# AWS - Lambda Post Exploitation

{{#include ../../../../banners/hacktricks-training.md}}

## Lambda

For more information check:

{{#ref}}
../../aws-services/aws-lambda-enum.md
{{#endref}}

### Exfiltrate Lambda Credentials

Lambda injects the credentials of the function's execution role through environment variables at run time. If you can read them (by reading `/proc/self/environ` or by abusing the vulnerable function itself), you can use those credentials yourself. They are stored in the default variable names `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN`.

By default these credentials can write to the function's CloudWatch log group (whose name is stored in `AWS_LAMBDA_LOG_GROUP_NAME`) and create new log groups, but Lambda functions are frequently granted many more permissions depending on what they do.

### `lambda:Delete*`

An attacker granted `lambda:Delete*` can delete Lambda functions, versions/aliases, layers, event source mappings and other related configuration.

```bash
aws lambda delete-function \
  --function-name <function-name>
```

### Steal Others Lambda URL Requests

If an attacker somehow manages to get RCE inside a Lambda, he will be able to steal the HTTP requests other users send to that Lambda. If those requests contain sensitive information (cookies, credentials...) he will be able to steal it.

{{#ref}}
aws-warm-lambda-persistence.md
{{#endref}}

### Steal Others Lambda URL Requests & Extensions Requests

By abusing Lambda Layers it is also possible to abuse extensions, not only to persist in the Lambda but also to steal and modify requests.

{{#ref}}
../../aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md
{{#endref}}

### AWS Lambda – VPC Egress Bypass

Force a Lambda function out of a restricted VPC by updating its configuration with an empty `VpcConfig` (`SubnetIds=[]`, `SecurityGroupIds=[]`). The function then runs in the Lambda-managed networking plane, regaining outbound internet access and bypassing the egress controls enforced by private VPC subnets without a NAT.

{{#ref}}
aws-lambda-vpc-egress-bypass.md
{{#endref}}

### AWS Lambda – Runtime Pinning/Rollback Abuse

Abuse `lambda:PutRuntimeManagementConfig` to pin a function to a specific runtime version (`Manual`) or to freeze runtime updates until the next function update (`FunctionUpdate`).
This preserves compatibility with malicious layers/wrappers and can keep the function on an outdated, vulnerable runtime to aid exploitation and long-term persistence.

{{#ref}}
aws-lambda-runtime-pinning-abuse.md
{{#endref}}

### AWS Lambda – Log Siphon via LoggingConfig.LogGroup Redirection

Abuse the advanced logging controls of `lambda:UpdateFunctionConfiguration` to redirect a function's logs to an attacker-chosen CloudWatch Logs log group. This works without changing the code or the execution role (most Lambda roles already include `logs:CreateLogGroup`, `logs:CreateLogStream` and `logs:PutLogEvents` via `AWSLambdaBasicExecutionRole`, so the role can also create the new group if it does not exist yet). If the function prints secrets or request bodies, or crashes with stack traces, you can collect them from the new log group.

{{#ref}}
aws-lambda-loggingconfig-redirection.md
{{#endref}}

### AWS - Lambda Function URL Public Exposure

Turn a private Lambda Function URL into a public unauthenticated endpoint by switching the Function URL `AuthType` to `NONE` and attaching a resource-based policy that grants `lambda:InvokeFunctionUrl` to everyone (principal `*`, typically with the condition `lambda:FunctionUrlAuthType: NONE`). Both changes are needed: with `AuthType` `NONE` but no such policy statement, anonymous requests are still rejected. This enables anonymous invocation of internal functions and can expose sensitive backend operations.

{{#ref}}
aws-lambda-function-url-public-exposure.md
{{#endref}}

### AWS Lambda – Event Source Mapping Target Hijack

Abuse `UpdateEventSourceMapping` to change the target Lambda function of an existing Event Source Mapping (ESM) so that records from DynamoDB Streams, Kinesis or SQS are delivered to an attacker-controlled function. This silently diverts live data without touching the producers or the original function's code.

{{#ref}}
aws-lambda-event-source-mapping-hijack.md
{{#endref}}

### AWS Lambda – EFS Mount Injection data exfiltration

Abuse `lambda:UpdateFunctionConfiguration` to attach an existing EFS Access Point to a Lambda, then deploy trivial code that lists/reads files from the mounted path to exfiltrate shared secrets/config that the function previously could not access. Note that EFS mounts require the function to be connected to a VPC that can reach the file system's mount targets, and the execution role needs `elasticfilesystem:ClientMount` (plus `elasticfilesystem:ClientWrite` to modify files).
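An added example that is not part of the original page nor HackTricks' own tooling: a Python helper covering the credential-exfiltration section above and the configuration-level techniques in the sections that follow it (VPC egress bypass, runtime pinning, LoggingConfig redirection, Function URL exposure and EFS mount injection). It parses a constructed `/proc/self/environ` dump into reusable credentials, then flags the traces each abuse leaves in responses shaped like `get-function-configuration`, `get-runtime-management-config`, `get-function-url-config` and `get-policy`. All sample data is constructed; the keys, ARNs and the `orders-api` function name are fabricated placeholders.

```python
"""Added example (not HackTricks' code): parse a /proc/self/environ dump for
the Lambda runtime credentials, then audit a function's configuration for the
UpdateFunctionConfiguration-style abuses described on this page.
All sample data below is constructed; keys and ARNs are fake placeholders."""
import json

# Constructed /proc/self/environ content: NUL-separated KEY=VALUE entries.
SAMPLE_ENVIRON = (
    b"AWS_LAMBDA_FUNCTION_NAME=orders-api\0"
    b"AWS_REGION=us-east-1\0"
    b"AWS_ACCESS_KEY_ID=ASIAEXAMPLEEXAMPLE01\0"
    b"AWS_SECRET_ACCESS_KEY=EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret0\0"
    b"AWS_SESSION_TOKEN=IQoJb3JpZ2luX2VjEEXAMPLE\0"
    b"AWS_LAMBDA_LOG_GROUP_NAME=/aws/lambda/orders-api\0"
    b"LAMBDA_TASK_ROOT=/var/task\0"
)


def parse_environ(raw: bytes) -> dict:
    """Split a /proc/<pid>/environ blob into a dict (entries are NUL-terminated)."""
    env = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, value = entry.split(b"=", 1)
            env[key.decode()] = value.decode(errors="replace")
    return env


def extract_lambda_credentials(env: dict) -> dict:
    """Return the three credential variables plus the context needed to use them.
    Access keys starting with ASIA are temporary STS keys, so the session token
    is mandatory; a missing variable means the dump is incomplete."""
    required = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")
    missing = [k for k in required if not env.get(k)]
    if missing:
        raise KeyError(f"incomplete credentials, missing {missing}")
    creds = {k: env[k] for k in required}
    creds["temporary"] = creds["AWS_ACCESS_KEY_ID"].startswith("ASIA")
    creds["region"] = env.get("AWS_REGION") or env.get("AWS_DEFAULT_REGION")
    creds["log_group"] = env.get("AWS_LAMBDA_LOG_GROUP_NAME")
    return creds


def credentials_as_exports(creds: dict) -> str:
    """Shell lines that load the stolen credentials into a local AWS CLI."""
    keys = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")
    lines = [f"export {k}='{creds[k]}'" for k in keys]
    if creds.get("region"):
        lines.append(f"export AWS_DEFAULT_REGION='{creds['region']}'")
    return "\n".join(lines)


# Constructed responses shaped like get-function-configuration,
# get-runtime-management-config, get-function-url-config and get-policy
# after an attacker applied the abuses described on this page.
SAMPLE_CONFIG = {
    "FunctionName": "orders-api",
    "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": []},
    "LoggingConfig": {"LogFormat": "Text", "LogGroup": "/aws/lambda/attacker-sink"},
    "FileSystemConfigs": [{"Arn": "arn:aws:elasticfilesystem:us-east-1:111111111111:"
                                  "access-point/fsap-0123456789abcdef0",
                           "LocalMountPath": "/mnt/shared"}],
}
SAMPLE_RUNTIME_MGMT = {"UpdateRuntimeOn": "Manual",
                       "RuntimeVersionArn": "arn:aws:lambda:us-east-1::runtime:example"}
SAMPLE_URL_CONFIG = {"AuthType": "NONE"}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "lambda:InvokeFunctionUrl",
    "Resource": "arn:aws:lambda:us-east-1:111111111111:function:orders-api",
    "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}}]})


def _is_public_principal(principal) -> bool:
    return principal == "*" or (isinstance(principal, dict)
                                and principal.get("AWS") in ("*", ["*"]))


def url_is_publicly_exposed(url_config, policy_json) -> bool:
    """AuthType NONE alone is not enough: anonymous callers also need an
    Allow statement granting lambda:InvokeFunctionUrl to everyone."""
    if not url_config or url_config.get("AuthType") != "NONE" or not policy_json:
        return False
    for st in json.loads(policy_json).get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (st.get("Effect") == "Allow" and _is_public_principal(st.get("Principal"))
                and any(a in ("lambda:InvokeFunctionUrl", "lambda:*", "*") for a in actions)):
            return True
    return False


def audit_function_config(cfg, runtime_mgmt, url_config, policy_json, expected_in_vpc):
    """Flag the configuration changes the techniques on this page leave behind."""
    findings = []
    name = cfg["FunctionName"]
    if expected_in_vpc and not (cfg.get("VpcConfig") or {}).get("SubnetIds"):
        findings.append("vpc-egress-bypass: VpcConfig empty, function left the VPC")
    log_group = (cfg.get("LoggingConfig") or {}).get("LogGroup")
    if log_group and log_group != f"/aws/lambda/{name}":  # default group name
        findings.append(f"log-siphon: logs redirected to {log_group}")
    for fs in cfg.get("FileSystemConfigs") or []:
        findings.append(f"efs-mount: {fs['Arn']} at {fs['LocalMountPath']}")
    mode = (runtime_mgmt or {}).get("UpdateRuntimeOn", "Auto")
    if mode != "Auto":
        findings.append(f"runtime-pinning: UpdateRuntimeOn={mode}")
    if url_is_publicly_exposed(url_config, policy_json):
        findings.append("public-function-url: AuthType NONE with public InvokeFunctionUrl")
    return findings


if __name__ == "__main__":
    print(credentials_as_exports(extract_lambda_credentials(parse_environ(SAMPLE_ENVIRON))))
    for f in audit_function_config(SAMPLE_CONFIG, SAMPLE_RUNTIME_MGMT,
                                   SAMPLE_URL_CONFIG, SAMPLE_POLICY, expected_in_vpc=True):
        print("FINDING", f)
```

Run as a script it prints the `export` lines for the constructed credentials and five findings for the constructed configuration; to use it for real, feed `parse_environ` the bytes of `/proc/self/environ` read from inside the function, and feed the audit the JSON returned by the corresponding AWS CLI or boto3 calls. `expected_in_vpc` has to come from your own baseline, since an empty `VpcConfig` is only suspicious for a function that was deliberately placed in a VPC.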
{{#ref}}
aws-lambda-efs-mount-injection.md
{{#endref}}

{{#include ../../../../banners/hacktricks-training.md}}