
AWS S3 job with unexpected Lambda function

ID: aws_s3_job_invoke_lambda
Data type: AWS CloudTrail
Severity: Medium
MITRE ATT&CK: TA0002 (Execution) / T1648 (Serverless Execution)

Description

AlphaSOC detected the creation of an AWS S3 Batch Operations job whose operation is LambdaInvoke, that is, a job that calls a Lambda function once for every object listed in its manifest (recorded in CloudTrail as an S3 CreateJob event). This is a supported feature for bulk data processing: the job runs under the IAM role named in the request, which must be allowed to invoke the function, and the function then runs with its own execution role against each object. An attacker who can create batch jobs and invoke (or modify) a Lambda function can therefore execute arbitrary code against every object in a bucket at scale, potentially to exfiltrate, modify, or destroy data in bulk using serverless compute.

Impact

An S3 Batch Operations job can invoke a Lambda function for millions of objects with no further interaction, so a single CreateJob call is enough to run attacker-controlled code against every object in a bucket. That code could encrypt objects for ransomware, forward their contents to an external endpoint, or inject malicious content into stored files. Attribution is harder than for direct S3 access: CloudTrail ties the CreateJob call to the principal that submitted it, but the per-object reads and writes are performed by the Lambda function's execution role, spread across short-lived parallel invocations. The result can be rapid, large-scale impact from one action.

Severity

Severity    Condition
Medium      S3 Batch Operations job invoking a Lambda function that is not an expected or approved target

Investigation and Remediation

Retrieve the job with DescribeJob (aws s3control describe-job) and note the Lambda function ARN, the IAM role the job runs as, the manifest location (the list of objects to be processed), and the job's current status and progress. Identify the principal that created the job from the userIdentity of the corresponding CloudTrail CreateJob event, and confirm with the owning team that both the job and the function are expected; a function ARN in a different account is a strong indicator of abuse. Inspect the function's current code and configuration (GetFunction), recent UpdateFunctionCode events in CloudTrail, its execution role policies and its resource-based policy, looking for logic that copies, encrypts or alters objects or reaches external endpoints. Check the function's CloudWatch Logs, S3 data events or server access logs for the target bucket, and the job's completion report (if one was configured) for evidence of exfiltration or modification. If the job is unauthorized, cancel it with UpdateJobStatus (requested status Cancelled) so that no further objects are processed, then determine which objects were already handled. Finally, audit who holds s3:CreateJob and lambda:InvokeFunction (and who can change the function's code through lambda:UpdateFunctionCode), and restrict these permissions to the principals and functions that legitimately need them.
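As an added example that is not part of the AlphaSOC page or product, the following Python walks the triage above over constructed CloudTrail records: it pulls the Lambda function ARN, job role, manifest and creating principal out of each CreateJob event whose operation is LambdaInvoke, flags functions that are not on a hypothetical allowlist or that belong to another account, and shows the UpdateJobStatus cancellation call with the client injected so it can be exercised offline. The field names in the sample records approximate CloudTrail's requestParameters for CreateJob and are assumptions, as are the ARNs, account IDs and the EXPECTED_FUNCTIONS allowlist.

```python
"""Triage CloudTrail CreateJob events for S3 Batch Operations jobs that invoke Lambda.

Added example for this detection page; it is not AlphaSOC code. Assumptions:
the record shape for the s3.amazonaws.com CreateJob event is a hand-built
approximation of CloudTrail output, and EXPECTED_FUNCTIONS is a hypothetical
allowlist of Lambda ARNs approved as batch-job targets.
"""

# Hypothetical allowlist of Lambda functions approved as batch-job targets.
EXPECTED_FUNCTIONS = {
    "arn:aws:lambda:us-east-1:111122223333:function:thumbnail-generator",
}

# Constructed sample records (not real CloudTrail logs); only the fields used
# below are populated.
SAMPLE_EVENTS = [
    {   # Expected: a known function, created by the data-pipeline user.
        "eventSource": "s3.amazonaws.com", "eventName": "CreateJob",
        "recipientAccountId": "111122223333",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/data-pipeline"},
        "requestParameters": {
            "operation": {"lambdaInvoke": {"functionArn":
                "arn:aws:lambda:us-east-1:111122223333:function:thumbnail-generator"}},
            "roleArn": "arn:aws:iam::111122223333:role/batch-ops-role",
            "manifest": {"location": {"objectArn": "arn:aws:s3:::images/manifest.csv"}},
        },
        "responseElements": {"jobId": "11111111-1111-4111-8111-111111111111"},
    },
    {   # Suspicious: unknown function in another account, from an assumed role.
        "eventSource": "s3.amazonaws.com", "eventName": "CreateJob",
        "recipientAccountId": "111122223333",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DevAdmin/contractor"},
        "requestParameters": {
            "operation": {"lambdaInvoke": {"functionArn":
                "arn:aws:lambda:us-east-1:999999999999:function:exfil-copy"}},
            "roleArn": "arn:aws:iam::111122223333:role/batch-ops-role",
            "manifest": {"location": {"objectArn": "arn:aws:s3:::customer-data/manifest.csv"}},
        },
        "responseElements": {"jobId": "22222222-2222-4222-8222-222222222222"},
    },
    {   # Same API, different operation (object copy): not a Lambda job, ignored.
        "eventSource": "s3.amazonaws.com", "eventName": "CreateJob",
        "recipientAccountId": "111122223333",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup"},
        "requestParameters": {"operation": {"s3PutObjectCopy": {
            "targetResource": "arn:aws:s3:::backups"}}},
        "responseElements": {"jobId": "33333333-3333-4333-8333-333333333333"},
    },
]


def lambda_invoke_jobs(events):
    """Extract, for every CreateJob event with a LambdaInvoke operation, the
    fields an analyst needs: creator, function, job role and manifest."""
    jobs = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "CreateJob":
            continue
        params = ev.get("requestParameters") or {}
        invoke = (params.get("operation") or {}).get("lambdaInvoke")
        if not invoke:
            continue
        manifest = (params.get("manifest") or {}).get("location") or {}
        jobs.append({
            "job_id": (ev.get("responseElements") or {}).get("jobId"),
            "account": ev.get("recipientAccountId"),
            "principal": (ev.get("userIdentity") or {}).get("arn"),
            "function_arn": invoke.get("functionArn"),
            "job_role": params.get("roleArn"),
            "manifest": manifest.get("objectArn"),
        })
    return jobs


def triage(events, expected=EXPECTED_FUNCTIONS):
    """Return the Lambda-invoking jobs worth investigating, with reasons: the
    function is not allowlisted, or it belongs to an account other than the
    one the job was created in (a simple way to push data out)."""
    findings = []
    for job in lambda_invoke_jobs(events):
        reasons = []
        arn = job["function_arn"] or ""
        if arn not in expected:
            reasons.append("function not in allowlist")
        parts = arn.split(":")  # arn:partition:service:region:account:resource
        if len(parts) > 4 and parts[4] != job["account"]:
            reasons.append("function owned by another account")
        if reasons:
            findings.append({**job, "reasons": reasons})
    return findings


def cancel_job(s3control, account_id, job_id, reason="Unapproved Lambda target"):
    """Cancel a job through the S3 Control UpdateJobStatus API. The client
    (e.g. boto3.client("s3control")) is passed in so the call can be
    exercised offline with a stand-in object."""
    return s3control.update_job_status(
        AccountId=account_id, JobId=job_id,
        RequestedJobStatus="Cancelled", StatusUpdateReason=reason)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"job {f['job_id']} by {f['principal']} -> {f['function_arn']}: "
              + "; ".join(f["reasons"]))
        print(f"  job role {f['job_role']}, manifest {f['manifest']}")
```

Run against a real trail export, feed the parsed records list to triage() and pass a boto3 s3control client to cancel_job() for any confirmed finding; the CLI equivalents are aws s3control describe-job and aws s3control update-job-status --requested-job-status Cancelled, both of which take --account-id and --job-id.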