# AWS - Lambda Post Exploitation

{{#include ../../../../banners/hacktricks-training.md}}

## Lambda

For more information check:

{{#ref}}
../../aws-services/aws-lambda-enum.md
{{#endref}}

### Exfilrtate Lambda Credentials

Lambda uses environment variables to inject credentials at runtime. If you can get access to them (by reading `/proc/self/environ` or using the vulnerable function itself), you can use them yourself. They live in the default variable names `AWS_SESSION_TOKEN`, `AWS_SECRET_ACCESS_KEY`, and `AWS_ACCESS_KEY_ID`. 

By default, these will have access to write to a cloudwatch log group (the name of which is stored in `AWS_LAMBDA_LOG_GROUP_NAME`), as well as to create arbitrary log groups, however lambda functions frequently have more permissions assigned based on their intended use.

### Steal Others Lambda URL Requests

If an attacker somehow manage to get RCE inside a Lambda he will be able to steal other users HTTP requests to the lambda. If the requests contain sensitive information (cookies, credentials...) he will be able to steal them.

{{#ref}}
aws-warm-lambda-persistence.md
{{#endref}}

### Steal Others Lambda URL Requests & Extensions Requests

Abusing Lambda Layers it's also possible to abuse extensions and persist in the lambda but also steal and modify requests.

{{#ref}}
../../aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md
{{#endref}}

{{#include ../../../../banners/hacktricks-training.md}}