detecting-serverless-function-injection


Detecting Serverless Function Injection

When to Use

  • Auditing Lambda/Cloud Functions for code injection vulnerabilities where unsanitized event data flows into dangerous runtime functions (eval, exec, child_process.exec, os.system)
  • Investigating incidents where an attacker modified function code or layers to establish persistence or exfiltrate data from the serverless environment
  • Detecting privilege escalation paths where an adversary with lambda:UpdateFunctionCode can run arbitrary code under an existing function's execution role, or with iam:PassRole plus lambda:CreateFunction or lambda:UpdateFunctionConfiguration can attach a higher-privilege execution role to a function they control
  • Analyzing event source poisoning attacks where malicious payloads are injected through S3 object uploads, SQS messages, DynamoDB stream records, or API Gateway requests that trigger function execution
  • Building detection rules for SOC teams monitoring serverless workloads for unauthorized function modifications, layer additions, and suspicious invocation patterns
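The first use case above is a taint question: does a value derived from the `event` argument reach eval, exec, os.system or a shell-enabled subprocess call? The following added example (not part of this skill's own tooling) implements that check as a small AST walk over a Python handler: it starts with the first handler parameter as tainted, propagates taint forward through assignments until nothing new is tainted, and then reports sink calls whose arguments reference a tainted name. The handler name `handler` and the two handler bodies are constructed samples for this example; the hardened body shows the two fixes that make the findings disappear, an argv list with no shell and an allowlisted dispatch table in place of eval.

```python
"""Static check for Lambda event data reaching code/command-execution sinks (added example)."""
import ast

# Sinks that execute code or a shell command built from their argument.
DIRECT_SINKS = {"eval", "exec", "os.system", "os.popen"}
# subprocess entry points count as sinks only with shell=True: an argv list
# without a shell cannot be turned into a second command by a crafted argument.
SUBPROCESS_SINKS = {"subprocess.run", "subprocess.call", "subprocess.Popen",
                    "subprocess.check_output", "subprocess.check_call"}


def dotted_name(node):
    """Return 'os.system' for an os.system Attribute chain, 'eval' for a bare Name, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def names_in(node):
    """All variable names referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def has_shell_true(call):
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
               for kw in call.keywords)


def find_event_to_sink_flows(source, handler_name="handler"):
    """Return [{'line', 'sink', 'tainted'}] for sink calls whose arguments derive from the event."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not (isinstance(func, ast.FunctionDef) and func.name == handler_name and func.args.args):
            continue
        # Lambda invokes handler(event, context): the first parameter is attacker-controlled.
        tainted = {func.args.args[0].arg}
        nodes = sorted((n for n in ast.walk(func) if isinstance(n, (ast.Assign, ast.AugAssign, ast.Call))),
                       key=lambda n: (n.lineno, n.col_offset))
        # Forward taint propagation through assignments, repeated until no new name
        # is tainted, so a value carried around a loop body is caught as well.
        grew = True
        while grew:
            grew = False
            for node in nodes:
                if isinstance(node, ast.Assign):
                    src, targets = node.value, node.targets
                elif isinstance(node, ast.AugAssign):
                    src, targets = node.value, [node.target]
                else:
                    continue
                if names_in(src) & tainted:
                    new = set().union(*(names_in(t) for t in targets)) - tainted
                    if new:
                        tainted |= new
                        grew = True
        for node in nodes:
            if not isinstance(node, ast.Call):
                continue
            sink = dotted_name(node.func)
            if sink in DIRECT_SINKS or (sink in SUBPROCESS_SINKS and has_shell_true(node)):
                args = node.args + [kw.value for kw in node.keywords]
                hit = set().union(*(names_in(a) for a in args)) & tainted
                if hit:
                    findings.append({"line": node.lineno, "sink": sink, "tainted": sorted(hit)})
    return findings


# Constructed sample: API Gateway body flows into a shell command and into eval.
VULNERABLE_HANDLER = '''
import json, os

def handler(event, context):
    body = json.loads(event["body"])
    target = body["host"]
    os.system("dig +short " + target)                # shell command built from event data
    return {"statusCode": 200, "body": str(eval(body["expr"]))}
'''

# Constructed sample: same inputs, validated and kept away from code/shell sinks.
HARDENED_HANDLER = '''
import json, re, subprocess

HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
OPS = {"add": lambda a, b: a + b, "mul": lambda a, b: a * b}

def handler(event, context):
    body = json.loads(event["body"])
    target = body["host"]
    if not HOST_RE.fullmatch(target):
        raise ValueError("invalid host")
    subprocess.run(["dig", "+short", target], check=False)   # argv list, no shell
    op = OPS[body["op"]]                                     # allowlisted dispatch, no eval
    return {"statusCode": 200, "body": str(op(1, 2))}
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_HANDLER), ("hardened", HARDENED_HANDLER)):
        print(label, find_event_to_sink_flows(src))
```

The propagation is deliberately coarse (any name on the right-hand side taints every name on the left, and sanitizers are not modelled), which is the right trade-off for an audit pass: it over-reports rather than misses a flow, and each finding is a single line to read. Run the same function over every `.py` in an extracted deployment package, or pair it with the semgrep and bandit rules listed under Prerequisites for the JavaScript and non-handler cases it does not cover.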

Do not use for load testing or denial-of-service simulation against serverless functions, for testing against production functions processing live customer data without explicit authorization, or for modifying IAM policies in shared accounts without change management approval.

Prerequisites

  • AWS account access with read permissions for Lambda, CloudTrail, IAM, CloudWatch Logs, and EventBridge
  • AWS CLI v2 configured with appropriate credentials and region
  • CloudTrail enabled with Data Events for Lambda (captures Invoke events) and Management Events (captures UpdateFunctionCode, UpdateFunctionConfiguration and CreateFunction; in CloudTrail these event names carry an API-version suffix such as UpdateFunctionCode20150331v2, so match on the action prefix rather than the bare name)
  • Python 3.9+ with boto3, bandit (Python SAST), and semgrep for static analysis
  • Access to function source code or deployment packages for static analysis
  • CloudWatch Logs Insights access for querying Lambda execution logs
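With the CloudTrail coverage above in place, the detection side of this skill reduces to reading management events for the write actions that change what a function runs and who it runs as. The following added example (not part of this skill's own content) triages a batch of CloudTrail records: it matches the Lambda write actions by prefix because of the version suffix CloudTrail appends, treats a role value in an UpdateFunctionConfiguration call as the PassRole path (iam:PassRole produces no CloudTrail event of its own; the passed role is only visible in the Lambda call's requestParameters), and otherwise flags code, layer and create actions from any principal outside an allowlisted deploy role. The records and the `TRUSTED_DEPLOYERS` ARN prefix are constructed for this example, and the requestParameters keys (`functionName`, `role`, `layers`) are assumed to mirror the Lambda API parameters as CloudTrail records them.

```python
"""Triage CloudTrail management events for unexpected Lambda code, role and layer changes (added example)."""
import json

# Assumed value: session ARN prefix of the CI role that is allowed to deploy functions.
TRUSTED_DEPLOYERS = ("arn:aws:sts::111122223333:assumed-role/ci-deploy/",)

# CloudTrail suffixes Lambda API names with an API version (UpdateFunctionCode20150331v2,
# CreateFunction20150331, ...), so the watch list is matched as prefixes.
WATCHED_PREFIXES = ("CreateFunction", "UpdateFunctionCode",
                    "UpdateFunctionConfiguration", "PublishLayerVersion")


def classify(record):
    """Return a reason string if the record is a change worth a ticket, else None."""
    if record.get("eventSource") != "lambda.amazonaws.com":
        return None
    name = record.get("eventName", "")
    if not name.startswith(WATCHED_PREFIXES):
        return None  # Invoke data events and read-only calls are out of scope here
    actor = record.get("userIdentity", {}).get("arn", "")
    params = record.get("requestParameters") or {}
    trusted = actor.startswith(TRUSTED_DEPLOYERS)
    # A role swap is always reported, even from the deploy role: it is the only
    # trace of iam:PassRole and decides which credentials the function code gets.
    if name.startswith("UpdateFunctionConfiguration") and "role" in params:
        return f"execution role changed to {params['role']}"
    if name.startswith("UpdateFunctionConfiguration") and "layers" in params:
        return None if trusted else "layers changed by untrusted principal"
    return None if trusted else f"{name} by untrusted principal"


def triage(records):
    """Run classify over a list of CloudTrail records and return the findings in order."""
    findings = []
    for r in records:
        reason = classify(r)
        if reason:
            findings.append({
                "time": r.get("eventTime"),
                "event": r.get("eventName"),
                "actor": r.get("userIdentity", {}).get("arn"),
                "function": (r.get("requestParameters") or {}).get("functionName"),
                "reason": reason,
            })
    return findings


# Constructed CloudTrail records: a CI deploy, then an IAM user pushing code, swapping
# the execution role and adding a layer, followed by two events that should be ignored.
SAMPLE_TRAIL = json.loads('''{"Records": [
 {"eventTime": "2026-03-21T10:00:00Z", "eventSource": "lambda.amazonaws.com",
  "eventName": "UpdateFunctionCode20150331v2",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/run-4711"},
  "requestParameters": {"functionName": "orders-api", "publish": true}},
 {"eventTime": "2026-03-21T10:05:00Z", "eventSource": "lambda.amazonaws.com",
  "eventName": "UpdateFunctionCode20150331v2",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-alice"},
  "requestParameters": {"functionName": "orders-api", "publish": false}},
 {"eventTime": "2026-03-21T10:06:00Z", "eventSource": "lambda.amazonaws.com",
  "eventName": "UpdateFunctionConfiguration20150331v2",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-alice"},
  "requestParameters": {"functionName": "orders-api", "role": "arn:aws:iam::111122223333:role/admin-role"}},
 {"eventTime": "2026-03-21T10:07:00Z", "eventSource": "lambda.amazonaws.com",
  "eventName": "UpdateFunctionConfiguration20150331v2",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-alice"},
  "requestParameters": {"functionName": "orders-api", "layers": ["arn:aws:lambda:us-east-1:111122223333:layer/helper:3"]}},
 {"eventTime": "2026-03-21T10:08:00Z", "eventSource": "lambda.amazonaws.com",
  "eventName": "Invoke",
  "userIdentity": {"type": "AWSService", "invokedBy": "apigateway.amazonaws.com"},
  "requestParameters": {"functionName": "orders-api"}},
 {"eventTime": "2026-03-21T10:09:00Z", "eventSource": "lambda.amazonaws.com",
  "eventName": "GetFunction20150331v2",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-alice"},
  "requestParameters": {"functionName": "orders-api"}}
]}''')["Records"]

if __name__ == "__main__":
    for f in triage(SAMPLE_TRAIL):
        print(f["time"], f["event"], f["actor"], f["function"], "->", f["reason"])
```

The same three conditions translate directly into a CloudWatch Logs Insights query or an EventBridge rule on the CloudTrail event stream; the prefix match and the allowlist on the session ARN are the two details that most often go wrong when the rule is written against the bare API names from the Lambda documentation.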
First seen: Mar 21, 2026