda function.
Permission needed : GetFunction
Command :
The output will contain all the environment variables that were configured with the lambda.
We have sucessfully compromised a Lambda which runs once every 10 mins and wants to leak all the events passed to the lambda.
There are 2 ways to poision a lambda :-
In case lambda function is using any import library, we can poision the respective library present in /var/runtime since these are refered by lambda whenever function is executed.
In case there is no import in the main lambda code, then poision bootstrap.py file at /var/runtime/bootstrap.py since this file is refered every single time lambda is executed by the init processor.
In order to leak out the even best way would be add couple of lines
Above code will query the Runtime and get the current even and pass on the data to the attacker server hereby exfilterating the event.
We have compromised a Lambda and have full access to the function and now want to backdoor the function. In order to backdoor it, we can add a malicious layer to the lambda function.
In order to create a layer, we first need to create a malicous file that can be later refered by the legit lambda code. For instance if the language is python then we need to create a zip with the our malicous file. The zip directory info should be python/lib/python3.9/site-packages/.
In the above example we have created a malicious zipfile which behaves as boto3. We now create a new lambda layer using the above zip file.
Once layer is ready, we will attach the layer to the target function
Now, anytime the function is executed, our layer code will also be loaded and executed prior to actual function execution hereby backdooring the function.
