Loading

AWS Lambda Event Source Mapping Creation

Identifies the creation of an AWS Lambda event source mapping, which connects an event source such as an Amazon SQS queue, an Amazon Kinesis or DynamoDB stream, an Amazon MSK or self-managed Apache Kafka topic, or an Amazon MQ broker to a Lambda function so the function is automatically invoked when new records arrive. Adversaries with "lambda:CreateEventSourceMapping" permissions can abuse this to establish stealthy, event-driven persistence and execution, or to continuously siphon records from a stream or queue into attacker-controlled function code. Because the function then runs on its own whenever the source produces events, this grants durable execution without any further interactive activity by the adversary.

Rule type: query
Rule indices:

  • logs-aws.cloudtrail-*

Rule Severity: low
Risk Score: 21
Runs every: 5m
Searches indices from: now-6m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS CloudTrail
  • Data Source: AWS Lambda
  • Use Case: Threat Detection
  • Tactic: Persistence
  • Resources: Investigation Guide

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

AWS Lambda event source mappings poll an event source (Amazon SQS, Kinesis or DynamoDB streams, Amazon MSK or self-managed Kafka, or Amazon MQ) and invoke a target function as records arrive. Creating a mapping is a low-frequency, high-impact configuration change: it can establish event-driven persistence and execution, or quietly relay sensitive records from a stream or queue into attacker-controlled code.

This rule detects successful CreateEventSourceMapping calls. Investigate whether the principal, the target function, and the event source are expected for the environment.

  • Identify the actor in aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.type, and review source.ip and user_agent.original to determine whether the call came from the console, CLI, SDK, or automation.
  • Inspect aws.cloudtrail.request_parameters for the functionName/functionArn and the eventSourceArn to identify the target function and the source queue, stream, topic, or broker.
  • Determine whether the target function and the event source belong to the same application and account, and whether the function code, role, and recent changes are trusted (correlate with CreateFunction, UpdateFunctionCode, and AddPermission).
  • Review whether the event source contains sensitive data (for example a DynamoDB stream or SQS queue carrying business records) that the mapping could be used to exfiltrate.
  • Pivot on the same principal and access key for other recent Lambda, IAM, or data-plane activity.
  • Event source mappings are a normal building block of serverless data pipelines and queue/stream consumers. Mappings created by approved deployment roles, CI/CD pipelines, or application teams are expected. Tune on aws.cloudtrail.user_identity.arn, user_agent.original, or known automation roles after validation.
  • If the mapping is unauthorized, disable or delete it (DeleteEventSourceMapping) and review the target function's code, configuration, and execution role.
  • Determine whether records were processed by the function while the mapping was active and assess potential data exposure.
  • Rotate or restrict credentials for the principal that created the mapping if compromise is suspected, and constrain lambda:CreateEventSourceMapping to a small set of trusted roles.
data_stream.dataset: "aws.cloudtrail"
    and event.provider: "lambda.amazonaws.com"
    and event.action: CreateEventSourceMapping*
    and event.outcome: "success"
		

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK