[New Rule] AWS Lambda Execution Role Credentials Used Outside Lambda#6292
bryans3c wants to merge 11 commits into
Conversation
Pull request overview
Adds a new AWS CloudTrail ES|QL detection rule intended to identify potential theft and replay of AWS Lambda execution-role temporary credentials by correlating usage of the same assumed-role access key both inside the Lambda runtime and from an external/non-Lambda context.
Changes:
- Introduces a new ES|QL aggregation rule that groups CloudTrail activity by temporary access key id and flags keys used both with Lambda runtime markers and without them in the same window.
- Adds an investigation guide with triage, false positive, and remediation guidance specific to Lambda credential replay scenarios.
terrancedejesus left a comment
Couple of considerations. Logic and threat signal! Nice rule!
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
| | eval is_lambda_call = case( | ||
| user_agent.original LIKE "*exec-env/AWS_Lambda*" | ||
| or aws.cloudtrail.user_identity.invoked_by == "lambda.amazonaws.com", |
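Review bot: the `user_agent.original LIKE "*exec-env/AWS_Lambda*"` branch is the only condition in this `case()` that actually separates runtime calls, and it keys on a client-supplied header, so treat it as a weak marker and keep `source.ip` among the aggregates as the pivot for triage. Per the thread, `aws.cloudtrail.user_identity.invoked_by` is null on the AssumedRole events this rule groups, so the `or` clause can be dropped, and a second pattern for `awslambda-worker*` added on the same branch so cold-start log-group creation by the Lambda worker does not land in the external bucket.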
The only time I see this invoked_by value is when aws.cloudtrail.user_identity.type == AWSService. How are you comparing these AssumedRole Lambda calls to the original service Lambda calls?
Good catch Isai, you're right. I tested the rule with a detonation script and confirmed your observation in the alert data: invoked_by is null for all the AssumedRole events, so that side of the OR never fires. The user-agent check is carrying the whole detection. Digging into the alert payload also surfaced a related FP I want to flag: the user_agent_values on my detonation alert included awslambda-worker/1.0 rusoto/0.48.0 rust/1.94.0 linux events in the external bucket. That's the Lambda worker service creating CloudWatch log groups using the function's execution role on cold-start. With the rule as written, those land in external_call_count because they don't match exec-env/AWS_Lambda and invoked_by is null, which means a normal Lambda first-invocation could trigger this rule on its own with no attacker involvement.
Proposed fix:
- Drop the dead invoked_by clause
- Add awslambda-worker* to the Lambda runtime UA allow-list
Yes to both suggestions here.
| "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html", | ||
| "https://hackingthe.cloud/aws/exploitation/lambda-steal-iam-credentials/", | ||
| ] | ||
| risk_score = 73 |
Tested on Zocalo and it looks too common; you will need to baseline this behavior before assigning high severity.
…redentials_used_outside_lambda.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
| Esql.lambda_runtime_call_sum = sum(is_lambda_call), | ||
| Esql.total_call_count = count(), | ||
| Esql.source_ip_values = values(source.ip), | ||
| Esql.user_agent_values = values(user_agent.original), | ||
| Esql.event_action_values = values(event.action) |
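Review bot: the STATS in this hunk keeps no time bounds per key; add `Esql.first_seen = min(@timestamp)` and `Esql.last_seen = max(@timestamp)` beside the existing aggregates so an analyst can see the gap between in-runtime and external use of the key without re-querying.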
I'd also consider adding some @timestamp fields to support triage later
imays11 left a comment
Pending just a couple of changes, and then it looks good; nice rule idea. I agree with Samir about lowering severity if Zocalo shows high volume for this.
Pull Request
Issue link(s):
Summary - What I changed
Add detection of a single AWS Lambda execution-role credential (a temporary assumed-role access key) that is used both from inside the Lambda execution environment and from outside it within the same window. When a function runs, its temporary credentials are presented with the Lambda runtime user agent (containing "exec-env/AWS_Lambda") or with a request invoked by "lambda.amazonaws.com". An adversary who exfiltrates those credentials, typically through a server-side request forgery or remote code execution flaw in the function, can replay them from their own host, where the same access key appears without the Lambda runtime markers and from an unrelated source. Observing the same temporary key both inside and outside the runtime is a strong indicator of stolen Lambda credentials being abused.
How To Test
Query & data can be assessed in TRADE stack and other telemetry stacks.
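The correlation the PR summary describes, as an added example that is not the rule's ES|QL or the detection-rules project's code: the same per-key grouping run in Python over constructed CloudTrail-style events, with the `awslambda-worker*` runtime marker from the review thread folded in so a cold-start worker call is not counted as external use. Field names follow the ECS fields quoted in the PR; the events, keys and IPs are made up.

```python
# Added example, not the rule's ES|QL or the detection-rules project's code:
# the PR's correlation (one temporary key seen both with and without Lambda
# runtime markers) run in Python over constructed CloudTrail-style events.
from collections import defaultdict
from fnmatch import fnmatchcase

# Runtime markers: the SDK marker the rule uses plus the awslambda-worker UA
# the review thread adds to the allow-list (cold-start CreateLogGroup calls).
LAMBDA_UA_PATTERNS = ("*exec-env/AWS_Lambda*", "awslambda-worker*")

# Constructed events as (timestamp, access_key_id, user_agent, source_ip, action).
# Key ...01: runtime call plus a worker cold-start call (benign, must not fire).
# Key ...02: a runtime call, then the same key replayed from a non-Lambda host.
EVENTS = [
    ("2024-05-01T10:00:00Z", "ASIAEXAMPLE0000001",
     "awslambda-worker/1.0 rusoto/0.48.0 rust/1.94.0 linux", "52.0.0.10", "CreateLogGroup"),
    ("2024-05-01T10:00:01Z", "ASIAEXAMPLE0000001",
     "aws-sdk-js/3.0 os/linux exec-env/AWS_Lambda_nodejs18.x", "52.0.0.10", "GetObject"),
    ("2024-05-01T10:05:00Z", "ASIAEXAMPLE0000002",
     "Boto3/1.34 python/3.12 exec-env/AWS_Lambda_python3.12", "52.0.0.11", "ListBuckets"),
    ("2024-05-01T10:07:30Z", "ASIAEXAMPLE0000002",
     "aws-cli/2.15 Python/3.11 Linux/6.1", "203.0.113.7", "ListBuckets"),
]

def is_lambda_call(user_agent):
    """Mirror the rule's case(): true when the UA carries a Lambda runtime marker."""
    return any(fnmatchcase(user_agent or "", p) for p in LAMBDA_UA_PATTERNS)

def correlate(events=EVENTS):
    """Flag keys used both inside and outside the runtime; first/last seen added for triage."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev[1]].append(ev)
    flagged = {}
    for key, evs in by_key.items():
        lambda_calls = sum(is_lambda_call(e[2]) for e in evs)
        external = len(evs) - lambda_calls
        if lambda_calls == 0 or external == 0:
            continue  # all-inside or all-outside usage is not replay evidence
        flagged[key] = {
            "lambda_runtime_call_sum": lambda_calls,
            "external_call_count": external,
            "total_call_count": len(evs),
            "source_ip_values": sorted({e[3] for e in evs}),
            "user_agent_values": sorted({e[2] for e in evs}),
            "event_action_values": sorted({e[4] for e in evs}),
            "first_seen": min(e[0] for e in evs),
            "last_seen": max(e[0] for e in evs),
        }
    return flagged
```

Running `correlate()` on the sample flags only the second key; the first key's worker call is absorbed by the allow-list, which is exactly the false positive the thread describes.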