Severity: High

lambda:UpdateFunctionCode Privilege Escalation

lambda:UpdateFunctionCode lets a principal overwrite the code of an existing Lambda function. If that function already runs as a more privileged execution role, the attacker replaces the code with their own and inherits the role’s permissions the next time it runs — no PassRole required.

Permissions an attacker needs

  • lambda:UpdateFunctionCode
  • a trigger or lambda:InvokeFunction to run it

How the escalation works

  • The attacker lists functions and finds one whose execution role is more privileged than they are.
  • They call UpdateFunctionCode to replace that function’s deployment package with their own code.
  • When the function next runs (an existing trigger, or a direct invoke), their code executes with the privileged execution role’s permissions.

Example vulnerable policy

A policy like this grants the dangerous permission. Paste your own policy into the free AI-Powered IAM analyzer to see if you are exposed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:UpdateFunctionCode",
      "Resource": "*"
    }
  ]
}

Example exploitation

For illustration only — run against accounts you own or are authorized to test.

aws lambda update-function-code \
  --function-name privileged-fn \
  --zip-file fileb://malicious.zip
aws lambda invoke --function-name privileged-fn out.json

How to detect and prevent it

  • Scope lambda:UpdateFunctionCode to specific function ARNs the principal owns, never Resource "*".
  • Least-privilege every Lambda execution role so a hijacked function cannot reach sensitive resources.
  • Alert on UpdateFunctionCode in CloudTrail, especially on functions with broad execution roles.
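As an added example (written for this page, not Shieldly's analyzer or any AWS code), a small Python checker that flags the pattern in the vulnerable policy above and the first prevention bullet: any Allow statement granting lambda:UpdateFunctionCode, including through action wildcards such as lambda:Update* or a NotAction that fails to exclude it, on Resource "*" or a wildcard function ARN. The sample policies are constructed; the account ID and function names are placeholders.

```python
# Added example (not Shieldly's analyzer): flag IAM statements that allow
# lambda:UpdateFunctionCode on anything broader than explicit function ARNs.
import fnmatch

TARGET_ACTION = "lambda:UpdateFunctionCode"

def _as_list(value):
    # IAM lets Action/Resource be a single string or a list; normalise to a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    # Action names are case-insensitive and may use * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _resource_is_broad(resource):
    # "*" or a Lambda ARN whose function-name part contains a wildcard is broad.
    if not (resource.startswith("arn:") and ":lambda:" in resource):
        return resource == "*"  # "*" is broad; another service's ARN grants nothing
    name = resource.split(":function:", 1)[1] if ":function:" in resource else "*"
    return "*" in name or "?" in name

def find_unscoped_update_code(policy):
    """Return offending Allow statements as {"Sid": ..., "Resource": [...]}."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny never grants; Condition keys are ignored here
        actions = _as_list(stmt.get("Action"))
        excluded = _as_list(stmt.get("NotAction"))
        if excluded and not any(_action_matches(p, TARGET_ACTION) for p in excluded):
            actions = [TARGET_ACTION]  # NotAction allows everything not excluded
        if not any(_action_matches(p, TARGET_ACTION) for p in actions):
            continue
        broad = [r for r in _as_list(stmt.get("Resource")) if _resource_is_broad(r)]
        if broad:
            findings.append({"Sid": stmt.get("Sid"), "Resource": broad})
    return findings

# Constructed samples: the page's vulnerable policy, a scoped fix, and a
# wildcard-action variant that a plain string match on the action would miss.
VULNERABLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:UpdateFunctionCode", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OwnFnOnly", "Effect": "Allow",
     "Action": ["lambda:UpdateFunctionCode", "lambda:InvokeFunction"],
     "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-own-fn"}]}
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Sneaky", "Effect": "Allow", "Action": "lambda:Update*", "Resource": "*"}]}
```

Run `find_unscoped_update_code` over each policy document attached to the principal; an empty list means no unscoped grant was found, but it does not account for Condition blocks or permission boundaries.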

FAQ

Why does this not need iam:PassRole?

The function already has an execution role assigned. UpdateFunctionCode only changes the code that runs under that existing role, so no role is being passed — which is why it is easy to overlook.

Check your IAM policies for this — free

Shieldly's AI-Powered analyzer flags privilege-escalation paths, wildcards, and risky PassRole in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.