How do I configure Amazon AWS Lambda to prevent the log from being returned in the response?

Please see the following:

http://docs.aws.amazon.com/lambda/latest/dg/API_Invoke.html

LogType

You can set this optional parameter to Tail in the request only if you specify the InvocationType parameter with the value RequestResponse. In this case, AWS Lambda returns the base64 encoding of the last 4 KB of log data generated by your Lambda function in the x-amz-log-result header.

Valid Values: None | Tail

So, does this mean that any user with valid credentials to call a function can also read the logs that this function emits?

If so, this is an obvious vulnerability that could give an attacker some useful information about processing invalid input.

How do I configure Amazon AWS Lambda to prevent the log from being returned in the response?

Update 1

1) Regarding the comment: "If a hacker can call your lambda function, you have more problems than looking at the log files."

Not true: Lambda functions should also be called directly from client code using the SDK.

For an example, see the figure below from the book AWS Lambda in Action:

[figure from the book; image not reproduced]

2) Regarding the comment: "How exactly is this a vulnerability? Only someone who has AWS IAM credentials could call the Lambda function."

Of course, customers usually have some credentials most of the time (for example, from logging into your mobile application with their Facebook account through Amazon Cognito). Should I trust all my users?

3) Regarding the comment: "Only if you entered some protected information for registration."

Logs may contain sensitive information. I'm not talking about secret information such as passwords, but just about what helps the developers debug or helps the security team find out about attacks. Applications can log all kinds of information, including the reason some invalid input failed, which can help an attacker learn what a valid input is. In addition, attackers can see all the information that the security team logs about their attacks. Not good. Even confidentiality may be at risk depending on what you log.

Update 2

It would also solve my problem if I could somehow detect the Tail parameter in the Lambda code. Then I would just fail with the message "Tail is not allowed." Unfortunately, the Context object does not seem to contain this information.

+7
logging amazon-web-services aws-lambda
3 answers

I think you cannot configure AWS Lambda to prevent the log from being returned in the response. However, you can use your own logging component instead of the one provided by AWS Lambda, to avoid the possibility of exposing your logs through the LogType parameter.

Apart from that, I see your point about complexity, but using API Gateway is the most common solution that lets you use Lambda functions from client applications that you do not trust.

+3
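An added example in Python of what the first answer suggests (this is not code from the question, the answers or AWS): the function's own stdout stream, which LogType=Tail returns to any caller allowed to invoke the function, carries only a correlation id, while the specific validation failures go to a separate restricted sink. PRIVATE_SINK, the _Capture handler and the event fields are constructed stand-ins; in a real function the sink would be, for example, a separate CloudWatch Logs group that only the security team can read.

```python
import base64
import json
import logging
import uuid

PRIVATE_SINK = []  # constructed stand-in for a restricted log destination; never stdout

class _Capture(logging.Handler):
    """Collects what the public logger writes; stands in for the stdout stream."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

PUBLIC_CAPTURE = _Capture()
public_log = logging.getLogger("public")  # anything logged here is visible to Tail
public_log.addHandler(PUBLIC_CAPTURE)
public_log.setLevel(logging.INFO)
public_log.propagate = False

def validate(event):
    """Specific reasons the input is bad; exactly what should not reach a caller."""
    problems = []
    uid = event.get("user_id")
    if not isinstance(uid, str) or len(uid) != 32:
        problems.append("user_id must be a 32-character string")
    amount = event.get("amount")
    if not isinstance(amount, (int, float)) or amount > 1000:
        problems.append("amount must be a number no greater than 1000")
    return problems

def handler(event, context=None):
    """Lambda handler: stdout gets only a correlation id, details go to the sink."""
    corr = str(uuid.uuid4())
    problems = validate(event)
    if problems:
        PRIVATE_SINK.append({"id": corr, "problems": problems, "event": event})
        public_log.warning("request %s rejected", corr)
        return {"statusCode": 400, "body": json.dumps({"error": "invalid request", "id": corr})}
    public_log.info("request %s accepted", corr)
    return {"statusCode": 200, "body": json.dumps({"id": corr})}

def tail_payload():
    """What LogType=Tail hands the caller: base64 of the last 4 KB of the stream."""
    return base64.b64encode("\n".join(PUBLIC_CAPTURE.lines).encode()[-4096:]).decode()

def decode_log_result(value):
    """Decode an x-amz-log-result header value to check what a response exposed."""
    return base64.b64decode(value).decode()
```

The correlation id lets the security team join the public line to the private record without the caller learning why the input was rejected.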

You are right, this is not only bad practice but also an obvious (as you already realized) security vulnerability.

If you look carefully in the book, you will also find this part:

[figure from the book; image not reproduced]

which explains that, for greater security, client requests should go to Amazon API Gateway, which exposes a clean API and calls the corresponding Lambda function without exposing it to the outside world.

An example of such an API is shown on the previous page:

[figure from the book; image not reproduced]

By introducing an intermediate layer between the client and AWS Lambda, we take care of authentication, authorization, access control and all the other potential vulnerabilities.

+2

This should be a comment, but sorry, I don't have enough Stack Overflow reputation yet.

Before commenting on this, please note that a Lambda Invoke may result in more than one execution of your Lambda (per the AWS documentation):

Invocations occur at least once in response to an event, and functions must be idempotent to handle this.

Since LogType is listed as a valid option, I don't think you can prevent it in your backend. However, you could work around it. I can think of:

1- Generate 4 KB of junk log output at the end (e.g. using console.log()). Then the attacker only receives the junk. (This incurs cost only when an attacker does this.)

2- Use Step Functions. This not only hides the log but also overcomes the "invocations occur at least once" problem and gives you a predictable execution of your backend. However, this carries a cost.

+1
