# Detecting Serverless Function Injection

## When to Use

- Auditing Lambda/Cloud Functions for code injection vulnerabilities where unsanitized event data flows into dangerous runtime functions (`eval`, `exec`, `child_process.exec`, `os.system`)
- Investigating incidents where an attacker modified function code or layers to establish persistence or exfiltrate data from the serverless environment
- Detecting privilege escalation paths where an adversary with `lambda:UpdateFunctionCode` and `iam:PassRole` can assume higher-privilege execution roles
- Analyzing event source poisoning attacks where malicious payloads are injected through S3 object uploads, SQS messages, DynamoDB stream records, or API Gateway requests that trigger function execution
- Building detection rules for SOC teams monitoring serverless workloads for unauthorized function modifications, layer additions, and suspicious invocation patterns
Do not use for load testing or denial-of-service simulation against serverless functions, for testing against production functions processing live customer data without explicit authorization, or for modifying IAM policies in shared accounts without change management approval.
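The first use case above is the one a code audit hits most often: an event field concatenated into a command string. As an added example that is not part of this skill's own files, the block below does two things: it runs a small AST-based scan for the sinks named above (a hypothetical subset of what `bandit` and `semgrep` rules cover, written from scratch here), and it shows the hardened form of an S3-triggered handler, where the event-derived value is allowlisted and handed to `subprocess` as an argv list with no shell. The vulnerable handler source, the S3 event envelope and the key values are constructed for the example.

```python
# Added example (not part of the skill): a minimal AST-based audit for the
# sinks listed above, alongside a hardened handler that never builds a shell
# string from event data. All source text and events below are constructed.
import ast
import re

# Sinks to flag. Hypothetical subset of what bandit/semgrep rules cover.
DIRECT_SINKS = {"eval", "exec", "os.system", "os.popen"}


def _dotted_name(node):
    """Return 'os.system'-style names for Name/Attribute call targets, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def find_injection_sinks(source: str):
    """Return sorted (line, sink) pairs for dangerous calls in Python source.

    subprocess.* calls are only flagged when shell=True is passed literally;
    an argv list with shell=False is not a shell-injection sink.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in DIRECT_SINKS:
            findings.append((node.lineno, name))
        elif name and name.startswith("subprocess."):
            shell_true = any(
                kw.arg == "shell"
                and isinstance(kw.value, ast.Constant)
                and kw.value.value is True
                for kw in node.keywords
            )
            if shell_true:
                findings.append((node.lineno, f"{name}(shell=True)"))
    return sorted(findings)


# Constructed handler with three unsanitized event-data-to-sink flows
# (lines 5, 6 and 7 of the string).
VULNERABLE_HANDLER = """\
import os, subprocess

def handler(event, context):
    key = event["Records"][0]["s3"]["object"]["key"]
    os.system(f"file /tmp/{key}")
    subprocess.run("gzip /tmp/" + key, shell=True)
    return eval(event.get("expr", "0"))
"""

# Hardened form: strict allowlist on the event-derived value, then an argv
# list for subprocess.run(argv, shell=False); no string ever reaches a shell.
# (The eval() on event["expr"] has no safe equivalent; drop it or use a
# purpose-built parser.)
SAFE_KEY = re.compile(r"[A-Za-z0-9._/-]{1,256}")


def hardened_argv(event):
    """Build the argv list for the S3 object named in a (constructed) S3 event."""
    key = event["Records"][0]["s3"]["object"]["key"]
    if (not SAFE_KEY.fullmatch(key)) or key.startswith("/") or ".." in key.split("/"):
        raise ValueError(f"rejected object key {key!r}")
    # '--' stops a key beginning with '-' from being parsed as an option.
    return ["file", "--", f"/tmp/{key}"]


def s3_event(key):
    """Constructed S3 put-event envelope carrying only the fields used above."""
    return {"Records": [{"s3": {"object": {"key": key}}}]}


def key_is_accepted(key):
    """True when hardened_argv would accept the key (handy for quick checks)."""
    try:
        hardened_argv(s3_event(key))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for line, sink in find_injection_sinks(VULNERABLE_HANDLER):
        print(f"line {line}: {sink}")
    print(hardened_argv(s3_event("uploads/report.txt")))
```

The scanner is deliberately narrow: it only reports a `subprocess` call when `shell=True` is a literal keyword, so `subprocess.run(["gzip", path])` is not reported, which is exactly the shape the hardened handler produces. The allowlist rejects anything outside `[A-Za-z0-9._/-]`, leading slashes and `..` path segments, so shell metacharacters never reach the argv list in the first place.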
## Prerequisites
- AWS account access with read permissions for Lambda, CloudTrail, IAM, CloudWatch Logs, and EventBridge
- AWS CLI v2 configured with appropriate credentials and region
- CloudTrail enabled with Data Events for Lambda (captures `Invoke` events) and Management Events (captures `UpdateFunctionCode`, `UpdateFunctionConfiguration`, `CreateFunction`)
- Python 3.9+ with `boto3`, `bandit` (Python SAST), and `semgrep` for static analysis
- Access to function source code or deployment packages for static analysis
- CloudWatch Logs Insights access for querying Lambda execution logs