added details on Lambda functions

Enumeration/AWS.md

@@ -931,26 +931,91 @@ https://<urlId>.lambda-url.<region>.on.aws
 
 Vulnerabilities include
 
-* Missing input validation on the event sent as user input to the Lambda function
+* Missing input validation and sanitizaiton on the event sent as user input to the Lambda function
 * Sensitive data written to stdout and stderr, which is then sent to CloudWatch
+* Lambda in a VPC
 * Permissive roles for function execution
+
+Examples of exciting permissions are ReadAccess in general or the following roles.
+
+```
+AmazonS3FullAccess
+AWSLambda_FullAccess
+```
+
 * Privilege escalation through access to environment variables `$AWS_ACCESS_KEY_ID`, `$AWS_SECRET_ACCESS_KEY` and `$AWS_SESSION_TOKEN` inside the Lambda container from function execution or from the webc console
+
+Use the found environment variables to get find the AccountId via aws cli.
+
+```sh
+export AWS_SESSION_TOKEN=<Found-AWS_SESSION_TOKEN>
+export AWS_SECRET_ACCESS_KEY=<Found-AWS_SECRET_ACCESS_KEY>
+export AWS_ACCESS_KEY_ID=<Found-AWS_ACCESS_KEY_ID>
+
+aws sts get-caller-identity
+```
+
 * Access to the unencrypted secrets inside environment variables through function execution inside the container
 * Use of `lambda:*` instead of `lambda:invokeFunction` as part of a resource policy
 * Use of `Principal: *` inside an IAM policy
 
-Check invocation policies of lambda functions via aws cli.
+List functions and check invocation policies of lambda functions via aws cli.
 
 ```sh
+aws lambda get-function --function-name arn:aws:lambda:<region>:<AccountId>:function:<functionName>
 aws lambda get-policy --query Policy --output text --function-name arn:aws:lambda:<region>:<AccountId>:function:<functionName> | jq .
 ```
 
+Check policies of the found functions of the Lambda functions via aws cli.
+
+```sh
+func="<function1> <function2> <function3>"
+
+for fn in $func; do
+  role=$(aws lambda get-function --function-name <functionName> --query Configuration.Role --output text | aws -F\/ '{print $NF}'
+  echo "$fn has $role with following policies"
+  aws iam list-attached-role-policies --role-name $role
+  for policy in $(aws iam list-role-policies --role-name $role --query PolicyNames --output text); do
+    echo "$role for $fn has policy $policy"
+    aws iam get-role-policy --role-name $role --policy-name $policy
+  done
+done
+```
+
 * Modifying Lambda layers through malicious code
 * Use the concurrency of Lambda functions as a DoS measurement
-* Get the function ZIP file through the URL or the following aws cli line to iinspect the code for sensitive data
+
+##### Invoke Modified Functions
+
+Get the function ZIP file through the URL or the following aws cli line to inspect the code for sensitive data
 
 ```sh
-aws lambda get-function --function-name arn:aws:lambda:<region>:<AccountId>:function:<functionName>
+func="<function1> <function2> <function3>"
+
+for fn in $func; do
+  url=$(aws lambda get-functions --function-name $fn --query Code.Location --output text)
+  curl -s -o $fn.zip $url
+  mkdir -p $fn
+  unzip $fn.zip -d $fn
+done
+```
+
+Invoke a function with a predefined event, after getting intel from the zip, stored in `event.json` via aws cli.
+
+```sh
+aws lambda invoke --function-name <functionName> --payload fileb://event.json out.json
+```
+
+Update a function through modified source code in a ZIP file via aws cli.
+
+```sh
+aws lambda update-function-code --region <region> --function-name <functionName> --zip-file fileb://modified.zip
+```
+
+Create a payload `next_event.json` and invoke the function via aws cli.
+
+```sh
+aws lambda invoke --function-name <functionName> --payload fileb://next_event.json out.json
 ```
 
 ### CloudFront
@@ -1393,3 +1458,12 @@ aws route53 get-change --id <ChangeInfo/Id>
 Describe the certificate to see the details via aws cli, like mentioned in the
 ACM chapter above.
 
+### API Gateway
+
+An HTTP API consists of the following parts.
+
+* HTTP Request Body
+* HTTP Response
+* Specific HTTP headers
+* HTTP Method
+* Endpoint the request is queried