Lambda uses environment variables to inject credentials at runtime. If you can get access to them (by reading /proc/self/environ or using the vulnerable function itself), you can use them yourself. They live in the default variable names AWS_SESSION_TOKEN, AWS_SECRET_ACCESS_KEY, and AWS_ACCESS_KEY_ID.

Per impostazione predefinita, queste avranno accesso per scrivere in un cloudwatch log group (il cui nome è memorizzato in AWS_LAMBDA_LOG_GROUP_NAME), oltre che creare log group arbitrari; tuttavia le funzioni lambda spesso hanno permessi aggiuntivi assegnati in base al loro uso previsto.

Steal Others Lambda URL Requests

If an attacker somehow manage to get RCE inside a Lambda he will be able to steal other users HTTP requests to the lambda. If the requests contain sensitive information (cookies, credentials...) he will be able to steal them.

{{#ref}} aws-warm-lambda-persistence.md {{#endref}}

Steal Others Lambda URL Requests & Extensions Requests

Abusing Lambda Layers it's also possible to abuse extensions and persist in the lambda but also steal and modify requests.

{{#ref}} ../../aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md {{#endref}}

AWS Lambda – VPC Egress Bypass

Force a Lambda function out of a restricted VPC by updating its configuration with an empty VpcConfig (SubnetIds=[], SecurityGroupIds=[]). The function will then run in the Lambda-managed networking plane, regaining outbound internet access and bypassing egress controls enforced by private VPC subnets without NAT.

Forza una Lambda function fuori da una VPC ristretta aggiornando la sua configurazione con un VpcConfig vuoto (SubnetIds=[], SecurityGroupIds=[]). La function verrà eseguita quindi nel Lambda-managed networking plane, riacquistando l'accesso internet in uscita e bypassando i controlli di egress imposti dalle private VPC subnets senza NAT.

{{#ref}} aws-lambda-vpc-egress-bypass.md {{#endref}}

AWS Lambda – Runtime Pinning/Rollback Abuse

Abuse lambda:PutRuntimeManagementConfig to pin a function to a specific runtime version (Manual) or freeze updates (FunctionUpdate). This preserves compatibility with malicious layers/wrappers and can keep the function on an outdated, vulnerable runtime to aid exploitation and long-term persistence.

Abusa di lambda:PutRuntimeManagementConfig per fissare una funzione su una specifica runtime version (Manual) o congelare gli aggiornamenti (FunctionUpdate). Questo preserva la compatibilità con malicious layers/wrappers e può mantenere la funzione su un runtime obsoleto e vulnerabile per facilitare l'exploitation e la persistenza a lungo termine.

{{#ref}} aws-lambda-runtime-pinning-abuse.md {{#endref}}

AWS Lambda – Log Siphon via LoggingConfig.LogGroup Redirection

Abuse lambda:UpdateFunctionConfiguration advanced logging controls to redirect a function’s logs to an attacker-chosen CloudWatch Logs log group. This works without changing code or the execution role (most Lambda roles already include logs:CreateLogGroup/CreateLogStream/PutLogEvents via AWSLambdaBasicExecutionRole). If the function prints secrets/request bodies or crashes with stack traces, you can collect them from the new log group.

Abusa dei controlli di advanced logging di lambda:UpdateFunctionConfiguration per reindirizzare i log di una funzione verso un CloudWatch Logs log group scelto dall'attacker. Questo funziona senza cambiare il codice o l'execution role (la maggior parte dei ruoli Lambda include già logs:CreateLogGroup/CreateLogStream/PutLogEvents tramite AWSLambdaBasicExecutionRole). Se la funzione stampa secrets/request bodies o va in crash con stack traces, puoi raccoglierli dal nuovo log group.

{{#ref}} aws-lambda-loggingconfig-redirection.md {{#endref}}

AWS - Lambda Function URL Public Exposure

Turn a private Lambda Function URL into a public unauthenticated endpoint by switching the Function URL AuthType to NONE and attaching a resource-based policy that grants lambda:InvokeFunctionUrl to everyone. This enables anonymous invocation of internal functions and can expose sensitive backend operations.

Trasforma una Lambda Function URL privata in un endpoint pubblico non autenticato cambiando il Function URL AuthType in NONE e allegando una resource-based policy che concede lambda:InvokeFunctionUrl a everyone. Questo permette l'invocazione anonima di funzioni interne e può esporre operazioni backend sensibili.

{{#ref}} aws-lambda-function-url-public-exposure.md {{#endref}}

AWS Lambda – Event Source Mapping Target Hijack

Abuse UpdateEventSourceMapping to change the target Lambda function of an existing Event Source Mapping (ESM) so that records from DynamoDB Streams, Kinesis, or SQS are delivered to an attacker-controlled function. This silently diverts live data without touching producers or the original function code.

Abusa di UpdateEventSourceMapping per cambiare la funzione Lambda target di un Event Source Mapping (ESM) esistente in modo che i record da DynamoDB Streams, Kinesis, o SQS vengano recapitati a una funzione controllata dall'attacker. Questo devia silenziosamente dati live senza toccare i producer o il codice della funzione originale.

{{#ref}} aws-lambda-event-source-mapping-hijack.md {{#endref}}

AWS Lambda – EFS Mount Injection data exfiltration

Abuse lambda:UpdateFunctionConfiguration to attach an existing EFS Access Point to a Lambda, then deploy trivial code that lists/reads files from the mounted path to exfiltrate shared secrets/config that the function previously couldn’t access.

Abusa di lambda:UpdateFunctionConfiguration per allegare un EFS Access Point esistente a una Lambda, quindi deploya codice triviale che lista/legge file dal path montato per exfiltrare shared secrets/config a cui la funzione prima non poteva accedere.

{{#ref}} aws-lambda-efs-mount-injection.md {{#endref}}

README.md Unescape Escape

AWS - Lambda Post Exploitation

Lambda

Exfilrtate Lambda Credentials