Remediating a potentially compromised Lambda function
When GuardDuty generates Lambda Protection finding types, your Lambda function may be compromised. If the activity that caused GuardDuty to generate this finding was expected, you can consider using Suppression rules. We recommend completing the following steps to remediate a compromised Lambda function:
To remediate Lambda Protection findings

- Identify the potentially compromised Lambda function version.
  A GuardDuty finding for Lambda Protection provides the name, Amazon Resource Name (ARN), function version, and revision ID associated with the Lambda function listed in the finding details.
- Identify the source of the potentially suspicious activity.
  - Review the code associated with the Lambda function version involved in the finding.
  - Review the imported libraries and layers of the Lambda function version involved in the finding.
  - If you have enabled Scanning AWS Lambda functions with Amazon Inspector, review the Amazon Inspector findings associated with the Lambda function involved in the finding.
  - Review the AWS CloudTrail logs to identify the principal that caused the function update and ensure that the activity was authorized or expected.
- Remediate the potentially compromised Lambda function.
  - Disable the execution triggers of the Lambda function involved in the finding. For more information, see DeleteFunctionEventInvokeConfig.
  - Review the Lambda code and update the library imports and Lambda function layers to remove the potentially suspicious libraries and layers.
  - Mitigate Amazon Inspector findings related to the Lambda function involved in the finding.
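As an added example (not part of the GuardDuty documentation), the following Python triage helper carries out the first step and the CloudTrail review above on constructed data: it pulls the function name, ARN, version and revision ID out of a finding, then lists Lambda update calls on that function made by principals outside an allow-list you supply. The finding layout (Resource.LambdaDetails), the CloudTrail field names, and the sample ARNs are assumptions made for the example.

```python
"""Triage a GuardDuty Lambda Protection finding against CloudTrail records (added example)."""

# Constructed sample finding shaped like GetFindings output; the account ID,
# ARN and revision ID are placeholders, not values from a real finding.
SAMPLE_FINDING = {
    "Resource": {
        "ResourceType": "Lambda",
        "LambdaDetails": {
            "FunctionName": "order-processor",
            "FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:order-processor",
            "FunctionVersion": "7",
            "RevisionId": "00000000-0000-0000-0000-000000000000",
        },
    },
}

# Constructed CloudTrail records for the Lambda API; only the fields used below are present.
SAMPLE_EVENTS = [
    {"eventName": "UpdateFunctionCode", "eventSource": "lambda.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"},
     "requestParameters": {"functionName": "order-processor"}},
    {"eventName": "UpdateFunctionConfiguration", "eventSource": "lambda.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-temp"},
     "requestParameters": {"functionName": "order-processor"}},
    {"eventName": "Invoke", "eventSource": "lambda.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/api-gateway"},
     "requestParameters": {"functionName": "order-processor"}},
]

# Lambda API calls that change what a function version runs (code, config or layers).
UPDATE_EVENTS = {"UpdateFunctionCode", "UpdateFunctionConfiguration",
                 "PublishVersion", "PublishLayerVersion"}


def function_from_finding(finding):
    """Step 1: extract the identifiers GuardDuty reports for the affected function."""
    d = finding["Resource"]["LambdaDetails"]
    return {"name": d["FunctionName"], "arn": d["FunctionArn"],
            "version": d["FunctionVersion"], "revision_id": d["RevisionId"]}


def unexpected_updates(events, fn, authorized_principals):
    """CloudTrail review: update calls on the function by principals not in the allow-list.

    CloudTrail may record functionName as either the bare name or the full ARN,
    so both forms are matched.
    """
    targets = {fn["name"], fn["arn"]}
    return [e for e in events
            if e.get("eventSource") == "lambda.amazonaws.com"
            and e.get("eventName") in UPDATE_EVENTS
            and e.get("requestParameters", {}).get("functionName") in targets
            and e["userIdentity"]["arn"] not in authorized_principals]
```

Principals that appear in the returned list are the ones to investigate before deciding whether the activity was expected or the function should be quarantined by removing its triggers.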