AWS Lambda function modified by IAM user

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when a IAM user modifies an AWS Lambda function. An attacker might modify a lambda function in order to maintain persistence or exfiltrate data being processed at runtime within an AWS environment.

Strategy

This rule lets you monitor the UpdateFunctionCode CloudTrail API call to detect when an AWS Lambda Function is modified.

Triage and response

  1. Determine whether the IAM user: {{@userIdentity.arn}} is expected to update the Lambda function within the @requestParameters.functionName attribute.
  2. If the action is legitimate, consider including the user in a suppression list. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.
  3. If the action shouldn’t have happened:
    • Contact the user: {{@userIdentity.arn}} and see if they made the API call.
    • Use the Cloud SIEM - User Investigation dashboard to see if the user {{@userIdentity.arn}} has taken other actions.
    • Use the Cloud SIEM - IP Investigation dashboard to see if there’s more traffic from the IP {{@network.client.ip}}.
  4. If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process as well as an investigation.
PREVIEWING: Cyril-Bouchiat/add-vm-package-explorer-doc