AWS Lambda Function Code and Configuration
Cloud & SaaS, Cloud Infrastructure, AWS, AWS Lambda, Serverless, Cloud Control Plane
Location
Lambda function code (downloadable via `get-function`), function configuration (environment variables, layers, execution role, triggers)
Description
The deployed function package (code and any layers) plus all configuration: environment variables, attached IAM execution role, event source mappings, reserved concurrency, VPC attachment. Represents what actually ran, separate from what was intended to run.
Forensic Value
Attackers frequently modify Lambda code (UpdateFunctionCode) or environment (UpdateFunctionConfiguration) as a persistence mechanism. Downloading the current deployed package and diffing against the expected CI/CD build identifies malicious drift. Environment variables often carry secrets worth rotating.
Tools Required
- AWS CLI
- skopeo (for container Lambdas)
- diff
Collection Commands
AWS CLI
aws lambda get-function --function-name <function> > function_meta.json; curl -o function_code.zip "$(jq -r .Code.Location function_meta.json)"
AWS CLI (layers)
aws lambda list-layer-versions --layer-name <layer> > layers.json
AWS CLI (event sources)
aws lambda list-event-source-mappings --function-name <function> > event_sources.json
Collection Constraints
- Download URL from GetFunction is time-limited; fetch immediately after the call
- Container-image Lambdas require ECR access, not the zip download path
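
Added example (not part of the original entry): a Python sketch of the drift check described under Forensic Value, comparing a downloaded zip package with the expected CI/CD build both by the `Configuration.CodeSha256` value that `get-function` returns and file by file. The sample packages and metadata are constructed in memory, and the function names are hypothetical.

```python
import base64
import hashlib
import io
import json
import zipfile

def code_sha256(package_bytes):
    """Base64 SHA-256 of a zip package, the encoding Lambda uses for CodeSha256."""
    return base64.b64encode(hashlib.sha256(package_bytes).digest()).decode()

def member_hashes(package_bytes):
    """Map each file in the zip to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def drift_report(function_meta, deployed_bytes, expected_bytes):
    """Compare the downloaded package with the expected CI/CD build."""
    reported = function_meta["Configuration"]["CodeSha256"]
    deployed = member_hashes(deployed_bytes)
    expected = member_hashes(expected_bytes)
    return {
        # False here means the download is not the package Lambda reports.
        "download_matches_metadata": code_sha256(deployed_bytes) == reported,
        # Can be False for a clean rebuild (zip timestamps); check file diffs.
        "package_matches_build": code_sha256(expected_bytes) == reported,
        "added": sorted(set(deployed) - set(expected)),
        "removed": sorted(set(expected) - set(deployed)),
        "modified": sorted(n for n in deployed.keys() & expected.keys()
                           if deployed[n] != expected[n]),
    }

def make_zip(files):
    """Build an in-memory zip from {name: text}; used only for the sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: the expected build, and a deployed package that drifted.
EXPECTED = make_zip({"handler.py": "def handler(e, c):\n    return 'ok'\n",
                     "util.py": "X = 1\n"})
DEPLOYED = make_zip({"handler.py": "import extra\ndef handler(e, c):\n    return 'ok'\n",
                     "util.py": "X = 1\n", "extra.py": "pass\n"})
META = {"Configuration": {"CodeSha256": code_sha256(DEPLOYED)}}

if __name__ == "__main__":
    print(json.dumps(drift_report(META, DEPLOYED, EXPECTED), indent=2))
```

On a real collection, pass the parsed `function_meta.json` and the bytes of `function_code.zip` from the commands above, plus the bytes of the build artifact from the pipeline.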
MITRE ATT&CK Techniques
- T1648
- T1098.003
- T1546