[One Workflow] feat: add AWS Lambda connector for workflows (elastic#256150)

Adds a new AWS Lambda connector spec that enables workflows to invoke
Lambda functions, list available functions, and get function details.
Includes SigV4 signing adapted for POST+JSON (Lambda Invoke) alongside
GET requests, schema with labeled form fields, SVG icon, and unit tests.

Also fixes connector icon resolution in the YAML editor for
dot-separated step types (e.g. aws_lambda.invoke) by extracting the base
connector name in getBaseConnectorType.

Closes elastic/security-team#16126

```yaml
name: "Invoke tinForTheWin Lambda"
description: |
  PoC workflow that invokes the tinForTheWin AWS Lambda function.
  Demonstrates synchronous invocation with a JSON payload from workflow inputs,
  listing available functions, and getting function details.
triggers:
  - type: manual
tags:
  - aws
  - lambda
  - poc

inputs:
  type: object
  properties:
    tin:
      type: string
      default: "for-the-win"

steps:
  # -------------------------------------------------------------------------
  # Step 1: List all available Lambda functions
  # -------------------------------------------------------------------------
  - name: list_functions
    type: aws_lambda.listFunctions
    connector-id: 3bcf7284-b8ff-404f-86ab-35a5ce0172b5
    with:
      maxItems: 10

  - name: log_functions
    type: console
    with:
      message: "Available functions: {{ steps.list_functions.output.functions | map: 'functionName' | join: ', ' }}"

  # -------------------------------------------------------------------------
  # Step 2: Get details about the tinForTheWin function
  # -------------------------------------------------------------------------
  - name: get_function_details
    type: aws_lambda.getFunction
    connector-id: 3bcf7284-b8ff-404f-86ab-35a5ce0172b5
    with:
      functionName: "tinForTheWin"

  - name: log_details
    type: console
    with:
      message: "tinForTheWin — runtime: {{ steps.get_function_details.output.runtime }}, memory: {{ steps.get_function_details.output.memorySize }}MB, timeout: {{ steps.get_function_details.output.timeout }}s, state: {{ steps.get_function_details.output.state }}"

  # -------------------------------------------------------------------------
  # Step 3: Invoke the Lambda function
  # -------------------------------------------------------------------------
  - name: invoke_lambda
    type: aws_lambda.invoke
    connector-id: 3bcf7284-b8ff-404f-86ab-35a5ce0172b5
    with:
      functionName: "tinForTheWin"
      payload: "${{ inputs }}"
      invocationType: "RequestResponse"

  - name: log_result
    type: console
    with:
      message: "Lambda response: {{ steps.invoke_lambda.output.payload | json }}"
enabled: true
```

---------

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: talboren

.github/CODEOWNERS

@@ -2461,6 +2461,7 @@ src/platform/packages/shared/kbn-connector-specs/src/specs/github/** @elastic/wo
 src/platform/packages/shared/kbn-connector-specs/src/specs/google_calendar/** @elastic/workchat-eng
 src/platform/packages/shared/kbn-connector-specs/src/specs/google_drive/** @elastic/workchat-eng
 src/platform/packages/shared/kbn-connector-specs/src/specs/greynoise/** @elastic/workflows-eng
+src/platform/packages/shared/kbn-connector-specs/src/specs/aws_lambda/** @elastic/workflows-eng
 src/platform/packages/shared/kbn-connector-specs/src/specs/jina/** @elastic/jinastic
 src/platform/packages/shared/kbn-connector-specs/src/specs/notion/** @elastic/workchat-eng
 src/platform/packages/shared/kbn-connector-specs/src/specs/pagerduty/** @elastic/response-ops

src/platform/packages/shared/kbn-connector-specs/src/all_auth_types.ts

@@ -8,6 +8,7 @@
  */
 
 export * from './auth_types/api_key_header';
+export * from './auth_types/aws_credentials';
 export * from './auth_types/bearer';
 export * from './auth_types/basic';
 export * from './auth_types/none';

src/platform/packages/shared/kbn-connector-specs/src/all_specs.ts

@@ -10,6 +10,7 @@
 export * from './specs/abuseipdb/abuseipdb';
 export * from './specs/alienvault_otx/alienvault_otx';
 export * from './specs/atlassian/jira-cloud/jira';
+export * from './specs/aws_lambda/aws_lambda';
 export * from './specs/brave_search/brave_search';
 export * from './specs/github/github';
 export * from './specs/google_calendar/google_calendar';

src/platform/packages/shared/kbn-connector-specs/src/auth_types/aws_credentials.ts

@@ -0,0 +1,271 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { z } from '@kbn/zod/v4';
+import type { AxiosInstance, InternalAxiosRequestConfig } from 'axios';
+import type { AuthContext, AuthTypeSpec } from '../connector_spec';
+import * as i18n from './translations';
+
+// ============================================================================
+// SigV4 Signing Utilities
+// ============================================================================
+
+const EMPTY_BODY_SHA256 = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';
+
+async function sha256Hash(message: string): Promise<string> {
+  const textEncoder = new TextEncoder();
+  const data = textEncoder.encode(message);
+  const hashBuffer = await crypto.subtle.digest('SHA-256', data);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  return hashArray.map((b) => b.toString(16).padStart(2, '0')).join('');
+}
+
+async function hmacSha256(key: BufferSource, message: string): Promise<ArrayBuffer> {
+  const textEncoder = new TextEncoder();
+  const messageData = textEncoder.encode(message);
+
+  const cryptoKey = await crypto.subtle.importKey(
+    'raw',
+    key,
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign']
+  );
+
+  return await crypto.subtle.sign('HMAC', cryptoKey, messageData);
+}
+
+async function calculateSignature(
+  secretAccessKey: string,
+  dateStamp: string,
+  region: string,
+  service: string,
+  stringToSign: string
+): Promise<string> {
+  const textEncoder = new TextEncoder();
+
+  const kDate = await hmacSha256(textEncoder.encode('AWS4' + secretAccessKey), dateStamp);
+  const kRegion = await hmacSha256(kDate, region);
+  const kService = await hmacSha256(kRegion, service);
+  const kSigning = await hmacSha256(kService, 'aws4_request');
+  const signature = await hmacSha256(kSigning, stringToSign);
+
+  const signatureArray = Array.from(new Uint8Array(signature));
+  return signatureArray.map((b) => b.toString(16).padStart(2, '0')).join('');
+}
+
+/**
+ * Parse an AWS hostname into service and region.
+ * Supports: {service}.{region}.amazonaws.com
+ */
+function parseAwsHost(hostname: string): { service: string; region: string } | null {
+  if (!hostname.endsWith('.amazonaws.com')) {
+    return null;
+  }
+  const parts = hostname.replace('.amazonaws.com', '').split('.');
+  if (parts.length < 2) {
+    return null;
+  }
+  return { service: parts[0], region: parts[1] };
+}
+
+/**
+ * Sign an AWS request with SigV4.
+ * Automatically collects x-amz-* headers for signing (AWS requires them signed).
+ */
+async function signRequest(
+  method: string,
+  host: string,
+  path: string,
+  queryParams: Record<string, string>,
+  accessKeyId: string,
+  secretAccessKey: string,
+  region: string,
+  service: string,
+  existingHeaders: Record<string, string>,
+  body?: string
+): Promise<Record<string, string>> {
+  const algorithm = 'AWS4-HMAC-SHA256';
+  const now = new Date();
+  const dateStamp = now.toISOString().split('T')[0].replace(/-/g, '');
+  const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, '');
+
+  const sortedParams = Object.keys(queryParams).sort();
+  const canonicalQuerystring = sortedParams
+    .map((key) => `${encodeURIComponent(key)}=${encodeURIComponent(queryParams[key])}`)
+    .join('&');
+
+  const hasBody = body !== undefined && body !== '';
+  const payloadHash = hasBody ? await sha256Hash(body) : EMPTY_BODY_SHA256;
+
+  // Build canonical headers: host + content-type (if body) + x-amz-date + any existing x-amz-* headers
+  const headersToSign: Record<string, string> = {
+    host,
+    'x-amz-date': amzDate,
+  };
+
+  if (hasBody) {
+    headersToSign['content-type'] = 'application/json';
+  }
+
+  // Include any x-amz-* headers set by the action handler (AWS requires them signed)
+  for (const [key, value] of Object.entries(existingHeaders)) {
+    const lowerKey = key.toLowerCase();
+    if (lowerKey.startsWith('x-amz-') && lowerKey !== 'x-amz-date') {
+      headersToSign[lowerKey] = value;
+    }
+  }
+
+  const sortedHeaderKeys = Object.keys(headersToSign).sort();
+  const canonicalHeaders = sortedHeaderKeys.map((k) => `${k}:${headersToSign[k]}\n`).join('');
+  const signedHeaders = sortedHeaderKeys.join(';');
+
+  const canonicalRequest = [
+    method,
+    path,
+    canonicalQuerystring,
+    canonicalHeaders,
+    signedHeaders,
+    payloadHash,
+  ].join('\n');
+
+  const canonicalRequestHash = await sha256Hash(canonicalRequest);
+  const credentialScope = `${dateStamp}/${region}/${service}/aws4_request`;
+  const stringToSign = [algorithm, amzDate, credentialScope, canonicalRequestHash].join('\n');
+
+  const signature = await calculateSignature(
+    secretAccessKey,
+    dateStamp,
+    region,
+    service,
+    stringToSign
+  );
+
+  const authorizationHeader = `${algorithm} Credential=${accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
+
+  const result: Record<string, string> = {
+    Host: host,
+    'X-Amz-Date': amzDate,
+    Authorization: authorizationHeader,
+  };
+
+  if (hasBody) {
+    result['Content-Type'] = 'application/json';
+  }
+
+  return result;
+}
+
+// ============================================================================
+// Auth Type Definition
+// ============================================================================
+
+const authSchema = z
+  .object({
+    accessKeyId: z
+      .string()
+      .min(1, { message: i18n.AWS_ACCESS_KEY_ID_REQUIRED_MESSAGE })
+      .meta({ sensitive: true, label: i18n.AWS_ACCESS_KEY_ID_LABEL }),
+    secretAccessKey: z
+      .string()
+      .min(1, { message: i18n.AWS_SECRET_ACCESS_KEY_REQUIRED_MESSAGE })
+      .meta({ sensitive: true, label: i18n.AWS_SECRET_ACCESS_KEY_LABEL }),
+  })
+  .meta({ label: i18n.AWS_CREDENTIALS_LABEL });
+
+type AuthSchemaType = z.infer<typeof authSchema>;
+
+/**
+ * AWS Credentials Authentication (SigV4)
+ *
+ * Adds a request interceptor that automatically signs every outgoing request
+ * to *.amazonaws.com with AWS Signature V4. Non-AWS URLs pass through unsigned.
+ *
+ * Service and region are extracted from the URL hostname pattern:
+ *   {service}.{region}.amazonaws.com
+ *
+ * Use for: Lambda, S3, EC2, SES, and any other AWS service.
+ */
+export const AwsCredentialsAuth: AuthTypeSpec<AuthSchemaType> = {
+  id: 'aws_credentials',
+  schema: authSchema,
+  configure: async (
+    _: AuthContext,
+    axiosInstance: AxiosInstance,
+    secret: AuthSchemaType
+  ): Promise<AxiosInstance> => {
+    const { accessKeyId, secretAccessKey } = secret;
+
+    axiosInstance.interceptors.request.use(
+      async (config: InternalAxiosRequestConfig): Promise<InternalAxiosRequestConfig> => {
+        const requestUrl = config.url;
+        if (!requestUrl) {
+          return config;
+        }
+
+        // Resolve full URL (handles relative URLs with baseURL)
+        const fullUrl =
+          config.baseURL && !requestUrl.startsWith('http')
+            ? new URL(requestUrl, config.baseURL)
+            : new URL(requestUrl);
+
+        const awsInfo = parseAwsHost(fullUrl.hostname);
+        if (!awsInfo) {
+          return config;
+        }
+
+        const method = (config.method || 'GET').toUpperCase();
+        const path = fullUrl.pathname;
+        const queryParams: Record<string, string> = {};
+        fullUrl.searchParams.forEach((value, key) => {
+          queryParams[key] = value;
+        });
+
+        const body =
+          typeof config.data === 'string'
+            ? config.data
+            : config.data != null
+            ? JSON.stringify(config.data)
+            : undefined;
+
+        // Collect existing headers for signing
+        const existingHeaders: Record<string, string> = {};
+        if (config.headers) {
+          for (const [key, value] of Object.entries(config.headers.toJSON())) {
+            if (typeof value === 'string') {
+              existingHeaders[key] = value;
+            }
+          }
+        }
+
+        const sigV4Headers = await signRequest(
+          method,
+          fullUrl.hostname,
+          path,
+          queryParams,
+          accessKeyId,
+          secretAccessKey,
+          awsInfo.region,
+          awsInfo.service,
+          existingHeaders,
+          body
+        );
+
+        // Apply signed headers to the request
+        for (const [key, value] of Object.entries(sigV4Headers)) {
+          config.headers.set(key, value);
+        }
+
+        return config;
+      }
+    );
+
+    return axiosInstance;
+  },
+};

src/platform/packages/shared/kbn-connector-specs/src/auth_types/translations.ts

@@ -166,3 +166,35 @@ export const PFX_AUTH_VERIFICATION_MODE_LABEL = i18n.translate(
     defaultMessage: 'Verification mode',
   }
 );
+
+export const AWS_CREDENTIALS_LABEL = i18n.translate('connectorSpecs.awsCredentials.label', {
+  defaultMessage: 'AWS Credentials',
+});
+
+export const AWS_ACCESS_KEY_ID_LABEL = i18n.translate(
+  'connectorSpecs.awsCredentials.accessKeyId.label',
+  {
+    defaultMessage: 'Access Key ID',
+  }
+);
+
+export const AWS_ACCESS_KEY_ID_REQUIRED_MESSAGE = i18n.translate(
+  'connectorSpecs.awsCredentials.accessKeyId.requiredMessage',
+  {
+    defaultMessage: 'Access Key ID is required',
+  }
+);
+
+export const AWS_SECRET_ACCESS_KEY_LABEL = i18n.translate(
+  'connectorSpecs.awsCredentials.secretAccessKey.label',
+  {
+    defaultMessage: 'Secret Access Key',
+  }
+);
+
+export const AWS_SECRET_ACCESS_KEY_REQUIRED_MESSAGE = i18n.translate(
+  'connectorSpecs.awsCredentials.secretAccessKey.requiredMessage',
+  {
+    defaultMessage: 'Secret Access Key is required',
+  }
+);

src/platform/packages/shared/kbn-connector-specs/src/connector_icons_map.ts

@@ -132,4 +132,8 @@ export const ConnectorIconsMap: Map<
         import(/* webpackChunkName: "connectorIconGoogleCalendar" */ './specs/google_calendar/icon')
     ),
   ],
+  [
+    '.aws_lambda',
+    lazy(() => import(/* webpackChunkName: "connectorIconAwsLambda" */ './specs/aws_lambda/icon')),
+  ],
 ]);

src/platform/packages/shared/kbn-connector-specs/src/connector_spec.ts

@@ -106,7 +106,6 @@ export type NormalizedAuthType = AuthTypeSpec<Record<string, unknown>>;
 // ============================================================================
 // - OAuth2 (clientId, clientSecret, token refresh)
 // - SSL/mTLS (certificate-based authentication)
-// - AWS SigV4 (AWS service authentication)
 // - Custom (connector-specific auth flows)
 
 // ============================================================================