Lambda function exploitation targets serverless compute functions in AWS to achieve code execution, data exfiltration, privilege escalation, or lateral movement within cloud environments. As organizations adopt serverless architectures, Lambda functions become a significant and often under-assessed attack surface.
Lambda exploitation targets multiple vectors. Event injection exploits the data sources that trigger Lambda functions: malicious payloads in S3 object keys, API Gateway requests, SNS messages, or DynamoDB stream records reach function code that passes them unvalidated into shell commands, queries, or file paths. Overprivileged execution roles allow attackers who compromise a function to access resources far beyond what the function requires. Environment variable exposure can leak secrets, API keys, and database credentials stored in plaintext; any principal with lambda:GetFunctionConfiguration can read them, and they tend to surface in stack traces and logs. Dependency confusion attacks target the function deployment pipeline by publishing public packages whose names match internal libraries, so that a misconfigured build pulls the attacker's version. The /tmp directory persists between invocations that reuse a warm execution environment, enabling data persistence and cross-invocation attacks. Attackers can also modify function code or configuration if they gain lambda:UpdateFunctionCode or lambda:UpdateFunctionConfiguration permissions; the latter also rewrites environment variables, layers, and the handler.
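The event-injection vector above, as an added example that is not part of the original page or of any CDA course material. A constructed S3 ObjectCreated event carries an attacker-chosen object key; the vulnerable handler splices the decoded key into a shell command string, while the hardened handler allowlists the key and passes it as an argv element without a shell. The bucket name, file names, and scratch directory are made up, `ls -l` stands in for whatever tool the real function would run on the downloaded object, and the temporary directory stands in for the function's /tmp.

```python
import os
import re
import subprocess
import tempfile
from urllib.parse import quote_plus, unquote_plus


def make_s3_event(key: str) -> dict:
    """Constructed S3 ObjectCreated event, trimmed to the fields the handlers read.
    S3 URL-encodes the key inside the event, so ';' and spaces arrive as '%3B' and '+'."""
    return {
        "Records": [
            {
                "eventSource": "aws:s3",
                "eventName": "ObjectCreated:Put",
                "s3": {
                    "bucket": {"name": "uploads-example"},  # hypothetical bucket
                    "object": {"key": quote_plus(key)},
                },
            }
        ]
    }


def vulnerable_handler(event, context=None, base_dir="/tmp"):
    """Event injection: the decoded object key is spliced into a shell command string."""
    key = unquote_plus(event["Records"][0]["s3"]["object"]["key"])
    cmd = f"ls -l {base_dir}/{key}"  # attacker controls everything after 'ls -l'
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return {"cmd": cmd, "stdout": proc.stdout, "stderr": proc.stderr}


# Allowlist for keys this function will process: a flat filename with no slashes,
# no shell metacharacters and no leading dot. Tighten to the real naming scheme.
SAFE_KEY = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def hardened_handler(event, context=None, base_dir="/tmp"):
    """Same job, but the key is validated and passed as an argv element, never to a shell."""
    key = unquote_plus(event["Records"][0]["s3"]["object"]["key"])
    if not SAFE_KEY.fullmatch(key):
        raise ValueError(f"rejected object key {key!r}")
    path = os.path.join(base_dir, key)
    proc = subprocess.run(["ls", "-l", path], capture_output=True, text=True)
    return {"argv": ["ls", "-l", path], "stdout": proc.stdout, "stderr": proc.stderr}


def demo() -> dict:
    """Run both handlers against a benign and a malicious key inside a scratch
    directory standing in for the function's /tmp."""
    with tempfile.TemporaryDirectory() as scratch:
        with open(os.path.join(scratch, "report.csv"), "w") as fh:
            fh.write("id,total\n1,42\n")
        benign = make_s3_event("report.csv")
        malicious = make_s3_event("report.csv; echo INJECTED")

        vuln = vulnerable_handler(malicious, base_dir=scratch)
        try:
            hardened_handler(malicious, base_dir=scratch)
            blocked = False
        except ValueError:
            blocked = True
        ok = hardened_handler(benign, base_dir=scratch)
        return {
            "injected": "INJECTED" in vuln["stdout"],        # shell ran the injected command
            "blocked": blocked,                              # allowlist rejected the key
            "benign_processed": "report.csv" in ok["stdout"],
        }


if __name__ == "__main__":
    print(demo())
```

Note that the allowlist check happens after URL-decoding: validating the encoded key would let `%3B` or `%2F` through and leave the injection reachable once the function decodes it.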
Serverless functions process sensitive data, connect to databases, and interact with other cloud services. Their event-driven nature means they accept input from diverse, sometimes untrusted sources. Lambda's ephemeral execution model creates a false sense of security: organizations assume a short-lived invocation limits what an attacker can do. In reality, a compromised function can reach any resource its execution role permits within a single invocation, and the role's temporary credentials, exposed to the function as environment variables, outlive the invocation and can be used from outside the function until they expire.
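A static check for the overprivileged-role problem discussed above, as an added example that is not part of the original page or of any CDA material. It audits an execution-role policy document for wildcard actions, wildcard resources, and actions that let a compromised function rewrite its own code or configuration or escalate through its role. The policy, bucket, secret name, and account ID are constructed for illustration; the set of flagged actions is a starting point, not a complete list.

```python
import fnmatch

# Constructed execution-role policy (made-up account id, bucket and secret names).
EXAMPLE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::uploads-example/*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/db-*"},
    ],
}

# Actions that let a compromised function rewrite code or configuration
# (including environment variables) or escalate through IAM. Illustrative subset.
MODIFY_OR_ESCALATE = (
    "lambda:UpdateFunctionCode",
    "lambda:UpdateFunctionConfiguration",
    "lambda:CreateFunction",
    "lambda:AddPermission",
    "iam:PassRole",
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy",
)


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_role_policy(policy: dict) -> list:
    """Return (statement_index, finding, detail) tuples for risky Allow statements.
    IAM action names are case-insensitive and support '*' globbing, so each
    policy action is treated as a lower-cased fnmatch pattern."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "wildcard-action", action))
            for risky in MODIFY_OR_ESCALATE:
                if fnmatch.fnmatchcase(risky.lower(), action.lower()):
                    findings.append((idx, "self-modify-or-escalate", risky))
        if "*" in resources:
            findings.append((idx, "wildcard-resource", ", ".join(actions)))
    return findings


def summarize(policy: dict) -> dict:
    """Count findings per category, e.g. for a CI gate on role policies."""
    counts = {}
    for _, kind, _ in audit_role_policy(policy):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for idx, kind, detail in audit_role_policy(EXAMPLE_ROLE_POLICY):
        print(f"statement[{idx}] {kind}: {detail}")
```

In the constructed policy only the first and last statements survive the audit: the function needs s3:GetObject on one bucket and one secret, and everything else is the overprivilege and self-modification exposure described above. Run the same check against the policy documents pulled from a real account with `iam:GetRolePolicy` or `iam:GetPolicyVersion` before assuming a function's blast radius is small.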
CDA covers Lambda exploitation within the VSD domain as part of cloud-native security assessment. Theater missions include serverless application testing scenarios. Our approach emphasizes that serverless does not mean security-less, and that IAM governance for function roles is the primary control point.