Reference
1. List All Lambda Functions
Shows names, runtimes, ARNs, and last modified dates.
1
| aws lambda list-functions --region [region]
|
2. Get Detailed Info on a Function
a. Get full function config (IAM role, runtime, env vars, etc.)
1
| aws lambda get-function-configuration --function-name [function-name]
|
b. Get code download URL + deployment details
Returns a pre-signed S3 URL to download the function code.
1
| aws lambda get-function --function-name [function-name]
|
3. Check Invocation Access
a. Who/what can invoke the function (resource-based policy)?
Look for “Principal”: “*” or cross-account permissions.
1
| aws lambda get-policy --function-name [function-name]
|
4. Identify Triggers / Event Sources
a. For async event sources like SQS, DynamoDB, Kinesis:
1
| aws lambda list-event-source-mappings --function-name [function-name]
|
b. For function URLs (direct HTTP endpoints)
If AuthType is NONE, it may be publicly invokable!
1
| aws lambda get-function-url-config --function-name [function-name]
|
5. Invoke the Function (if allowed)
1
2
3
4
| aws lambda invoke --function-name [function-name] output.json
# Add --payload if the function expects input:
--payload '{"key": "value"}'
|
6. Investigate Attached IAM Role
a. Get the role name from get-function-configuration. Then enumerate:
Look for overly permissive actions (*, PassRole, SecretsManager, etc.)
1
2
3
| aws iam get-role --role-name [role-name]
aws iam list-attached-role-policies --role-name [role-name]
aws iam list-role-policies --role-name [role-name]
|
7. Modify or Replace the Function (if you have perms)
a. Update function code
1
| aws lambda update-function-code --function-name [function-name] --zip-file fileb://payload.zip
|
b. Update configuration (e.g., env variables)
Useful for persistence, exfil, or command injection if roles are over-permissioned.
1
| aws lambda update-function-configuration --function-name [function-name] --environment "Variables={VAR=value}"
|