AWS Lambda#

Version: 1.0.1 · Category: AWS Cloud Security · Plan: Base+

A comprehensive Lambda security integration covering function inventory, public access detection, trigger and event source mapping analysis, execution role auditing, and log forensics.

Tools#

`list_functions` — Function list#

List all Lambda functions in the account, including:

Function name, runtime, and ARN
Memory and timeout configuration
Last modified time
Attached execution role ARN

`get_function_details` — Function details#

Retrieve the full configuration for a specific function:

Runtime version and environment variables
VPC configuration (VPC ID, subnets, security groups)
Execution role and permission summary
Resource-based policy (who can invoke this function externally)
Layers and concurrency settings

`check_public_functions` — Public function detection#

Detect Lambda functions with resource-based policies that allow invocation from any principal (*). These functions are callable by anyone.

`list_event_source_mappings` — Event source mapping list#

List all Lambda event source triggers: SQS, Kinesis, DynamoDB Streams, Kafka, etc.

Returns:

Event source ARN
Batch size
Trigger status (Enabled / Disabled)
Filter conditions

`analyze_triggers` — Trigger analysis#

Analyze all triggers for a specified function, including:

Resource-based policy (API Gateway, S3, SNS, EventBridge, Cognito, etc.)
Event source mappings (SQS, Kinesis, DynamoDB Streams, etc.)
Trigger type categorization

`check_function_permissions` — Permission analysis#

Retrieve the full resource-based policy for a function and analyze each statement's permission scope:

Principal: * = publicly accessible
Cross-account principals
Service-authorized invocations

`get_function_logs` — Log forensics#

Retrieve recent logs for a specified function (from CloudWatch Logs):

Parameter	Default	Description
`function_name`	Required	Lambda function name
`hours`	1	Lookback window (hours)
`limit`	100	Maximum number of log entries

`check_execution_roles` — Execution role auditing#

Audit the execution role configuration for all Lambda functions:

Identify functions using AWSLambdaFullAccess or similarly over-privileged managed policies
Flag functions sharing the same execution role
Identify execution roles with cross-service high-risk permissions

Configuration#

Item	Description
`AWS_ACCESS_KEY_ID`	Access Key ID
`AWS_SECRET_ACCESS_KEY`	Secret Access Key
`AWS_DEFAULT_REGION`	Default region (e.g. `us-east-1`)
`AWS_SESSION_TOKEN`	Optional: temporary session token

Investigation workflow#

1. check_public_functions
   → Detect all publicly invocable Lambda functions

2. list_functions
   → Inventory all functions: runtime, role, last modified time

3. get_function_details function_name:"<target function>"
   → Get full configuration for a specific function

4. analyze_triggers function_name:"<target function>"
   → Understand which events or services can trigger this function

5. check_execution_roles
   → Identify over-privileged execution roles (e.g. with AWSLambdaFullAccess)

6. get_function_logs function_name:"<target function>" hours:24
   → Retrieve recent logs for anomaly and error investigation

AWS Lambda#

Tools#

list_functions — Function list#

get_function_details — Function details#

check_public_functions — Public function detection#

list_event_source_mappings — Event source mapping list#

analyze_triggers — Trigger analysis#

check_function_permissions — Permission analysis#

get_function_logs — Log forensics#

check_execution_roles — Execution role auditing#