UpdateFunctionConfiguration20150331v2

CSP: AWS
Techniques:

Event

Updates Lambda function configuration including environment variables, IAM role, or layers — used to inject credentials or swap execution context.

Security Context

  • Modifying a Lambda function’s configuration can change its execution role to a more privileged one, inject malicious environment variables, or add compromised layers — all without altering the function’s code.
  • Adversaries use configuration updates to implant persistent backdoors by swapping the IAM role for elevated access or injecting layer code that executes alongside the legitimate function on every invocation.
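One way to triage these events is sketched below. It is an added example, not part of the original page, and it flags the three changes described above (execution role, layers, environment variables). The records are constructed, and the `requestParameters` field names are assumed to mirror the Lambda API parameters in lower camel case; the `triage` and `account_of` helpers and the account IDs are hypothetical.

```python
import json

EVENT_NAME = "UpdateFunctionConfiguration20150331v2"  # event name from the page

# Constructed CloudTrail records (not real logs). Field names under
# requestParameters are an assumption, see the lead-in.
SAMPLE_RECORDS = json.loads("""[
 {"eventSource": "lambda.amazonaws.com",
  "eventName": "UpdateFunctionConfiguration20150331v2",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"},
  "requestParameters": {"functionName": "example-fn",
    "role": "arn:aws:iam::111111111111:role/example-admin-role",
    "layers": ["arn:aws:lambda:us-east-1:222222222222:layer:example-layer:1"],
    "environment": {}}},
 {"eventSource": "lambda.amazonaws.com",
  "eventName": "UpdateFunctionConfiguration20150331v2",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:role/example-deploy"},
  "requestParameters": {"functionName": "example-fn", "timeout": 30}},
 {"eventSource": "lambda.amazonaws.com", "eventName": "GetFunction20150331v2",
  "requestParameters": {"functionName": "example-fn"}}
]""")

def account_of(arn):
    """Return the account-id field of an ARN, or '' if it is malformed."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else ""

def triage(record, own_account):
    """Return the security-relevant settings touched by one record."""
    if (record.get("eventSource") != "lambda.amazonaws.com"
            or record.get("eventName") != EVENT_NAME):
        return []
    if record.get("errorCode"):  # failed call: configuration unchanged
        return []
    params = record.get("requestParameters") or {}
    findings = []
    if params.get("role"):  # execution role set in this update
        findings.append("role_set:" + params["role"])
    for layer in params.get("layers") or []:
        # A layer owned by another account deserves closer review.
        tag = "external_layer" if account_of(layer) != own_account else "layer_set"
        findings.append(tag + ":" + layer)
    if "environment" in params:  # key presence only; values are not inspected
        findings.append("environment_changed")
    return findings

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["eventName"], triage(rec, "111111111111"))
```

Routine updates such as a timeout change produce no findings, so the output can feed an alert that compares the new role and layer ARNs against an allowlist.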

Log Source

CloudTrail

Sample Event

MITRE ATT&CK Mapping

Tactics: Persistence, Execution

Techniques:
  • T1525 — Implant Internal Image — Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker ...
  • T1059 — Command and Scripting Interpreter — Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.