Remote usage of AWS Lambda's role

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2026-03-10

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	7 Days
Required Data	Requires: AWS Audit Log
Detection Modules	Cloud
Detector Tags
ATT&CK Tactic	Credential Access (TA0006) Initial Access (TA0001)
ATT&CK Technique	Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)
Severity	Informational

Description

An AWS Lambda's role was used externally of the cloud environment.

Attacker's Goals

Exfiltrate token and abuse it remotely.

Investigative actions

Check if the IAM role was assumed by an unknown identity.
Check what API calls were executed using the access-key.

Variations

Remote command line usage of AWS Lambda's role

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

High

Description

An AWS Lambda's role was used externally of the cloud environment.

Attacker's Goals

Exfiltrate token and abuse it remotely.

Investigative actions

Check if the IAM role was assumed by an unknown identity.
Check what API calls were executed using the access-key.

Suspicious usage of AWS Lambda's role

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

An AWS Lambda's role was used externally of the cloud environment.

Attacker's Goals

Exfiltrate token and abuse it remotely.

Investigative actions

Check if the IAM role was assumed by an unknown identity.
Check what API calls were executed using the access-key.

Suspicious usage of AWS Lambda's role

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An AWS Lambda's role was used externally of the cloud environment.

Attacker's Goals

Exfiltrate token and abuse it remotely.

Investigative actions

Check if the IAM role was assumed by an unknown identity.
Check what API calls were executed using the access-key.

Suspicious usage of AWS Lambda's role

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

High

Description

An AWS Lambda's role was used externally of the cloud environment.

Attacker's Goals

Exfiltrate token and abuse it remotely.

Investigative actions

Check if the IAM role was assumed by an unknown identity.
Check what API calls were executed using the access-key.

Usage of AWS Lambda's role from a known ASN

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

An AWS Lambda's role was used externally of the cloud environment.

Attacker's Goals

Exfiltrate token and abuse it remotely.

Investigative actions

Check if the IAM role was assumed by an unknown identity.
Check what API calls were executed using the access-key.