AWS Lambda Function Invoked from an Unusual Source ASN
Identifies an AWS Lambda function invoked directly by a principal from a source network (ASN) not seen for that principal in the prior 10 days, excluding common cloud provider networks. Direct invocation from an unfamiliar external network can indicate use of stolen execution-role or user credentials from attacker-controlled infrastructure to execute functions or retrieve the data they return. This rule relies on AWS Lambda data event logging, which is not enabled by default.
Rule type: new_terms
Rule indices:
- logs-aws.cloudtrail-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: AWS
- Data Source: Amazon Web Services
- Data Source: AWS Lambda
- Use Case: Threat Detection
- Tactic: Execution
- Resources: Investigation Guide
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
Triage and analysis
Investigating AWS Lambda Function Invoked from an Unusual Source ASN
Lambda execution-role credentials and user credentials are frequently abused after theft (for example via SSRF or RCE against a function, or leaked access keys). When such credentials are replayed from attacker infrastructure, the resulting direct Invoke calls originate from a network the legitimate principal has not used. This rule uses a new terms approach over the source ASN organization and the principal, excluding common cloud provider networks, to surface invocation from unfamiliar external networks.
Possible investigation steps
- Review source.ip, source.as.organization.name, and source.geo for the invoking network and determine whether it is expected for the principal in aws.cloudtrail.user_identity.arn.
- Inspect aws.cloudtrail.request_parameters for the functionName and user_agent.original for the client used.
- Determine whether the credential (aws.cloudtrail.user_identity.access_key_id) was recently seen used elsewhere or outside the Lambda runtime, which would corroborate credential theft.
- Correlate with other activity by the same principal from the same network, including data-plane access, IAM, or STS calls.
False positive analysis
- New legitimate networks (offices, VPNs, home IPs, new egress) will generate this alert. Confirm the principal and network are expected and exclude known operator networks or identities after validation.
- If the source ASN is legitimate and expected, add it as an exclusion to reduce false positives.
Response and remediation
- If credential abuse is confirmed, rotate or revoke the affected credentials and execution-role permissions, and review what the invoked function accessed or returned.
- Constrain lambda:InvokeFunction to expected identities and, where possible, restrict invocation to known networks using IAM conditions.
Additional information
Setup
This rule requires AWS Lambda data events to be logged in CloudTrail and ingested via the AWS integration (aws.cloudtrail data stream). Lambda invocation (Invoke) is a data-plane event and is NOT logged by default; enable data event logging for Lambda functions in the trail (optionally scoped to sensitive functions to manage volume). Source ASN enrichment (source.as.organization.name) must be available on the ingested events.
Rule query
data_stream.dataset: "aws.cloudtrail"
and event.provider: "lambda.amazonaws.com"
and event.action: Invoke*
and event.outcome: "success"
and not aws.cloudtrail.user_identity.invoked_by: *
and source.as.organization.name:(* and not (Amazon* or AMAZON* or Google* or GOOGLE* or Microsoft* or MICROSOFT*))
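As an added illustration (not part of the Elastic rule or its code), the following Python simulates the query's filter clauses and the new_terms history window over constructed CloudTrail-style events; the flattened ECS field names, the sample principal ARN and the ASN organization names are assumptions, and the rule's real evaluation runs inside Elastic Security rather than in this script.

```python
from datetime import datetime, timedelta

ROLE = "arn:aws:sts::111122223333:assumed-role/app-exec-role/app"  # constructed principal ARN
NEW_TERMS_WINDOW = timedelta(days=10)  # the rule's "not seen in the prior 10 days" history window
CLOUD_PREFIXES = ("amazon", "google", "microsoft")  # ASN org prefixes the query excludes

def make_event(ts, asn_org, action="Invoke", outcome="success", invoked_by=None, arn=ROLE):
    """Build a flattened CloudTrail-style event using the ECS field names from the rule query."""
    return {"@timestamp": ts, "event.provider": "lambda.amazonaws.com", "event.action": action,
            "event.outcome": outcome, "aws.cloudtrail.user_identity.arn": arn,
            "aws.cloudtrail.user_identity.invoked_by": invoked_by,
            "source.as.organization.name": asn_org}

# Constructed sample events (not real telemetry) exercising each filter clause and the window.
EVENTS = [
    make_event("2024-05-01T10:00:00Z", "Example Telecom Corp"),                   # first sighting: alert
    make_event("2024-05-03T09:00:00Z", "Example Telecom Corp"),                   # seen 2 days ago: no alert
    make_event("2024-05-03T12:00:00Z", "AMAZON-02"),                              # cloud-provider ASN: filtered
    make_event("2024-05-04T08:00:00Z", "Example Hosting Ltd",
               invoked_by="cloudformation.amazonaws.com"),                        # service-invoked: filtered
    make_event("2024-05-04T09:00:00Z", "Example Hosting Ltd", outcome="failure"), # failed call: filtered
    make_event("2024-05-05T03:00:00Z", "Example Hosting Ltd"),                    # new ASN for ROLE: alert
    make_event("2024-05-20T10:00:00Z", "Example Telecom Corp"),                   # 17 days since last: alert
]

def matches_query(event):
    """Mirror the KQL filter: successful direct Invoke* with a non-cloud-provider source ASN."""
    asn_org = event.get("source.as.organization.name") or ""
    return (event.get("event.provider") == "lambda.amazonaws.com"
            and str(event.get("event.action", "")).startswith("Invoke")
            and event.get("event.outcome") == "success"
            and event.get("aws.cloudtrail.user_identity.invoked_by") is None
            and asn_org != "" and not asn_org.lower().startswith(CLOUD_PREFIXES))

def find_new_terms(events, window=NEW_TERMS_WINDOW):
    """Return events whose (principal ARN, ASN org) pair was not seen within the prior window.
    Events are processed in time order; a pair last seen more than `window` ago counts as new again."""
    last_seen, alerts = {}, []
    for event in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(event):
            continue
        key = (event["aws.cloudtrail.user_identity.arn"], event["source.as.organization.name"])
        ts = datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))
        previous = last_seen.get(key)
        if previous is None or ts - previous > window:
            alerts.append(event)
        last_seen[key] = ts
    return alerts
```

Only successful, non-service-invoked calls update the history, so a failed probe from a new network does not "pre-seed" the window for a later successful invocation from the same ASN.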
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Execution
  - ID: TA0002
  - Reference URL: https://attack.mitre.org/tactics/TA0002/
- Technique:
  - Name: Serverless Execution
  - ID: T1648
  - Reference URL: https://attack.mitre.org/techniques/T1648/