Remediating a potentially compromised Lambda function - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Remediating a potentially compromised Lambda function

When GuardDuty generates a Lambda Protection finding and the activity is unexpected, your Lambda function may be compromised. We recommend completing the following steps to remediate a compromised Lambda function.

To remediate Lambda Protection findings
  1. Identify the potentially compromised Lambda function version.

    The finding details of a GuardDuty Lambda Protection finding list the name, Amazon Resource Name (ARN), function version, and revision ID of the Lambda function involved.

  2. Identify the source of the potentially suspicious activity.

    1. Review the code associated with the Lambda function version involved in the finding.

    2. Review the imported libraries and layers of the Lambda function version involved in the finding.

    3. If you have enabled Scanning Amazon Lambda functions with Amazon Inspector, review the Amazon Inspector findings associated with the Lambda function involved in the finding.

    4. Review the Amazon CloudTrail logs to identify the principal that caused the function update and ensure that the activity was authorized or expected.

  3. Remediate the potentially compromised Lambda function.

    1. Disable the execution triggers of the Lambda function involved in the finding. For more information, see DeleteFunctionEventInvokeConfig.

    2. Review the Lambda code and update the library imports and Lambda function layers to remove the potentially suspicious libraries and layers.

    3. Mitigate Amazon Inspector findings related to the Lambda function involved in the finding.
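The following Python script is an added example and is not part of the GuardDuty documentation or any AWS tooling. It works through steps 1 and 2.4 above on constructed sample data: it takes the function name, ARN, version and revision ID from a Lambda Protection finding, filters CloudTrail records (in the shape returned by `aws cloudtrail lookup-events`) down to the calls that changed that function, identifies which call produced the revision ID named in the finding and which principal made it, and flags principals that are not on your list of expected deployers. The finding field names (`resource.lambdaDetails.*`), the CloudTrail event-name set, and all sample values are assumptions or constructed data, labelled as such in the comments; check them against your own findings and trail.

```python
import json

# CloudTrail eventName values for calls that change a function's code, configuration, or published
# versions. Assumption: these are the API-version-suffixed names Lambda records in CloudTrail; compare
# against your own trail and extend the set if other names appear.
FUNCTION_CHANGE_EVENTS = {
    "CreateFunction20150331",
    "UpdateFunctionCode20150331v2",
    "UpdateFunctionConfiguration20150331v2",
    "PublishVersion20150331",
}

# Constructed sample of the Lambda details in a GuardDuty Lambda Protection finding: the name, ARN,
# function version and revision ID that step 1 says to collect (field names assumed from finding JSON).
FINDING = {
    "resource": {
        "resourceType": "Lambda",
        "lambdaDetails": {
            "functionName": "order-webhook",
            "functionArn": "arn:aws:lambda:us-east-1:111122223333:function:order-webhook",
            "functionVersion": "7",
            "revisionId": "6f1b2c3d-0000-4000-8000-constructed0007",
        },
    },
}

def _record(event_name, when, principal_arn, source_ip, request, response):
    """Build one record in the shape `aws cloudtrail lookup-events` returns: the full event is a JSON
    string under CloudTrailEvent. All values passed in are constructed sample data."""
    event = {
        "eventTime": when, "eventName": event_name, "eventSource": "lambda.amazonaws.com",
        "userIdentity": {"arn": principal_arn}, "sourceIPAddress": source_ip,
        "requestParameters": request, "responseElements": response,
    }
    return {"EventName": event_name, "CloudTrailEvent": json.dumps(event)}

DEPLOY_BOT = "arn:aws:iam::111122223333:user/deploy-bot"                      # constructed: the CI deployer
CONTRACTOR = "arn:aws:sts::111122223333:assumed-role/contractor-role/alice"   # constructed: unexpected principal
FUNCTION_ARN = FINDING["resource"]["lambdaDetails"]["functionArn"]
HELPER_LAYER = "arn:aws:lambda:us-east-1:999999999999:layer:helper:3"         # constructed: layer from another account

LOOKUP_EVENTS = [  # constructed sample trail records, deliberately out of order and mixed with other activity
    _record("PublishVersion20150331", "2024-05-02T08:06:00Z", CONTRACTOR, "198.51.100.7",
            {"functionName": "order-webhook"},
            {"functionArn": FUNCTION_ARN + ":7", "version": "7",
             "revisionId": "6f1b2c3d-0000-4000-8000-constructed0007"}),
    _record("UpdateFunctionCode20150331v2", "2024-05-01T10:00:00Z", DEPLOY_BOT, "203.0.113.10",
            {"functionName": "order-webhook"},
            {"functionArn": FUNCTION_ARN, "version": "$LATEST", "revisionId": "1a1a-constructed-0001"}),
    _record("GetFunction20150331v2", "2024-05-02T08:00:00Z", CONTRACTOR, "198.51.100.7",
            {"functionName": "order-webhook"}, None),   # read-only call, not a change
    _record("UpdateFunctionConfiguration20150331v2", "2024-05-02T08:05:00Z", CONTRACTOR, "198.51.100.7",
            {"functionName": "order-webhook", "layers": [HELPER_LAYER]},
            {"functionArn": FUNCTION_ARN, "version": "$LATEST", "revisionId": "2b2b-constructed-0002",
             "layers": [{"arn": HELPER_LAYER, "codeSize": 4096}]}),
    _record("UpdateFunctionCode20150331v2", "2024-05-02T09:00:00Z", DEPLOY_BOT, "203.0.113.10",
            {"functionName": "arn:aws:lambda:us-east-1:111122223333:function:billing-report"},
            {"functionArn": "arn:aws:lambda:us-east-1:111122223333:function:billing-report",
             "version": "$LATEST", "revisionId": "3c3c-constructed-0003"}),  # a different function
]

def base_name(identifier):
    """Reduce a bare name, a name with qualifier, or a (qualified) ARN to the bare function name,
    since requestParameters.functionName may be written in any of these forms."""
    if ":function:" in identifier:
        identifier = identifier.split(":function:", 1)[1]
    return identifier.split(":", 1)[0]

def changes_to_function(finding, lookup_events):
    """Return, oldest first, every change call against the finding's function, with the principal,
    resulting revision ID, published version, attached layers, and whether that call produced the
    revision ID named in the finding."""
    details = finding["resource"]["lambdaDetails"]
    target = base_name(details["functionArn"])
    hits = []
    for record in lookup_events:
        event = json.loads(record["CloudTrailEvent"])
        if event.get("eventName") not in FUNCTION_CHANGE_EVENTS:
            continue
        requested = (event.get("requestParameters") or {}).get("functionName")
        if requested is None or base_name(requested) != target:
            continue
        response = event.get("responseElements") or {}
        hits.append({
            "eventTime": event["eventTime"],
            "eventName": event["eventName"],
            "principal": event["userIdentity"].get("arn"),
            "sourceIPAddress": event.get("sourceIPAddress"),
            "revisionId": response.get("revisionId"),
            "version": response.get("version"),
            "layers": [layer.get("arn") for layer in response.get("layers", [])],
            "producedFindingRevision": response.get("revisionId") == details["revisionId"],
        })
    return sorted(hits, key=lambda h: h["eventTime"])

def revision_author(finding, lookup_events):
    """The change that produced the revision ID in the finding, or None if the trail window misses it."""
    matches = [h for h in changes_to_function(finding, lookup_events) if h["producedFindingRevision"]]
    return matches[0] if matches else None

def unexpected_principals(hits, expected_deployers):
    """Principals that changed the function but are not on the allow-list of expected deployers."""
    return {h["principal"] for h in hits} - set(expected_deployers)

if __name__ == "__main__":
    changes = changes_to_function(FINDING, LOOKUP_EVENTS)
    for h in changes:
        print(h["eventTime"], h["eventName"], h["principal"], h["revisionId"], h["layers"])
    print("finding revision produced by:", revision_author(FINDING, LOOKUP_EVENTS)["principal"])
    print("unexpected principals:", unexpected_principals(changes, {DEPLOY_BOT}))
```

To run this against real data, replace `FINDING` with the output of `aws guardduty get-findings` for the finding in question and `LOOKUP_EVENTS` with the `Events` list from `aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=<function name>` over the period before the finding. The `layers` column of the output gives you the list to compare against step 2.2, and the revision match tells you exactly which call created the version named in the finding rather than only which calls touched the function.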