Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumexperimental

New AWS Lambda Function URL Configuration Created

Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls. This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Ivan SaakovCreated Thu Dec 19ec541962-c05a-4420-b9ea-84de072d18f4cloud
Log Source
AWScloudtrail
ProductAWS← raw: aws
Servicecloudtrail← raw: cloudtrail
Detection Logic
Detection Logic1 selector
detection:
    selection:
        eventSource: lambda.amazonaws.com
        eventName: 'CreateFunctionUrlConfig'
    condition: selection
False Positives

Creating a Lambda function URL configuration may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

Creating a Lambda function URL configuration from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

References
1
Resolving title…
docs.aws.amazon.com
2
Resolving title…
cloud.hacktricks.xyz
3
Resolving title…
wiz.io
MITRE ATT&CK
Rule Metadata
Rule ID
ec541962-c05a-4420-b9ea-84de072d18f4
Status
experimental
Level
medium
Type
Detection
Created
Thu Dec 19
Author
Ivan Saakov
Path
rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml
Raw Tags
attack.initial-accessattack.privilege-escalation
View on GitHub