Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 7 Days |
| Required Data | |
| Detection Modules | Cloud |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
An AWS Lambda function's token was used from outside the cloud environment.
Attacker's Goals
Exfiltrate the token and abuse it remotely.
Investigative actions
- Check if the role is attached to the Lambda.
- Check if the IAM role was assumed by a different identity.
- Check what API calls were executed by the access key.
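The last two checks can be run over exported CloudTrail records. The following is an added example, not part of the original detector documentation: the role ARN, the trusted networks, the access key and the sample records are constructed, and the field names follow the CloudTrail record format.

```python
import ipaddress
from collections import defaultdict

# Assumptions supplied by the analyst (constructed values, not from the page).
LAMBDA_ROLE = "arn:aws:iam::111122223333:role/orders-fn-role"
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]

def session_event(name, ip, key):  # constructed record: API call made with the role session
    return {"eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole", "accessKeyId": key,
                             "sessionContext": {"sessionIssuer": {"arn": LAMBDA_ROLE}}}}

def assume_event(invoked_by, principal_type, ip):  # constructed sts:AssumeRole record
    return {"eventName": "AssumeRole", "sourceIPAddress": ip,
            "requestParameters": {"roleArn": LAMBDA_ROLE},
            "userIdentity": {"type": principal_type, "invokedBy": invoked_by}}

SAMPLE = [
    assume_event("lambda.amazonaws.com", "AWSService", "lambda.amazonaws.com"),
    session_event("PutItem", "10.1.2.3", "ASIAEXAMPLE0000000001"),
    session_event("GetCallerIdentity", "203.0.113.50", "ASIAEXAMPLE0000000001"),
    session_event("ListBuckets", "203.0.113.50", "ASIAEXAMPLE0000000001"),
    assume_event(None, "IAMUser", "203.0.113.77"),
]

def is_external(ip):
    """True when the source is an IP address outside every trusted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # service names such as lambda.amazonaws.com
        return False
    return not any(addr in net for net in TRUSTED_NETS)

def triage(events):
    """Return (external calls per access key, AssumeRole calls not made by Lambda)."""
    external, foreign = defaultdict(list), []
    for e in events:
        ident = e["userIdentity"]
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
        if ident["type"] == "AssumedRole" and issuer == LAMBDA_ROLE:
            if is_external(e["sourceIPAddress"]):
                external[ident["accessKeyId"]].append((e["eventName"], e["sourceIPAddress"]))
        elif (e["eventName"] == "AssumeRole"
              and e.get("requestParameters", {}).get("roleArn") == LAMBDA_ROLE
              and ident.get("invokedBy") != "lambda.amazonaws.com"):
            foreign.append((ident["type"], e["sourceIPAddress"]))
    return dict(external), foreign

print(triage(SAMPLE))
```

The first result groups every external API call by access key, and the second lists principals other than the Lambda service that assumed the role.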
Variations
Remote command line usage of AWS Lambda's token
Suspicious usage of AWS Lambda's role
Suspicious usage of AWS Lambda's token
Usage of AWS Lambda's token from known ASN