Lambda

When you’re reviewing Lambda execution roles, here are things you should always check:

  • Overly privileged execution roles (roles with permissions far beyond what the function actually needs)

  • Permissions like iam:PassRole that allow attaching or passing powerful roles to other AWS services

  • Broad service permissions such as ec2:*, s3:*, lambda:*, or other wildcarded service actions

  • Access to secrets via secretsmanager:GetSecretValue or unrestricted Parameter Store access

  • Exposed secrets in environment variables (API keys, tokens, database credentials)

  • Sensitive data in Lambda source code (hardcoded credentials, internal endpoints, trust assumptions)

  • Writable Lambda functions that allow you to update code, environment variables, or configuration

  • Writable event sources (S3, SQS, SNS, EventBridge) that can be abused to influence Lambda execution

  • Lambda functions running in a VPC with access to internal resources or metadata services

  • Functions with high-value triggers (CloudFormation, CI/CD pipelines, security automation)

############################
# AWS Lambda Enumeration Cheat Sheet
############################

############################
# 1. List Lambda Functions
############################

aws lambda list-functions --region <region>

# Info: function names, runtimes, ARNs, last modified
# Goal: identify interesting runtimes, legacy code, targets

############################
# 2. Inspect Function Details
############################

# Get full configuration (IAM role, env vars, timeout, memory)
aws lambda get-function-configuration --function-name <function-name>

# Red flags:
# - Environment variables (secrets, API keys)
# - Overpowered IAM role
# - Long timeout / high memory (useful for abuse)

# Get deployment details + code download URL
aws lambda get-function --function-name <function-name>

# Goal: download and analyze source code (hardcoded creds, logic flaws)

############################
# 3. Check Invocation Permissions
############################

# Resource-based policy (who can invoke it)
aws lambda get-policy --function-name <function-name>

# Red flags:
# - "Principal": "*"
# - Cross-account permissions
# - Public access via Function URL

############################
# 4. Identify Triggers / Event Sources
############################

# Async triggers (SQS, DynamoDB, Kinesis)
aws lambda list-event-source-mappings --function-name <function-name>

# Function URL (HTTP endpoint)
aws lambda get-function-url-config --function-name <function-name>

# Red flag:
# - AuthType = NONE  -> public HTTP endpoint
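The three commands in sections 2 to 4 return JSON that is tedious to eyeball across many functions. The script below is an added example (not part of the original cheat sheet) that triages that output for the red flags listed above: credential-looking environment variables, generous timeout/memory, a wildcard or cross-account principal in the resource-based policy, and a Function URL with AuthType NONE. It works on already-fetched output so it runs offline; the sample documents are constructed, the variable-name regex and the timeout/memory thresholds are my own heuristics, not AWS guidance.

```python
"""Triage the JSON from get-function-configuration, get-policy and
get-function-url-config for the red flags in the cheat sheet above."""
import json
import re

# Heuristic: variable names that usually carry credentials (assumption).
SECRET_NAME_RE = re.compile(r"KEY|SECRET|TOKEN|PASS(WORD|WD)?|CRED", re.IGNORECASE)
# AWS access key IDs start with AKIA (long-term) or ASIA (temporary) plus 16 chars.
AWS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
# Thresholds for "long timeout / high memory" are assumptions, tune per environment.
LONG_TIMEOUT_SECONDS = 600
HIGH_MEMORY_MB = 2048


def account_from_arn(arn):
    """12-digit account ID from an ARN, or the value itself if it is a bare account ID."""
    if arn.isdigit():
        return arn
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else ""


def find_secret_env_vars(config):
    """Names of env vars whose name or value looks like a credential."""
    variables = config.get("Environment", {}).get("Variables", {})
    return sorted(name for name, value in variables.items()
                  if SECRET_NAME_RE.search(name) or AWS_KEY_ID_RE.search(str(value)))


def resource_flags(config):
    """Flag Timeout / MemorySize settings above the (assumed) thresholds."""
    flags = []
    if config.get("Timeout", 0) >= LONG_TIMEOUT_SECONDS:
        flags.append(f"Timeout={config['Timeout']}s")
    if config.get("MemorySize", 0) >= HIGH_MEMORY_MB:
        flags.append(f"MemorySize={config['MemorySize']}MB")
    return flags


def _principal_entries(principal):
    """Normalise Principal to (kind, value) pairs; a bare "*" means {"AWS": "*"}."""
    if principal == "*":
        return [("AWS", "*")]
    return [(kind, value) for kind, values in principal.items()
            for value in (values if isinstance(values, list) else [values])]


def review_resource_policy(policy_output, own_account):
    """Flag Allow statements with a wildcard principal or a principal outside own_account.
    policy_output is the get-policy result; its "Policy" field is a JSON string."""
    document = json.loads(policy_output["Policy"])
    findings = []
    for statement in document.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", "<no Sid>")
        has_condition = "Condition" in statement
        for kind, value in _principal_entries(statement.get("Principal", {})):
            if value == "*":
                detail = ("Condition present, verify it narrows access"
                          if has_condition else "no Condition")
                findings.append((sid, "wildcard-principal", detail))
            elif kind == "AWS" and account_from_arn(value) != own_account:
                findings.append((sid, "cross-account", value))
    return findings


def is_public_function_url(url_config):
    """True when the Function URL requires no IAM auth (AuthType NONE)."""
    return url_config.get("AuthType") == "NONE"


def triage(config, policy_output, url_config):
    """Combine the checks into one report for a single function."""
    own_account = account_from_arn(config["FunctionArn"])
    return {"function": config["FunctionName"],
            "secret_env_vars": find_secret_env_vars(config),
            "resource_flags": resource_flags(config),
            "policy_findings": review_resource_policy(policy_output, own_account),
            "public_function_url": is_public_function_url(url_config)}


# Constructed sample output (CLI shapes, made-up values).
SAMPLE_CONFIG = {
    "FunctionName": "order-processor",
    "FunctionArn": "arn:aws:lambda:us-east-1:111111111111:function:order-processor",
    "Role": "arn:aws:iam::111111111111:role/order-processor-role",
    "Timeout": 900, "MemorySize": 3008,
    "Environment": {"Variables": {"DB_PASSWORD": "hunter2", "STRIPE_API_KEY": "sk_placeholder",
                                  "LOG_LEVEL": "INFO", "UPLOAD_ID": "AKIAEXAMPLEEXAMPLE01"}},
}
SAMPLE_POLICY = {"RevisionId": "constructed", "Policy": json.dumps({
    "Version": "2012-10-17", "Id": "default", "Statement": [
        {"Sid": "AllowS3Trigger", "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "lambda:InvokeFunction", "Resource": SAMPLE_CONFIG["FunctionArn"],
         "Condition": {"StringEquals": {"AWS:SourceAccount": "111111111111"}}},
        {"Sid": "PartnerInvoke", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "lambda:InvokeFunction", "Resource": SAMPLE_CONFIG["FunctionArn"]},
        {"Sid": "FunctionURLAllowPublicAccess", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunctionUrl", "Resource": SAMPLE_CONFIG["FunctionArn"],
         "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}}]})}
SAMPLE_URL_CONFIG = {"FunctionUrl": "https://constructed-id.lambda-url.us-east-1.on.aws/",
                     "AuthType": "NONE"}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CONFIG, SAMPLE_POLICY, SAMPLE_URL_CONFIG), indent=2))
```

Run it as-is to see the report for the constructed function; in practice feed it the output of the three CLI commands (`json.load` on each) per function from `list-functions`. A wildcard principal with a Condition is reported as "verify" rather than ignored, because the condition may be as narrow as an org ID or as open as the `lambda:FunctionUrlAuthType = NONE` clause in the sample.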

############################
# 5. Invoke Function (if allowed)
############################

aws lambda invoke \
  --function-name <function-name> \
  --payload '{"key":"value"}' \
  output.json

# Goal:
# - Test input validation
# - Trigger privileged actions
# - Abuse backend permissions

############################
# 6. Enumerate Attached IAM Role
############################

# Get role name from get-function-configuration
aws iam get-role --role-name <role-name>

# Managed policies
aws iam list-attached-role-policies --role-name <role-name>

# Inline policies
aws iam list-role-policies --role-name <role-name>

# Red flags:
# - "*"
# - iam:PassRole
# - secretsmanager:GetSecretValue
# - s3:*, dynamodb:*, ec2:*
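To check the red flags above against the policies returned by `get-role-policy` and `get-policy-version`, here is an added example (my own code, not from the cheat sheet) that walks an IAM policy document and reports wildcard actions, NotAction statements, sensitive actions such as iam:PassRole and secretsmanager:GetSecretValue (including when they are granted through a pattern like `secretsmanager:Get*`), and a `Resource: "*"` on any of those statements. The list of sensitive actions is a starting point I chose, not an AWS list; the sample policy is constructed.

```python
"""Review an IAM policy document from a Lambda execution role for the red flags above."""
import fnmatch

# Actions worth a second look even when not wildcarded (assumption: a starter list).
SENSITIVE_ACTIONS = (
    "iam:PassRole",
    "secretsmanager:GetSecretValue",
    "ssm:GetParameter",
    "ssm:GetParameters",
    "ssm:GetParametersByPath",
    "lambda:UpdateFunctionCode",
    "lambda:UpdateFunctionConfiguration",
)


def extract_document(cli_output):
    """Pull the document out of get-role-policy / get-policy-version output,
    or pass a bare policy document through unchanged."""
    if "PolicyDocument" in cli_output:       # aws iam get-role-policy
        return cli_output["PolicyDocument"]
    if "PolicyVersion" in cli_output:        # aws iam get-policy-version
        return cli_output["PolicyVersion"]["Document"]
    return cli_output


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard(action):
    """'*' or 'service:*' grants every action of a service."""
    return action == "*" or action.endswith(":*")


def review_policy_document(document):
    """Return (Sid, category, detail) tuples for risky Allow statements."""
    findings = []
    for index, statement in enumerate(document.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", f"statement-{index}")
        risky = False
        if "NotAction" in statement:
            findings.append((sid, "not-action", "allows everything except the listed actions"))
            risky = True
        for action in _as_list(statement.get("Action", [])):
            if _is_wildcard(action):
                findings.append((sid, "wildcard-action", action))
                risky = True
                continue
            # IAM matches action patterns case-insensitively, so compare lowercased.
            for sensitive in SENSITIVE_ACTIONS:
                if fnmatch.fnmatchcase(sensitive.lower(), action.lower()):
                    exact = sensitive.lower() == action.lower()
                    findings.append((sid, "sensitive-action",
                                     sensitive if exact else f"{sensitive} (via {action})"))
                    risky = True
        # Resource "*" only matters here once the statement already grants something risky.
        if risky and "*" in _as_list(statement.get("Resource", [])):
            findings.append((sid, "unrestricted-resource", "*"))
    return findings


# Constructed sample: an over-broad inline policy on an execution role.
SAMPLE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111111111111:*"},
        {"Sid": "Data", "Effect": "Allow",
         "Action": ["s3:*", "dynamodb:GetItem"], "Resource": "*"},
        {"Sid": "Deploy", "Effect": "Allow",
         "Action": ["iam:PassRole", "lambda:UpdateFunctionCode"], "Resource": "*"},
        {"Sid": "Secrets", "Effect": "Allow", "Action": "secretsmanager:Get*",
         "Resource": "arn:aws:secretsmanager:us-east-1:111111111111:secret:prod/*"},
    ],
}

if __name__ == "__main__":
    for sid, category, detail in review_policy_document(SAMPLE_ROLE_POLICY):
        print(f"{sid:10} {category:22} {detail}")
```

Feed `extract_document(json.load(f))` for each inline policy (`get-role-policy`) and each attached managed policy's default version (`get-policy-version`) into `review_policy_document`; the `Logs` statement in the sample produces no finding, which is the shape a least-privilege execution role should have.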

############################
# 7. Modify Function (Privilege Escalation / Persistence)
############################

# Update function code
aws lambda update-function-code \
  --function-name <function-name> \
  --zip-file fileb://payload.zip

# Update environment variables
aws lambda update-function-configuration \
  --function-name <function-name> \
  --environment "Variables={KEY=value}"

# Goal:
# - Persistence
# - Credential exfiltration
# - Lateral movement via IAM role

############################
# Lambda = IAM + Code + Triggers
# Always enumerate all three
############################
