Remediating a potentially compromised Lambda function
When GuardDuty generates a Lambda Protection finding and the activity is unexpected, your Lambda function may be compromised. We recommend completing the following steps to remediate a compromised Lambda function.
To remediate Lambda Protection findings
- Identify the potentially compromised Lambda function version.
  A GuardDuty Lambda Protection finding provides the name, Amazon Resource Name (ARN), function version, and revision ID of the Lambda function in the finding details. Work from the qualified version named in the finding: published versions are immutable snapshots and triggers and aliases are bound to specific versions, so $LATEST may already differ from the code that produced the activity.
- Identify the source of the potentially suspicious activity.
  - Review the code associated with the Lambda function version involved in the finding.
  - Review the imported libraries and layers of the Lambda function version involved in the finding, noting any layers published from an account other than the function's own.
  - If you have enabled Scanning AWS Lambda functions with Amazon Inspector, review the Amazon Inspector findings associated with the Lambda function involved in the finding.
  - Review the AWS CloudTrail logs (management events such as UpdateFunctionCode, UpdateFunctionConfiguration, and PublishVersion) to identify the principal that changed the function, and confirm that the activity was authorized or expected. Lambda assigns a new revision ID on every code or configuration change, so the revision ID in the finding identifies the exact update that produced the version in question.
- Remediate the potentially compromised Lambda function.
  - Disable the execution triggers of the Lambda function involved in the finding. For more information, see DeleteFunctionEventInvokeConfig. Note that DeleteFunctionEventInvokeConfig removes only the function's asynchronous invocation configuration (retries and destinations). To actually stop invocations, also disable the function's event source mappings (UpdateEventSourceMapping with Enabled set to false), remove the statements that grant lambda:InvokeFunction from its resource-based policy (RemovePermission), and, for immediate containment across all versions and aliases, set its reserved concurrency to 0 (PutFunctionConcurrency).
  - Review the Lambda code and update the library imports and Lambda function layers to remove the potentially suspicious libraries and layers.
  - Mitigate the Amazon Inspector findings related to the Lambda function involved in the finding.
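The procedure above, carried through as triage code. This is an added example, not code from AWS or the GuardDuty documentation. It operates on the JSON shapes that GuardDuty findings (resource.lambdaDetails), CloudTrail records, and the Lambda API return, so it runs offline on the constructed sample data embedded at the bottom; the finding, CloudTrail records, function name, account IDs, layer ARNs, and policy are all invented for illustration. In production the dicts would come from boto3 (guardduty.get_findings, cloudtrail.lookup_events, lambda.get_function_configuration, list_event_source_mappings, get_policy), and containment_calls returns the Lambda client calls to run, in order, rather than running them.

```python
"""Triage of a GuardDuty Lambda Protection finding (added example, not AWS code)."""
import json
import re

# CloudTrail suffixes Lambda event names with an API version date, e.g.
# "UpdateFunctionCode20150331v2"; strip it so matching is stable.
def _norm(event_name):
    return re.sub(r"\d{8}(v\d+)?$", "", event_name)

# Control-plane calls that change what a function executes and carry
# requestParameters.functionName.
CODE_CHANGE_EVENTS = {"CreateFunction", "UpdateFunctionCode",
                      "UpdateFunctionConfiguration", "PublishVersion"}


def target_from_finding(finding):
    """Step 1: the function identity from the finding's lambdaDetails."""
    d = finding["resource"]["lambdaDetails"]
    return {"name": d["functionName"], "arn": d["functionArn"],
            "version": d["functionVersion"], "revision_id": d["revisionId"],
            "account": d["functionArn"].split(":")[4]}


def _refers_to(function_param, target):
    # requestParameters.functionName may be a bare name or a (qualified) ARN.
    return (function_param == target["name"] or function_param == target["arn"]
            or function_param.startswith(target["arn"] + ":"))


def modifying_events(records, target):
    """Step 2, CloudTrail: who changed this function, and which change
    produced the revision ID named in the finding."""
    hits = []
    for r in records:
        if _norm(r["eventName"]) not in CODE_CHANGE_EVENTS:
            continue
        fn = (r.get("requestParameters") or {}).get("functionName", "")
        if not _refers_to(fn, target):
            continue
        ident = r["userIdentity"]
        hits.append({
            "time": r["eventTime"], "event": _norm(r["eventName"]),
            "principal": ident.get("arn") or ident.get("principalId"),
            "source_ip": r.get("sourceIPAddress"),
            # responseElements.revisionId is the revision the call produced.
            "produced_finding_revision":
                (r.get("responseElements") or {}).get("revisionId") == target["revision_id"],
        })
    return sorted(hits, key=lambda h: h["time"])


def foreign_layers(function_config, target):
    """Step 2, layers: layers owned by another account. AWS-published layers
    are legitimately cross-account, so this is a review list, not a verdict."""
    return [layer["Arn"] for layer in function_config.get("Layers", [])
            if layer["Arn"].split(":")[4] != target["account"]]


def containment_calls(target, event_source_mappings, policy_json):
    """Step 3: Lambda client calls that stop invocations, in execution order.
    Throttling first halts every version and alias immediately."""
    calls = [("put_function_concurrency",
              {"FunctionName": target["name"], "ReservedConcurrentExecutions": 0})]
    for m in event_source_mappings:  # pull-based triggers (SQS, Kinesis, DynamoDB)
        if m.get("State") != "Disabled":
            calls.append(("update_event_source_mapping", {"UUID": m["UUID"], "Enabled": False}))
    for stmt in json.loads(policy_json).get("Statement", []):  # push-based triggers
        calls.append(("remove_permission",
                      {"FunctionName": target["name"], "StatementId": stmt["Sid"]}))
    calls.append(("delete_function_event_invoke_config", {"FunctionName": target["name"]}))
    return calls


# --- constructed sample data: invented finding, logs, and config ----------
FINDING = {"resource": {"resourceType": "Lambda", "lambdaDetails": {
    "functionName": "order-webhook",
    "functionArn": "arn:aws:lambda:us-east-1:111122223333:function:order-webhook",
    "functionVersion": "7", "revisionId": "rev-c3d4"}}}
RECORDS = [
    {"eventTime": "2024-03-01T09:02:11Z", "eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/run-812"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"functionName": "order-webhook"},
     "responseElements": {"revisionId": "rev-a1b2"}},
    {"eventTime": "2024-03-01T22:47:05Z", "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/svc-legacy"},
     "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"functionName": "arn:aws:lambda:us-east-1:111122223333:function:order-webhook"},
     "responseElements": {"revisionId": "rev-c3d4"}},
    {"eventTime": "2024-03-01T22:50:00Z", "eventName": "Invoke",  # data event, ignored
     "userIdentity": {"type": "AWSService", "invokedBy": "apigateway.amazonaws.com"},
     "requestParameters": {"functionName": "order-webhook"}},
]
FUNCTION_CONFIG = {"FunctionName": "order-webhook", "Layers": [
    {"Arn": "arn:aws:lambda:us-east-1:111122223333:layer:shared-utils:3"},
    {"Arn": "arn:aws:lambda:us-east-1:444455556666:layer:helper-lib:1"}]}
MAPPINGS = [{"UUID": "6f1c2b3a-0000-4000-8000-000000000001", "State": "Enabled"},
            {"UUID": "9a0e5d7c-0000-4000-8000-000000000002", "State": "Disabled"}]
POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "apigw-invoke", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "apigateway.amazonaws.com"},
     "Resource": FINDING["resource"]["lambdaDetails"]["functionArn"]}]})

if __name__ == "__main__":
    t = target_from_finding(FINDING)
    for h in modifying_events(RECORDS, t):
        flag = "<-- produced the revision in the finding" if h["produced_finding_revision"] else ""
        print(h["time"], h["event"], h["principal"], h["source_ip"], flag)
    print("cross-account layers:", foreign_layers(FUNCTION_CONFIG, t))
    for method, kwargs in containment_calls(t, MAPPINGS, POLICY):
        print(f"lambda.{method}({kwargs})")
```

On the sample data the CI deploy role's earlier change is listed but not flagged, while the IAM user's UpdateFunctionCode is the call that produced revision rev-c3d4, the revision the finding names; that principal and source IP are where the investigation continues. The containment list removes every resource-policy statement, which also cuts off legitimate invokers; that is intentional for containment and is restored once the clean version is redeployed.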