HackTricks-wiki · carlospolop · Apr 3, 2025 · Mar 31, 2025
diff --git a/...cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md b/...cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md
@@ -10,6 +10,12 @@ For more information check:
 ../../aws-services/aws-lambda-enum.md
 {{#endref}}
 
+### Exfilrtate Lambda Credentials
+
+Lambda uses environment variables to inject credentials at runtime. If you can get access to them (by reading `/proc/self/environ` or using the vulnerable function itself), you can use them yourself. They live in the default variable names `AWS_SESSION_TOKEN`, `AWS_SECRET_ACCESS_KEY`, and `AWS_ACCESS_KEY_ID`. 
+
+By default, these will have access to write to a cloudwatch log group (the name of which is stored in `AWS_LAMBDA_LOG_GROUP_NAME`), as well as to create arbitrary log groups, however lambda functions frequently have more permissions assigned based on their intended use.
+
 ### Steal Others Lambda URL Requests
 
 If an attacker somehow manage to get RCE inside a Lambda he will be able to steal other users HTTP requests to the lambda. If the requests contain sensitive information (cookies, credentials...) he will be able to steal them.