more details on Lambda

Enumeration/AWS.md

@@ -530,9 +530,10 @@ table of CIDRs or Managed Prefix Lists.
 
 An attacker may add VPC endpoints to exfiltrate data to S3 buckets under his control.
 
-List available endpoints via aws cli.
+List available vpcs, and endpoints via aws cli.
 
 ```sh
+aws ec2 describe-vpcs
 aws ec2 describe-vpc-endpoints
 ```
 
@@ -813,7 +814,14 @@ aws s3 sync --no-sign-request s3://<bucket-name> .
 
 #### Check Permissions of a bucket
 
-Use a `PUT` method to see if the bucket may be writeable to upload a file via
+Check the Policy of the bucket via aws cli.
+
+```sh
+aws s3api get-bucket-policy --bucket <bucketname> --query Policy --output text | jq .
+```
+
+Or ghetto style, use a `PUT` method to see if the bucket may be writeable to
+upload a file via
 
 ```sh
 curl -vvv -X PUT $BUCKET_URL  --data "Test of write permissions"
@@ -849,6 +857,12 @@ The ARN of a the function invoked is structured in the following way.
 arn:aws:lambda:<region>:<AccountId>:function:<functionName>
 ```
 
+List Lambda functions via aws cli.
+
+```sh
+aws lambda list-functions |  jq .
+```
+
 Execute a lambda function via aws cli.
 
 ```sh
@@ -875,9 +889,9 @@ aws lambda get-function --function-name arn:aws:lambda:<region>:<AccountId>:func
 #### Lambda Buildup
 
 The executed code is frequently stored in a zip file inside an S3 bucket. A
-file name is set so the handler can execute it. The zip file is queried through
-the API before a functions execution is triggered. The zip file contains a file
-name which is called by the handler.
+file name is set so the handler can execute it, e.g. `function.py`.
+The zip file is queried through the API before a functions execution is
+triggered. The zip file contains a file name which is called by the handler.
 
 Events can be tested through the web console.
 
@@ -903,7 +917,41 @@ usual.
 Lambda functions have 500MB of disk space inside the container's /tmp directory
 or can have an Elastic File System attached (EFS).
 
+Lambda has layers for code sharing. These layers can be found under `/opt`.
 
+Lambda functions can be queried through HTTP. The scheme of such a uniquely
+identified URL is like the following. The request has to be signed if
+authentication is required.
+
+```sh
+https://<urlId>.lambda-url.<region>.on.aws
+```
+
+#### Lambda Vulnerabilities
+
+Vulnerabilities include
+
+* Missing input validation on the event sent as user input to the Lambda function
+* Sensitive data written to stdout and stderr, which is then sent to CloudWatch
+* Permissive roles for function execution
+* Privilege escalation through access to environment variables `$AWS_ACCESS_KEY_ID`, `$AWS_SECRET_ACCESS_KEY` and `$AWS_SESSION_TOKEN` inside the Lambda container from function execution or from the webc console
+* Access to the unencrypted secrets inside environment variables through function execution inside the container
+* Use of `lambda:*` instead of `lambda:invokeFunction` as part of a resource policy
+* Use of `Principal: *` inside an IAM policy
+
+Check invocation policies of lambda functions via aws cli.
+
+```sh
+aws lambda get-policy --query Policy --output text --function-name arn:aws:lambda:<region>:<AccountId>:function:<functionName> | jq .
+```
+
+* Modifying Lambda layers through malicious code
+* Use the concurrency of Lambda functions as a DoS measurement
+* Get the function ZIP file through the URL or the following aws cli line to iinspect the code for sensitive data
+
+```sh
+aws lambda get-function --function-name arn:aws:lambda:<region>:<AccountId>:function:<functionName>
+```
 
 ### CloudFront
 
@@ -1304,7 +1352,8 @@ aws route53 list-hosted-zones
 
 A subdomain can be useful for regular users and an attacker alike.
 
-Create a file named `create_record.json` containing certificate details from the aws acm desription.
+Create a file named `create_record.json` containing certificate details from
+the aws acm desription.
 
 ```json
 {