Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detect when an AWS Lambda function resource-based policy is modified by an IAM user. An attacker might modify an AWS Lambda function’s resource-based policy in order to maintain persistence or allow its invocation from an external account.

Strategy

This rule lets you monitor the AddPermission CloudTrail API call to detect when an AWS Lambda Function’s resource-based policy is modified.

Triage and response

1. Determine whether the IAM user: {{@userIdentity.arn}} is expected to update the Lambda function within the @requestParameters.functionName attribute.
2. Investigate the {{@responseElements.statement}} attribute for policy modification details.
3. If the action is legitimate, consider including the user in a suppression list. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.
4. If the action shouldn’t have happened:
   • Contact the user: {{@userIdentity.arn}} and see if they made the API call.
   • Use the Cloud SIEM - User Investigation dashboard to see if the user {{@userIdentity.arn}} has taken other actions.
   • Use the Cloud SIEM - IP Investigation dashboard to see if there’s more traffic from the IP {{@network.client.ip}}.
5. If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process as well as an investigation.