From 9c6f1cc3ff776b0c6f7334f84825cd535e61a867 Mon Sep 17 00:00:00 2001
From: bryans3c
Date: Thu, 18 Jun 2026 10:36:49 +0200
Subject: [PATCH 1/7] [New Rule] AWS Lambda Function Invoked Cross-Account
---
 ...lambda_function_invoked_cross_account.toml | 145 ++++++++++++++++++
 1 file changed, 145 insertions(+)
 create mode 100644 rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml
diff --git a/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml b/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml
new file mode 100644
index 00000000000..caf58f3f754
--- /dev/null
+++ b/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml
@@ -0,0 +1,145 @@ +[metadata] +creation_date = "2026/06/18" +integration = ["aws"] +maturity = "production" +updated_date = "2026/06/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies an AWS Lambda function invoked by a principal whose AWS account differs from the account that owns the +function (a cross-account invocation). The caller's account is parsed from the invoking principal's ARN and compared to +the function account. Adversaries who have been granted invoke permission on a function from an external account, or who +operate from a separate attacker-controlled account, can use cross-account invocation to execute functions or retrieve +the data they return. This is the data-plane counterpart to detecting the cross-account grant itself, and relies on AWS +Lambda data event logging, which is not enabled by default. +""" +false_positives = [ + """ + Multi-account architectures and partner integrations legitimately invoke functions across account boundaries. Verify + the caller account, the principal in `aws.cloudtrail.user_identity.arn`, and the function against approved + cross-account access, and exclude known trusted accounts or identities after validation. + """, +] +from = "now-60m" +interval = "60m" +language = "esql" +license = "Elastic License v2" +name = "AWS Lambda Function Invoked Cross-Account" +note = """## Triage and analysis + +### Investigating AWS Lambda Function Invoked Cross-Account + +A Lambda function invoked by a principal from a different AWS account indicates cross-account invocation - the data-plane +realization of a cross-account resource-policy grant. CloudTrail data events record the invoking principal's ARN (which +contains the caller's account) and the function's owning account. When these differ, an external account executed the +function. This can be a legitimate multi-account integration or an adversary using granted or attacker-controlled +cross-account access. 
+ +#### Possible investigation steps + +- Review `Esql.caller_account` (the invoking principal's account) versus `Esql.function_account` (the invoked + function's owning account) and confirm whether the caller account is a known, trusted account. +- Identify the principal in `aws.cloudtrail.user_identity.arn` and the functions invoked (`Esql.functions`). +- Determine whether a corresponding `AddPermission` cross-account grant exists for the function and whether it was + expected (correlate with the cross-account resource-policy rule). +- Review `Esql.source_ips` and recent activity from the caller account for other cross-account actions. + +### False positive analysis + +- Cross-account invocation is common in multi-account architectures and partner integrations. Confirm the caller account + is approved and exclude known trusted accounts or identities after validation. + +### Response and remediation + +- If the cross-account access is unauthorized, remove the function's cross-account resource-policy statement + (`RemovePermission`) and review what the function accessed or returned. +- Constrain `lambda:InvokeFunction` grants to approved accounts and review the function's execution-role permissions. + +### Additional information + +- [Lambda resource-based policies](https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html) +- [Logging Lambda data events with CloudTrail](https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html) +""" +references = [ + "https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html", + "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html", +] +risk_score = 47 +rule_id = "49002bbe-7aea-4146-91eb-b2b683bf5ed5" +setup = """## Setup + +This rule requires AWS Lambda data events to be logged in CloudTrail and ingested via the AWS integration. 
Lambda +invocation (`Invoke`) is a data-plane event and is NOT logged by default; enable data event logging for Lambda functions +in the trail (optionally scoped to sensitive functions to manage volume). +""" +severity = "medium" +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Lambda", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "esql" + +query = ''' +from logs-aws.cloudtrail-* + +| where + event.provider == "lambda.amazonaws.com" + and event.action like "Invoke*" + and event.outcome == "success" + and aws.cloudtrail.user_identity.arn IS NOT NULL + and aws.cloudtrail.user_identity.invoked_by IS NULL + and aws.cloudtrail.request_parameters IS NOT NULL + +| grok aws.cloudtrail.user_identity.arn """:(?[0-9]{12}):""" +| grok aws.cloudtrail.request_parameters """functionName=arn:aws:lambda:[a-z0-9-]*:(?[0-9]{12}):""" + +| where Esql.caller_account IS NOT NULL and Esql.function_account IS NOT NULL and Esql.caller_account != Esql.function_account + +| stats + Esql.invocation_count = count(*), + Esql.source_ips = values(source.ip) + by + aws.cloudtrail.user_identity.arn, + Esql.caller_account, + Esql.function_account + +| keep + aws.cloudtrail.user_identity.arn, + Esql.caller_account, + Esql.function_account, + Esql.invocation_count, + Esql.source_ips + +| sort Esql.invocation_count desc +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1648" +name = "Serverless Execution" +reference = "https://attack.mitre.org/techniques/T1648/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[rule.investigation_fields] +field_names = [ + "aws.cloudtrail.user_identity.arn", + "Esql.caller_account", + "Esql.function_account", + "Esql.invocation_count", + "Esql.source_ips", +] + 
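Review bot: The `functionName` grok on the new side only matches the full `arn:aws:lambda:` form, so cross-account invocations that use the partial-ARN form Lambda accepts for this parameter (`123456789012:function:name`) or that target the `aws-cn` / `aws-us-gov` partitions leave `Esql.function_account` null and are discarded by the next `where`; `| grok aws.cloudtrail.request_parameters """functionName=(?:arn:aws[a-z-]*:lambda:[a-z0-9-]*:)?(?<Esql.function_account>[0-9]{12}):"""` covers both cases. The capture-group names are not visible in this rendering of either grok line; if the committed file also lacks them, neither `Esql.caller_account` nor `Esql.function_account` is ever populated and the rule can never fire, so it is worth checking the file itself. The `aws.cloudtrail.user_identity.invoked_by IS NULL` filter presumably excludes service-initiated invocations on purpose, which is a scoping decision whoever tunes the rule should see stated; an ES|QL comment above it such as `// direct principal invocations only; service-triggered invokes carry invoked_by` would make it explicit.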
From 6b18f4305da2427ff5673e4361c6f43d371f7cf4 Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Thu, 18 Jun 2026 15:41:09 +0200
Subject: [PATCH 2/7] Update execution_lambda_function_invoked_cross_account.toml
---
 ..._lambda_function_invoked_cross_account.toml | 18 +++++------------
 1 file changed, 5 insertions(+), 13 deletions(-)
diff --git a/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml b/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml
index caf58f3f754..3542d5bda90 100644
--- a/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml
+++ b/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml
@@ -30,30 +30,22 @@ note = """## Triage and analysis ### Investigating AWS Lambda Function Invoked Cross-Account -A Lambda function invoked by a principal from a different AWS account indicates cross-account invocation - the data-plane -realization of a cross-account resource-policy grant. CloudTrail data events record the invoking principal's ARN (which -contains the caller's account) and the function's owning account. When these differ, an external account executed the -function. This can be a legitimate multi-account integration or an adversary using granted or attacker-controlled -cross-account access. +A Lambda function invoked by a principal from a different AWS account indicates cross-account invocation - the data-plane realization of a cross-account resource-policy grant. CloudTrail data events record the invoking principal's ARN (which contains the caller's account) and the function's owning account. When these differ, an external account executed the function. This can be a legitimate multi-account integration or an adversary using granted or attacker-controlled cross-account access. #### Possible investigation steps -- Review `Esql.caller_account` (the invoking principal's account) versus `Esql.function_account` (the invoked - function's owning account) and confirm whether the caller account is a known, trusted account. +- Review `Esql.caller_account` (the invoking principal's account) versus `Esql.function_account` (the invoked function's owning account) and confirm whether the caller account is a known, trusted account. - Identify the principal in `aws.cloudtrail.user_identity.arn` and the functions invoked (`Esql.functions`). -- Determine whether a corresponding `AddPermission` cross-account grant exists for the function and whether it was - expected (correlate with the cross-account resource-policy rule). 
+- Determine whether a corresponding `AddPermission` cross-account grant exists for the function and whether it was expected (correlate with the cross-account resource-policy rule). - Review `Esql.source_ips` and recent activity from the caller account for other cross-account actions. ### False positive analysis -- Cross-account invocation is common in multi-account architectures and partner integrations. Confirm the caller account - is approved and exclude known trusted accounts or identities after validation. +- Cross-account invocation is common in multi-account architectures and partner integrations. Confirm the caller account is approved and exclude known trusted accounts or identities after validation. ### Response and remediation -- If the cross-account access is unauthorized, remove the function's cross-account resource-policy statement - (`RemovePermission`) and review what the function accessed or returned. +- If the cross-account access is unauthorized, remove the function's cross-account resource-policy statement (`RemovePermission`) and review what the function accessed or returned. - Constrain `lambda:InvokeFunction` grants to approved accounts and review the function's execution-role permissions. ### Additional information From 0b9b70a40cd64a46360e58dc82f003d52c43eeca Mon Sep 17 00:00:00 2001 From: Bryan Porras Date: Fri, 19 Jun 2026 15:09:49 +0200 Subject: [PATCH 3/7] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .../aws/execution_lambda_function_invoked_cross_account.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml b/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml index 3542d5bda90..e18801dce38 100644 --- a/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml 
+++ b/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml @@ -35,7 +35,7 @@ A Lambda function invoked by a principal from a different AWS account indicates #### Possible investigation steps - Review `Esql.caller_account` (the invoking principal's account) versus `Esql.function_account` (the invoked function's owning account) and confirm whether the caller account is a known, trusted account. -- Identify the principal in `aws.cloudtrail.user_identity.arn` and the functions invoked (`Esql.functions`). +- Identify the principal in `aws.cloudtrail.user_identity.arn` and pivot to the raw CloudTrail events (for the same principal/time window) to identify the invoked function(s) in `aws.cloudtrail.request_parameters`. - Determine whether a corresponding `AddPermission` cross-account grant exists for the function and whether it was expected (correlate with the cross-account resource-policy rule). - Review `Esql.source_ips` and recent activity from the caller account for other cross-account actions. From 7f0ed74311c25093da61ba1cdf0fa5115c24c98d Mon Sep 17 00:00:00 2001 From: Bryan Porras Date: Mon, 22 Jun 2026 09:56:17 +0200 Subject: [PATCH 4/7] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .../aws/execution_lambda_function_invoked_cross_account.toml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml b/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml index e18801dce38..2df4169e143 100644 --- a/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml +++ b/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml 
@@ -96,7 +96,8 @@ from logs-aws.cloudtrail-* | stats Esql.invocation_count = count(*), - Esql.source_ips = values(source.ip) + Esql.source_ips = values(source.ip), + Esql.function_arns = values(aws.cloudtrail.resources.arn) by aws.cloudtrail.user_identity.arn, Esql.caller_account, @@ -106,6 +107,7 @@ from logs-aws.cloudtrail-* aws.cloudtrail.user_identity.arn, Esql.caller_account, Esql.function_account, + Esql.function_arns, Esql.invocation_count, Esql.source_ips From 1ae21d3de040a9425bb14e44f15bc12aa5fbbec8 Mon Sep 17 00:00:00 2001 From: Bryan Porras Date: Mon, 22 Jun 2026 09:56:42 +0200 Subject: [PATCH 5/7] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .../aws/execution_lambda_function_invoked_cross_account.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml b/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml index 2df4169e143..7821e977d9d 100644 --- a/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml +++ b/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml @@ -133,6 +133,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "Esql.caller_account", "Esql.function_account", + "Esql.function_arns", "Esql.invocation_count", "Esql.source_ips", ] From feefbc2a71d7890adeec17248da2106db7cea534 Mon Sep 17 00:00:00 2001 From: Bryan Porras Date: Thu, 25 Jun 2026 15:57:14 +0200 Subject: [PATCH 6/7] Update rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> --- .../aws/execution_lambda_function_invoked_cross_account.toml | 1 - 1 file changed, 1 deletion(-) 
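Review bot: After this hunk the query surfaces `Esql.function_arns`, but the investigation step rewritten in patch 3/7 (in the `note` text, outside this hunk) still sends the analyst to pivot to raw CloudTrail events to find the invoked function; it should point at the new column instead, e.g. `- Identify the principal in aws.cloudtrail.user_identity.arn and the invoked function(s) in Esql.function_arns.` The same stale wording is worth fixing wherever the note lists the output columns, since `rule.investigation_fields` (patch 5/7) already advertises the field. Separately, if `aws.cloudtrail.resources.arn` is reliably populated for Lambda `Invoke` data events, the sibling `aws.cloudtrail.resources.account_id` field would give the owning account directly and remove the `request_parameters` grok's dependence on the ARN form of `functionName`; confirm against ingested events before relying on either field.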
diff --git a/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml b/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml index 7821e977d9d..968fea0d3c1 100644 --- a/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml +++ b/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml @@ -111,7 +111,6 @@ from logs-aws.cloudtrail-* Esql.invocation_count, Esql.source_ips -| sort Esql.invocation_count desc ''' From 4a121dee21222e217060f828a8366b676779c8b5 Mon Sep 17 00:00:00 2001 From: Bryan Porras Date: Thu, 25 Jun 2026 15:57:21 +0200 Subject: [PATCH 7/7] Update rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> --- .../aws/execution_lambda_function_invoked_cross_account.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml b/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml index 968fea0d3c1..737e68162ef 100644 --- a/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml +++ b/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml @@ -21,7 +21,7 @@ false_positives = [ cross-account access, and exclude known trusted accounts or identities after validation. """, ] -from = "now-60m" +from = "now-61m" interval = "60m" language = "esql" license = "Elastic License v2"