AWS Lambda Event Source Mapping Creation

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.


Identifies the creation of an AWS Lambda event source mapping, which connects an event source such as an Amazon SQS queue, an Amazon Kinesis or DynamoDB stream, an Amazon MSK or self-managed Apache Kafka topic, or an Amazon MQ broker to a Lambda function so the function is automatically invoked when new records arrive. Adversaries with "lambda:CreateEventSourceMapping" permissions can abuse this to establish stealthy, event-driven persistence and execution, or to continuously siphon records from a stream or queue into attacker-controlled function code. Because the function then runs on its own whenever the source produces events, this grants durable execution without any further interactive activity by the adversary.

Rule type: query

Rule indices:

  • logs-aws.cloudtrail-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS CloudTrail
  • Data Source: AWS Lambda
  • Use Case: Threat Detection
  • Tactic: Persistence
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide


Triage and analysis

Investigating AWS Lambda Event Source Mapping Creation

AWS Lambda event source mappings poll an event source (Amazon SQS, Kinesis or DynamoDB streams, Amazon MSK or self-managed Kafka, or Amazon MQ) and invoke a target function as records arrive. Creating a mapping is a low-frequency, high-impact configuration change: it can establish event-driven persistence and execution, or quietly relay sensitive records from a stream or queue into attacker-controlled code.

This rule detects successful CreateEventSourceMapping calls. Investigate whether the principal, the target function, and the event source are expected for the environment.

Possible investigation steps

  • Identify the actor in aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.type, and review source.ip and user_agent.original to determine whether the call came from the console, CLI, SDK, or automation.
  • Inspect aws.cloudtrail.request_parameters for the functionName/functionArn and the eventSourceArn to identify the target function and the source queue, stream, topic, or broker.
  • Determine whether the target function and the event source belong to the same application and account, and whether the function code, role, and recent changes are trusted (correlate with CreateFunction, UpdateFunctionCode, and AddPermission).
  • Review whether the event source contains sensitive data (for example a DynamoDB stream or SQS queue carrying business records) that the mapping could be used to exfiltrate.
  • Pivot on the same principal and access key for other recent Lambda, IAM, or data-plane activity.

False positive analysis

  • Event source mappings are a normal building block of serverless data pipelines and queue/stream consumers. Mappings created by approved deployment roles, CI/CD pipelines, or application teams are expected. Tune on aws.cloudtrail.user_identity.arn, user_agent.original, or known automation roles after validation.

Response and remediation

  • If the mapping is unauthorized, disable it (UpdateEventSourceMapping with Enabled set to false) or delete it (DeleteEventSourceMapping), then review the target function’s code, configuration, and execution role.
  • Determine whether records were processed by the function while the mapping was active and assess potential data exposure.
  • Rotate or restrict credentials for the principal that created the mapping if compromise is suspected, and constrain lambda:CreateEventSourceMapping to a small set of trusted roles.

Additional information

Rule query

data_stream.dataset: "aws.cloudtrail"
    and event.provider: "lambda.amazonaws.com"
    and event.action: CreateEventSourceMapping*
    and event.outcome: "success"
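The following is an added example, not part of the rule or of Elastic's code, that replays the four conditions of the query above over constructed CloudTrail documents and then pulls out the fields the investigation steps pivot on (actor, source IP, user agent, target function, event source ARN, and whether the source sits in a different account from the caller). The documents are constructed in the ECS layout of the aws.cloudtrail data stream with placeholder account IDs; it is assumed that aws.cloudtrail.request_parameters carries the requestParameters JSON as a string. The trailing wildcard in the query exists because Lambda API calls are logged with an API-version suffix on the event name (for example CreateEventSourceMapping20150331), which the example reproduces. The trusted-actor glob list illustrates the tuning suggested under False positive analysis.

```python
"""Replay the rule's conditions and triage pivots over constructed CloudTrail documents."""
import json
from fnmatch import fnmatchcase


def _get(doc, path):
    """Walk a dotted ECS path such as 'aws.cloudtrail.user_identity.arn'."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def matches_rule(doc):
    """Equivalent of the KQL rule query. startswith() plays the role of the
    trailing wildcard, which is needed because Lambda eventNames carry an
    API-version suffix such as CreateEventSourceMapping20150331."""
    return (
        _get(doc, "data_stream.dataset") == "aws.cloudtrail"
        and _get(doc, "event.provider") == "lambda.amazonaws.com"
        and str(_get(doc, "event.action") or "").startswith("CreateEventSourceMapping")
        and _get(doc, "event.outcome") == "success"
    )


def _account_of(arn):
    """Account ID is the fifth colon-separated field of an ARN."""
    parts = (arn or "").split(":")
    return parts[4] if len(parts) > 4 else None


def triage(doc):
    """Extract the investigation-guide fields. Assumes (not guaranteed by the
    page) that request_parameters is the requestParameters JSON as a string."""
    try:
        params = json.loads(_get(doc, "aws.cloudtrail.request_parameters") or "{}")
    except json.JSONDecodeError:
        params = {}
    actor = _get(doc, "aws.cloudtrail.user_identity.arn")
    source_arn = params.get("eventSourceArn")
    return {
        "actor": actor,
        "actor_type": _get(doc, "aws.cloudtrail.user_identity.type"),
        "source_ip": _get(doc, "source.ip"),
        "user_agent": _get(doc, "user_agent.original"),
        "function": params.get("functionName"),
        "event_source": source_arn,
        # A source owned by another account than the caller is the relay pattern
        # to scrutinise first: records leave their home account via the mapping.
        "cross_account": bool(source_arn) and _account_of(actor) != _account_of(source_arn),
    }


def run(docs, trusted_actor_globs=()):
    """Apply the rule, suppress hits from vetted automation roles, and return
    triage records for the remaining matches."""
    findings = []
    for doc in docs:
        if not matches_rule(doc):
            continue
        actor = _get(doc, "aws.cloudtrail.user_identity.arn") or ""
        if any(fnmatchcase(actor, g) for g in trusted_actor_globs):
            continue
        findings.append(triage(doc))
    return findings


def _doc(action, outcome, actor_arn, actor_type, params, ip, ua):
    """Build one constructed ECS-style CloudTrail document (not a real log)."""
    return {
        "data_stream": {"dataset": "aws.cloudtrail"},
        "event": {"provider": "lambda.amazonaws.com", "action": action, "outcome": outcome},
        "aws": {"cloudtrail": {"user_identity": {"arn": actor_arn, "type": actor_type},
                               "request_parameters": json.dumps(params)}},
        "source": {"ip": ip},
        "user_agent": {"original": ua},
    }


# Constructed sample documents; account IDs and names are placeholders.
SAMPLE_DOCS = [
    _doc("CreateEventSourceMapping20150331", "success",
         "arn:aws:sts::111122223333:assumed-role/ci-deploy/run-42", "AssumedRole",
         {"functionName": "orders-consumer",
          "eventSourceArn": "arn:aws:sqs:us-east-1:111122223333:orders"},
         "10.0.5.20", "aws-cli/2.15.0"),
    _doc("CreateEventSourceMapping20150331", "success",
         "arn:aws:iam::111122223333:user/dev-backup", "IAMUser",
         {"functionName": "relay",
          "eventSourceArn": "arn:aws:dynamodb:us-east-1:999988887777:table/customers/stream/2024-01-01T00:00:00.000"},
         "203.0.113.10", "console.amazonaws.com"),
    _doc("CreateEventSourceMapping20150331", "failure",   # AccessDenied: no alert
         "arn:aws:iam::111122223333:user/dev-backup", "IAMUser",
         {"functionName": "relay",
          "eventSourceArn": "arn:aws:kinesis:us-east-1:111122223333:stream/clicks"},
         "203.0.113.10", "aws-cli/2.15.0"),
    _doc("CreateFunction20150331", "success",                # different API: no alert
         "arn:aws:iam::111122223333:user/dev-backup", "IAMUser",
         {"functionName": "relay"}, "203.0.113.10", "aws-cli/2.15.0"),
]

# Hypothetical vetted deployment role, matched by glob on the session ARN.
TRUSTED_ACTORS = ("arn:aws:sts::111122223333:assumed-role/ci-deploy/*",)

if __name__ == "__main__":
    for finding in run(SAMPLE_DOCS, TRUSTED_ACTORS):
        print(json.dumps(finding, indent=2))
```

Run stand-alone, the script reports only the IAM-user mapping that points a function at a DynamoDB stream in another account; the CI role's mapping is suppressed by the glob, the failed call and the CreateFunction call never match. Widening the glob list is the tuning knob; the cross_account flag is the first thing to check on what remains.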

Framework: MITRE ATT&CK™