AWS Lambda Function Invoked by an Unusual Principal
Identifies the first time within the prior 14 days that a principal directly invokes an AWS Lambda function in an account, excluding invocations made on behalf of AWS services (normal event-source triggers). Adversaries who compromise credentials or move laterally may directly invoke functions to execute code, retrieve data returned by a function, or abuse an over-permissioned execution role. Direct, ad hoc invocation by a principal that does not normally call Lambda deviates from the usual event-driven invocation pattern and is worth reviewing. This rule relies on AWS Lambda data event logging, which is not enabled by default.
Rule type: new_terms
Rule indices:
- logs-aws.cloudtrail-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: AWS
- Data Source: Amazon Web Services
- Data Source: AWS Lambda
- Use Case: Threat Detection
- Tactic: Execution
- Resources: Investigation Guide
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
Triage and analysis
Investigating AWS Lambda Function Invoked by an Unusual Principal
Most Lambda invocations are driven by event sources (S3, EventBridge, SQS, API Gateway, etc.), which CloudTrail records with aws.cloudtrail.user_identity.invoked_by set to the calling service. A principal invoking a function directly (via the SDK, CLI, or console) is comparatively rare and, when it comes from an identity that does not normally do so, can indicate lateral movement, credential abuse, or data retrieval from a function. This rule uses a new terms approach to surface the first time a given principal directly invokes a function in an account within the prior 14 days.
Possible investigation steps
- Review aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.type, and aws.cloudtrail.user_identity.access_key_id to identify the actor, and source.ip / user_agent.original to determine how the call was made.
- Inspect aws.cloudtrail.request_parameters for the functionName and map it to its application, owner, and sensitivity.
- Determine whether the principal is expected to invoke functions directly and whether the activity aligns with an approved operation, test, or deployment.
- Correlate with recent activity by the same principal or access key, such as credential issuance, role assumption, or other data-plane access, and check whether the credential was recently seen from an unusual source.
False positive analysis
- Direct invocation is a normal operational and testing activity. Confirm whether the principal is a known operator or automation identity and exclude it on aws.cloudtrail.user_identity.arn after validation.
Response and remediation
- If the invocation is unauthorized, review what the function returns and accesses, and assess data exposure.
- Rotate or restrict credentials for the principal if compromise is suspected, and constrain lambda:InvokeFunction to the identities and services that require it.
Additional information
Setup
This rule requires AWS Lambda data events to be logged in CloudTrail and ingested via the AWS integration
(aws.cloudtrail data stream). Lambda invocation (Invoke) is a data-plane event and is NOT logged by default; enable
data event logging for Lambda functions in the trail (optionally scoped to sensitive functions to manage volume).
Rule query
data_stream.dataset: "aws.cloudtrail"
and event.provider: "lambda.amazonaws.com"
and event.action: Invoke*
and event.outcome: "success"
and not aws.cloudtrail.user_identity.invoked_by: *
and aws.cloudtrail.user_identity.arn: *
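The following is an added example, not part of the Elastic rule or its documentation. It replays the rule query above as Python predicates over a handful of constructed CloudTrail documents (flattened ECS field names, as the AWS integration emits them) and applies a simplified 14-day new-terms window, then pulls out the fields the investigation steps say to review. The new-terms key used here, the account id plus aws.cloudtrail.user_identity.arn, is an assumption because the page does not list the rule's exact new_terms fields; the exclusion set models the false-positive step of excluding a validated operator ARN.

```python
"""Added example (not Elastic's code): rule query + new-terms window over constructed events."""
import fnmatch
import json
from datetime import datetime, timedelta

NEW_TERMS_WINDOW = timedelta(days=14)  # history window stated in the rule description


def _ev(ts, arn, action="Invoke", outcome="success", invoked_by=None,
        func="payroll-export", ip="203.0.113.10", ua="aws-cli/2.15.0"):
    """Build one constructed CloudTrail-as-ECS document (sample data, not a real log)."""
    doc = {
        "@timestamp": ts,
        "data_stream.dataset": "aws.cloudtrail",
        "cloud.account.id": "123456789012",  # constructed account id
        "event.provider": "lambda.amazonaws.com",
        "event.action": action,
        "event.outcome": outcome,
        "aws.cloudtrail.user_identity.arn": arn,
        "aws.cloudtrail.request_parameters": json.dumps({"functionName": func}),
        "source.ip": ip,
        "user_agent.original": ua,
    }
    if invoked_by:  # present only when an AWS service called Lambda on the principal's behalf
        doc["aws.cloudtrail.user_identity.invoked_by"] = invoked_by
    return doc


DEPLOY_ROLE = "arn:aws:sts::123456789012:assumed-role/deploy-role/ci"  # constructed
IAM_USER = "arn:aws:iam::123456789012:user/alice"                       # constructed

SAMPLE_EVENTS = [
    # S3 event-source trigger: invoked_by is set, so the query excludes it
    _ev("2024-05-01T09:00:00Z", DEPLOY_ROLE, invoked_by="s3.amazonaws.com"),
    # first direct invocation by the deploy role -> new term
    _ev("2024-05-01T10:00:00Z", DEPLOY_ROLE),
    # same role two days later -> seen within 14 days, not new
    _ev("2024-05-03T10:00:00Z", DEPLOY_ROLE),
    # failed call is dropped by event.outcome: "success"
    _ev("2024-05-05T10:00:00Z", IAM_USER, outcome="failure"),
    # IAM user invoking directly from an unfamiliar client -> new term
    _ev("2024-05-20T02:13:00Z", IAM_USER, ip="198.51.100.7", ua="Boto3/1.34.0"),
    # deploy role again, 27 days after its last direct call -> outside the window, new again
    _ev("2024-05-30T10:00:00Z", DEPLOY_ROLE),
]


def matches_rule_query(doc):
    """Python equivalent of the KQL rule query on the page."""
    return (
        doc.get("data_stream.dataset") == "aws.cloudtrail"
        and doc.get("event.provider") == "lambda.amazonaws.com"
        and fnmatch.fnmatchcase(doc.get("event.action", ""), "Invoke*")
        and doc.get("event.outcome") == "success"
        # `not aws.cloudtrail.user_identity.invoked_by: *` -> field must be absent
        and not doc.get("aws.cloudtrail.user_identity.invoked_by")
        # `aws.cloudtrail.user_identity.arn: *` -> field must exist
        and bool(doc.get("aws.cloudtrail.user_identity.arn"))
    )


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_new_term_alerts(events, window=NEW_TERMS_WINDOW, exclusions=frozenset()):
    """One alert per (account id, principal ARN) not seen invoking Lambda directly
    within `window`. Key choice is an assumption; `exclusions` holds validated ARNs."""
    last_seen = {}
    alerts = []
    for doc in sorted(events, key=lambda d: _parse_ts(d["@timestamp"])):
        if not matches_rule_query(doc):
            continue
        arn = doc["aws.cloudtrail.user_identity.arn"]
        if arn in exclusions:
            continue
        ts = _parse_ts(doc["@timestamp"])
        key = (doc.get("cloud.account.id"), arn)
        prev = last_seen.get(key)
        if prev is None or ts - prev > window:
            params = json.loads(doc.get("aws.cloudtrail.request_parameters") or "{}")
            alerts.append({
                "timestamp": doc["@timestamp"],
                "principal": arn,
                "function": params.get("functionName"),   # triage: map to owner/sensitivity
                "source_ip": doc.get("source.ip"),        # triage: how the call was made
                "user_agent": doc.get("user_agent.original"),
            })
        last_seen[key] = ts
    return alerts


if __name__ == "__main__":
    for alert in find_new_term_alerts(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone it prints three alerts: the deploy role's first direct call, the IAM user's call, and the deploy role again once its last direct call has aged out of the 14-day window. Passing exclusions={DEPLOY_ROLE} after validating that identity, as the false-positive step suggests, leaves only the IAM user's alert.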
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Execution
  - ID: TA0002
  - Reference URL: https://attack.mitre.org/tactics/TA0002/
- Technique:
  - Name: Serverless Execution
  - ID: T1648
  - Reference URL: https://attack.mitre.org/techniques/T1648/