Skip to content

AddPermission20150331v2

AWS

AddPermission20150331v2

service: AWS - Lambda
techniques:

Event

Adds a permission to a Lambda function’s resource-based policy, allowing specified principals to invoke the function.

Security Context

  • Adversaries attach overly permissive policies to maintain persistent, elevated access even after initial credentials are rotated.
  • Serverless function invocation can be abused to execute arbitrary code within the cloud environment without provisioning persistent infrastructure.

Log Source

CloudTrail

Sample Event

Adversarial. Draco — operating from a long-term IAM access key — grants the adversary-controlled external account 555666661337 permission to invoke the production OCCAMY log-processor Lambda. Statement ID is innocuous-looking (occamy-cross-account-trigger) so it blends with legitimate cross-account integrations. The adversary can later invoke this Lambda from 555666661337 to run code in the prod account’s network with the function’s execution role’s credentials (T1546 / T1098).

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T19:42:11Z",
"eventSource": "lambda.amazonaws.com",
"eventName": "AddPermission20150331v2",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"functionName": "occamy-log-processor",
"statementId": "occamy-cross-account-trigger",
"action": "lambda:InvokeFunction",
"principal": "555666661337"
},
"responseElements": {
"statement": "{\"Sid\":\"occamy-cross-account-trigger\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::555666661337:root\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-east-1:555123456789:function:occamy-log-processor\"}"
},
"requestID": "90000000-0000-4000-8000-000001100100",
"eventID": "90000000-0000-4000-8000-000001100101",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "lambda.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Persistence Execution

Techniques:
  • T1546 — Event Triggered Execution — Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cl...
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...