Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “CloudTrail should be enabled for AWS Lambda” in AWS, follow these steps:
- Go to the AWS Management Console and log in to your account.
- Open the AWS Lambda console.
- Select the function for which you want to enable CloudTrail.
- Click on the “Configuration” tab.
- Scroll down to the “Advanced settings” section and click on “Edit”.
- In the “CloudWatch Logs” section, select “Enable CloudWatch Logs”.
- In the “CloudTrail” section, select “Enable CloudTrail logs”.
- Choose the S3 bucket where you want to store the CloudTrail logs.
- Click on “Save”.
Using CLI
To remediate the misconfiguration of CloudTrail not being enabled for AWS Lambda in AWS using the AWS CLI, follow these steps:
- Open your terminal and ensure that you have the AWS CLI installed and configured with your AWS account credentials.
- Run the following command to enable CloudTrail for AWS Lambda. Replace <function-name> with the name of the AWS Lambda function for which you want to enable CloudTrail.
- Verify that CloudTrail is enabled for the Lambda function by running the following command. This should return a JSON object that includes the TracingConfig key with a value of {"Mode": "Active"}.
- Repeat the above steps for all other AWS Lambda functions in your account to ensure that CloudTrail is enabled for them as well.
Using Python
To remediate the misconfiguration of CloudTrail not being enabled for AWS Lambda in AWS, follow the steps below using Python. These steps will enable CloudTrail for the AWS Lambda function and ensure that logs are being captured.
- Import the boto3 library to interact with AWS resources using Python.
- Create a boto3 client for AWS Lambda and CloudTrail.
- Get the ARN of the existing CloudTrail trail.
- Create a new CloudTrail trail if one does not exist.
- Check if CloudTrail is enabled for the AWS Lambda function.
- If CloudTrail is not enabled for the AWS Lambda function, enable it by adding the CloudWatch log group ARN to the CloudTrail trail.
- Verify that CloudTrail is now enabled for the AWS Lambda function.
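A worked version of the steps above, added here as an example and not code from the original page. It uses boto3 to look up the function's ARN, find the named trail or create one if it is missing, and add the function to the trail's data event selectors (Type AWS::Lambda::Function), which is the mechanism CloudTrail uses to record Lambda Invoke activity. It takes that route rather than the CloudWatch log group route the step above mentions: a trail's CloudWatchLogsLogGroupArn setting delivers trail events to CloudWatch Logs and does not make CloudTrail record a function's activity. The function name, trail name, bucket name and ARNs are placeholders; the IAM permissions and the S3 bucket policy for a newly created trail are assumptions, and the selector helpers are pure functions so the logic can be checked offline.

```python
"""Enable CloudTrail data-event logging for one Lambda function (boto3).

Added example; function, trail, bucket names and ARNs are placeholders.
"""
from __future__ import annotations

import copy
import sys

try:
    import boto3  # needed only for the live AWS calls in remediate()
except ImportError:  # the selector helpers stay usable (and testable) without boto3
    boto3 = None

LAMBDA_DATA_TYPE = "AWS::Lambda::Function"
ALL_LAMBDA_FUNCTIONS = "arn:aws:lambda"  # wildcard value CloudTrail accepts for every function


def lambda_covered_by(event_selectors: list[dict], function_arn: str) -> bool:
    """True if some selector's DataResources already record this function's invocations."""
    for selector in event_selectors:
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != LAMBDA_DATA_TYPE:
                continue
            if any(v in (ALL_LAMBDA_FUNCTIONS, function_arn) for v in resource.get("Values", [])):
                return True
    return False


def add_lambda_selector(event_selectors: list[dict], function_arn: str) -> list[dict]:
    """Return a copy of the selectors that also records function_arn (idempotent).

    Extends an existing AWS::Lambda::Function data resource when there is one,
    otherwise appends a new selector that keeps management events switched on.
    """
    updated = copy.deepcopy(event_selectors)  # never mutate the caller's list
    if lambda_covered_by(updated, function_arn):
        return updated
    for selector in updated:
        for resource in selector.get("DataResources", []):
            if resource.get("Type") == LAMBDA_DATA_TYPE:
                resource.setdefault("Values", []).append(function_arn)
                return updated
    updated.append({
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        "DataResources": [{"Type": LAMBDA_DATA_TYPE, "Values": [function_arn]}],
    })
    return updated


def remediate(function_name: str, trail_name: str,
              bucket_for_new_trail: str | None = None,
              region: str | None = None) -> dict:
    """Find or create the trail, add the function to it, then read the result back.

    Assumes (not verified here) credentials allowed to call
    lambda:GetFunctionConfiguration and the cloudtrail Describe/Create/StartLogging/
    Get- and PutEventSelectors actions, and, when a trail must be created, an S3
    bucket whose policy already permits CloudTrail to write to it.
    """
    lambda_client = boto3.client("lambda", region_name=region)
    trail_client = boto3.client("cloudtrail", region_name=region)

    function_arn = lambda_client.get_function_configuration(
        FunctionName=function_name)["FunctionArn"]

    trails = trail_client.describe_trails(trailNameList=[trail_name])["trailList"]
    if not trails:
        if bucket_for_new_trail is None:
            raise ValueError(f"no trail named {trail_name!r}; pass bucket_for_new_trail to create one")
        trail_client.create_trail(Name=trail_name, S3BucketName=bucket_for_new_trail,
                                  IsMultiRegionTrail=True)
        trail_client.start_logging(Name=trail_name)  # a created trail does not log until started

    # Basic event selectors only: a trail configured with AdvancedEventSelectors
    # returns no EventSelectors here, and put_event_selectors would replace them.
    current = trail_client.get_event_selectors(TrailName=trail_name).get("EventSelectors", [])
    if lambda_covered_by(current, function_arn):
        return {"function_arn": function_arn, "trail": trail_name, "changed": False}

    trail_client.put_event_selectors(TrailName=trail_name,
                                     EventSelectors=add_lambda_selector(current, function_arn))

    # Verify by reading the selectors back rather than trusting the write.
    after = trail_client.get_event_selectors(TrailName=trail_name).get("EventSelectors", [])
    if not lambda_covered_by(after, function_arn):
        raise RuntimeError(f"{function_arn} is still not covered by trail {trail_name}")
    return {"function_arn": function_arn, "trail": trail_name, "changed": True}


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: enable_lambda_cloudtrail.py <function-name> <trail-name> [<s3-bucket-for-new-trail>]")
    print(remediate(sys.argv[1], sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else None))
```

Two points worth checking before running this against an account: put_event_selectors on a multi-region trail must be called in the trail's home region, and a trail already using advanced event selectors should be updated with those instead, since writing basic selectors replaces them. Passing the wildcard value arn:aws:lambda instead of one function ARN covers every function in the account, which avoids repeating the last step per function.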