CloudTrail Should Be Enabled For AWS Lambda
More Info:
CloudTrail captures API calls for AWS Lambda as events. The calls captured include calls from the AWS Lambda console and code calls to the AWS Lambda API operations.
Risk Level
Low
Address
Operational Maturity, Security
Compliance Standards
AWSWAF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration “CloudTrail should be enabled for AWS Lambda” in AWS, follow these steps:
- Go to the AWS Management Console and log in to your account.
- Open the AWS Lambda console.
- Select the function for which you want to enable CloudTrail.
- Click on the “Configuration” tab.
- Scroll down to the “Advanced settings” section and click on “Edit”.
- In the “CloudWatch Logs” section, select “Enable CloudWatch Logs”.
- In the “CloudTrail” section, select “Enable CloudTrail logs”.
- Choose the S3 bucket where you want to store the CloudTrail logs.
- Click on “Save”.
Once you complete these steps, CloudTrail will be enabled for AWS Lambda and the logs will be saved to the specified S3 bucket. This will help you to monitor and audit the actions performed on your AWS Lambda functions, which is important for security and compliance purposes.
To remediate the misconfiguration of CloudTrail not being enabled for AWS Lambda in AWS using AWS CLI, follow these steps:
- Open your terminal and ensure that you have AWS CLI installed and configured with your AWS account credentials.
- Run the following command to enable CloudTrail for AWS Lambda:
aws lambda update-function-configuration --function-name <function-name> --tracing-config Mode=Active
Replace <function-name> with the name of the AWS Lambda function for which you want to enable CloudTrail.
- Verify that CloudTrail is enabled for the Lambda function by running the following command:
aws lambda get-function-configuration --function-name <function-name>
This should return a JSON object that includes the TracingConfig key with a value of {"Mode": "Active"}.
- Repeat the above steps for all other AWS Lambda functions in your account to ensure that CloudTrail is enabled for them as well.
By following these steps, you can remediate the misconfiguration of CloudTrail not being enabled for AWS Lambda in AWS using AWS CLI.
To remediate the misconfiguration of CloudTrail not being enabled for AWS Lambda in AWS, follow the steps below using Python:
- Import the boto3 library to interact with AWS resources using Python.
import boto3
- Create a boto3 client for AWS Lambda and CloudTrail.
lambda_client = boto3.client('lambda')
cloudtrail_client = boto3.client('cloudtrail')
- Get the ARN of the existing CloudTrail trail.
# describe_trails() returns an empty trailList when no trail exists, so guard the index
trails = cloudtrail_client.describe_trails()['trailList']
trail = trails[0] if trails else None
- Create a new CloudTrail trail if one does not exist.
if trail is None:
    # S3BucketName is required; the bucket must already exist and carry a CloudTrail bucket policy
    cloudtrail_client.create_trail(Name='MyCloudTrail', S3BucketName='<cloudtrail-logs-bucket>')
    cloudtrail_client.start_logging(Name='MyCloudTrail')  # a new trail does not record events until started
    trail = cloudtrail_client.describe_trails(trailNameList=['MyCloudTrail'])['trailList'][0]
trail_name = trail['Name']
- Check if CloudTrail is enabled for the AWS Lambda function.
lambda_function_name = 'MyLambdaFunction'
response = lambda_client.get_function_configuration(FunctionName=lambda_function_name)
cloud_watch_logs_arn = response.get('CloudWatchLogsLogGroupArn')
# Compare the log group ARN the trail delivers to with the function's log group ARN (exact match, not substring)
cloudtrail_enabled = bool(cloud_watch_logs_arn) and trail.get('CloudWatchLogsLogGroupArn') == cloud_watch_logs_arn
if not cloudtrail_enabled:
    print(f'CloudTrail is not enabled for Lambda function {lambda_function_name}')
- If CloudTrail is not enabled for the AWS Lambda function, enable it by adding the CloudWatch log group ARN to the CloudTrail trail.
if cloud_watch_logs_arn and not cloudtrail_enabled:
    cloudtrail_client.update_trail(
        Name=trail_name,
        CloudWatchLogsLogGroupArn=cloud_watch_logs_arn,
        # IAM role that lets CloudTrail write to the log group; replace the account ID and role name
        CloudWatchLogsRoleArn='arn:aws:iam::123456789012:role/MyCloudTrailRole'
    )
- Verify that CloudTrail is now enabled for the AWS Lambda function.
trail = cloudtrail_client.describe_trails(trailNameList=[trail_name])['trailList'][0]
if cloud_watch_logs_arn and trail.get('CloudWatchLogsLogGroupArn') == cloud_watch_logs_arn:
    print(f'CloudTrail is enabled for Lambda function {lambda_function_name}')
else:
    print(f'CloudTrail is not enabled for Lambda function {lambda_function_name}')
These steps will enable CloudTrail for the AWS Lambda function and ensure that logs are being captured.
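As an added example (not code from this page or from AWS), the following offline check evaluates a trail's event-selector configuration, in the shape returned by boto3's cloudtrail.get_event_selectors(), to tell whether a given Lambda function's management events and Invoke data events would be recorded. It goes beyond the page by handling both classic and advanced event selectors; the selector dicts, account ID and function ARNs are constructed samples.

```python
"""Added check: does a CloudTrail trail's event-selector configuration capture
AWS Lambda activity (management events, plus Invoke data events for a function)?
Input shape is assumed to match boto3 cloudtrail.get_event_selectors(); samples are constructed."""

LAMBDA_TYPE = "AWS::Lambda::Function"

def _basic(selectors, function_arn):
    """Classic event selectors: IncludeManagementEvents plus DataResources."""
    mgmt = data = False
    for sel in selectors:
        if sel.get("ReadWriteType", "All") == "ReadOnly":
            continue  # Invoke and UpdateFunctionCode are write events, so ReadOnly never covers them
        mgmt = mgmt or sel.get("IncludeManagementEvents", True)
        for res in sel.get("DataResources", []):
            # the value "arn:aws:lambda" selects every function; otherwise it is an exact ARN
            if res.get("Type") == LAMBDA_TYPE and any(
                    v in ("arn:aws:lambda", function_arn) for v in res.get("Values", [])):
                data = True
    return mgmt, data

def _advanced(selectors, function_arn):
    """Advanced event selectors: FieldSelectors keyed by Field name."""
    mgmt = data = False
    for sel in selectors:
        f = {fs["Field"]: fs for fs in sel.get("FieldSelectors", [])}
        if f.get("readOnly", {}).get("Equals") == ["true"]:
            continue
        cat = f.get("eventCategory", {}).get("Equals", [])
        mgmt = mgmt or "Management" in cat
        if "Data" in cat and LAMBDA_TYPE in f.get("resources.type", {}).get("Equals", []):
            arn = f.get("resources.ARN")  # absent means every function of that type
            if arn is None or function_arn in arn.get("Equals", []) or any(
                    function_arn.startswith(p) for p in arn.get("StartsWith", [])):
                data = True
    return mgmt, data

def lambda_coverage(response, function_arn):
    """Return {'management': bool, 'data': bool} for one Lambda function ARN."""
    m1, d1 = _basic(response.get("EventSelectors", []), function_arn)
    m2, d2 = _advanced(response.get("AdvancedEventSelectors", []), function_arn)
    return {"management": m1 or m2, "data": d1 or d2}

# Constructed samples: a trail logging management events only, and one that also
# logs Invoke data events for every function in (made-up) account 111122223333.
MGMT_ONLY = {"EventSelectors": [{"IncludeManagementEvents": True, "DataResources": []}]}
WITH_DATA = {"AdvancedEventSelectors": [
    {"FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]},
    {"FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]},
                        {"Field": "resources.type", "Equals": [LAMBDA_TYPE]},
                        {"Field": "resources.ARN", "StartsWith": ["arn:aws:lambda:us-east-1:111122223333:function/"]}]}]}
```

A trail that only reports management events still misses Invoke calls, which is why both flags are returned separately.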