MITRE ATT&CK® Analytic

AN1053: Analytic 1053

Correlate creation or modification of serverless functions (e.g., AWS Lambda, GCP Cloud Functions, Azure Functions) with anomalous IAM role assignments or permissions escalation events. Detect subsequent executions of newly created functions that perform unexpected actions such as spawning outbound network connections, accessing sensitive resources, or creating additional credentials.

Domain: Enterprise. ID: AN1053. Type: Analytic. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because serverless functions can become a fast path from cloud configuration change to business-impacting access. A newly created or modified function with unusual IAM permissions may execute code that reaches sensitive resources, opens outbound connections, or creates more credentials. For leaders, the practical question is whether cloud teams can connect identity changes, function deployment activity, and runtime behavior quickly enough to support incident decisions.

Executive priority

Prioritize this as a cloud security and identity-governance validation item for IaaS environments using serverless services such as AWS Lambda, GCP Cloud Functions, or Azure Functions. It supports resilience and audit readiness by testing whether the organization can prove who changed a function, what role or permissions were attached, when it executed, and whether it accessed sensitive resources or created credentials. Budget and control discussions should focus on cloud logging completeness, IAM change monitoring, and cross-source correlation rather than standalone alerts.

Technical view

SOC and detection teams should validate correlation across three event groups: serverless function creation or modification, anomalous IAM role assignment or permission escalation, and subsequent execution behavior. Useful detection logic should look for newly created or changed functions followed by unexpected outbound network activity, access to sensitive resources, or creation of additional credentials. Because no ATT&CK tactic or formal detection implementation is supplied, local baselining is required to define what is anomalous for function permissions, runtime behavior, and resource access.

Likely telemetry

  • Cloud control-plane audit logs for serverless function creation and modification
  • IAM role assignment, policy change, and permission escalation events
  • Serverless function invocation and execution logs
  • Cloud network telemetry showing outbound connections from serverless workloads
  • Cloud resource access logs for sensitive data stores or services

Detection direction

  • Confirm cloud audit logging is enabled for serverless control-plane changes and IAM events across relevant accounts, projects, or subscriptions.
  • Correlate function creation/modification with nearby IAM role assignments or permission changes instead of alerting on either event alone.
  • Tune baselines for expected deployment pipelines, approved roles, normal function destinations, and routine access to sensitive resources to reduce false positives.
  • Prioritize alerts where new or modified functions execute soon after creation and then access sensitive resources, make unusual outbound connections, or create additional credentials.
  • Check blind spots around short-lived functions, incomplete cloud-region coverage, missing function runtime logs, and IAM changes performed by automation accounts.
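As an added example (not Glexia's or MITRE's code) of the three-way correlation described above, the following Python joins constructed CloudTrail-style events on the function's execution role: a function change, an IAM escalation on that role within a window, and a suspicious runtime action by the same role afterwards. The event-name sets, field names and 30-minute window are assumptions to tune locally.

```python
from datetime import datetime, timedelta

# Event-name sets follow AWS CloudTrail naming; their exact membership is an
# assumption to tune per environment (GCP and Azure use different method names).
FUNCTION_CHANGE = {"CreateFunction20150331", "UpdateFunctionCode20150331",
                   "UpdateFunctionConfiguration20150331"}
IAM_ESCALATION = {"CreateRole", "AttachRolePolicy", "PutRolePolicy"}
SUSPICIOUS_RUNTIME = {"CreateAccessKey", "CreateUser", "GetSecretValue"}
WINDOW = timedelta(minutes=30)

def ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2026-01-05T10:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def correlate(events, window=WINDOW):
    """Alert only when all three groups line up on one execution role: an IAM
    escalation on that role within +/- window of a function change, followed
    by a suspicious runtime action taken by the same role."""
    alerts = []
    for f in (e for e in events if e["name"] in FUNCTION_CHANGE):
        t0 = ts(f["time"])
        iam = [e["name"] for e in events if e["name"] in IAM_ESCALATION
               and e["role"] == f["role"] and abs(ts(e["time"]) - t0) <= window]
        if not iam:  # deployment without an IAM change: routine, no alert
            continue
        runtime = [e["name"] for e in events if e["name"] in SUSPICIOUS_RUNTIME
                   and e["role"] == f["role"]
                   and timedelta(0) <= ts(e["time"]) - t0 <= window]
        if runtime:
            alerts.append({"function": f.get("function"), "role": f["role"],
                           "actor": f["actor"], "iam": iam, "runtime": runtime})
    return alerts

# Constructed sample events (not real logs). "role" is the execution role a
# function event binds, the target role of an IAM event, or the assumed role
# acting at runtime; "actor" is the calling principal.
SAMPLE = [
    {"time": "2026-01-05T10:00:00Z", "name": "AttachRolePolicy",
     "actor": "alice", "role": "lambda-etl-role"},
    {"time": "2026-01-05T10:03:00Z", "name": "CreateFunction20150331",
     "actor": "alice", "role": "lambda-etl-role", "function": "etl-sync"},
    {"time": "2026-01-05T10:06:00Z", "name": "CreateAccessKey",
     "actor": "assumed-role/lambda-etl-role", "role": "lambda-etl-role"},
    {"time": "2026-01-05T11:30:00Z", "name": "CreateFunction20150331",
     "actor": "ci-deploy", "role": "lambda-report-role", "function": "nightly-report"},
    {"time": "2026-01-05T11:32:00Z", "name": "GetSecretValue",
     "actor": "assumed-role/lambda-report-role", "role": "lambda-report-role"},
]

def run_sample():
    """Expected: one alert for etl-sync; the CI deployment with no IAM change is silent."""
    return correlate(SAMPLE)
```

The second function in the sample shows the tuning point from the bullets: a routine pipeline deployment that later reads a secret does not alert on its own, because no IAM escalation touched its role inside the window.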

Mitigation priorities

  • Enforce least-privilege IAM roles for serverless functions and review permissions attached during deployment.
  • Require controlled deployment paths and change accountability for serverless function creation or modification.
  • Enable and retain cloud audit, IAM, invocation, network, and resource-access logs needed for cross-source investigation.
  • Apply monitoring to credential creation and sensitive resource access by serverless identities.
  • Regularly review high-privilege serverless roles and remove unused or overly broad permissions.

Analyst notes and limits

This is a detection analytic, not a technique description. Its value is in testing whether cloud identity, deployment, and runtime telemetry can be joined into an investigation timeline. Managed detection and incident response teams should treat it as a coverage scenario for serverless abuse involving IAM change plus suspicious execution behavior.

The supplied ATT&CK object provides a description but no official detection field, tactics, relationships, aliases, or labels. It supports IaaS and mentions AWS Lambda, GCP Cloud Functions, and Azure Functions as examples, but local cloud architecture, logging configuration, and baseline behavior are required to determine actual detection quality.

Official MITRE ATT&CK definition

Analytic 1053

Correlate creation or modification of serverless functions (e.g., AWS Lambda, GCP Cloud Functions, Azure Functions) with anomalous IAM role assignments or permissions escalation events. Detect subsequent executions of newly created functions that perform unexpected actions such as spawning outbound network connections, accessing sensitive resources, or creating additional credentials.

The same entry is also hosted on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the snapshot table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created / Modified: not populated in the mirrored snapshot
Raw hash: 7488c798fc936bf1...

Imported snapshots across ATT&CK releases (1)

  • Release 19.1: object version 1.0, status "Current bundle", raw hash 7488c798fc93… (bundle import date and modified timestamp not populated).
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: AN1053 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.