New AWS Lambda Function URL Configuration Created

Rule Info

Name
New AWS Lambda Function URL Configuration Created
Author
Ivan Saakov
Description
Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls. This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
Reference
https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunctionUrlConfig.html
Date
2024-12-19 00:00:00
Modified
None
Id
ec541962-c05a-4420-b9ea-84de072d18f4
Tags
attack.initial-access attack.privilege-escalation
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=ec541962-c05a-4420-b9ea-84de072d18f4

Rule History

Author
Title
Date
Commit
Ivan S
Merge PR #5016 from @saakovv - Add `New AWS Lambda Function URL Configuration Created`
2024-12-19
aec72e101
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022