Step Functions Should Have Logging Enabled
More Info:
Ensure Step Functions Have Logging EnabledRisk Level
InformationalAddress
Security, Operational MaturityCompliance Standards
CBP,GDPR,HIPAA,ISO27001,SEBITriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of Step Functions not having logging enabled for AWS Lambda using the AWS console, follow these steps:
- Login to AWS Console: Go to the AWS Management Console and login with your credentials.
- Navigate to Step Functions: In the AWS Management Console, navigate to the Step Functions service by either typing “Step Functions” in the search bar or locating it under the “Services” dropdown menu.
- Select the Step Function: Click on the Step Function that is associated with the AWS Lambda function for which you want to enable logging.
- Edit the State: In the Step Function’s graphical representation, find the state that invokes the AWS Lambda function. Click on that state to edit its configuration.
- Enable Logging: Look for an option to enable logging for the state. This option is usually found in the configuration settings of the state. Enable the logging option and configure the desired log settings such as log level, log format, and log destination.
- Save the Changes: After enabling logging and configuring the settings, save the changes to update the state configuration.
- Test the Step Function: Run a test on the Step Function to ensure that logging is now enabled for the AWS Lambda function.
Using CLI
Using CLI
To remediate the misconfiguration of Step Functions not having logging enabled for AWS Lambda using AWS CLI, follow these steps:
- Open your terminal and ensure you have the AWS CLI installed and configured with the necessary permissions to make changes to Step Functions and Lambda functions.
-
Enable logging for your Step Functions by updating the state machine using the AWS CLI command
update-state-machine. ReplaceSTATE_MACHINE_ARNwith the ARN of your Step Function andLOGGING_ARNwith the ARN of the CloudWatch Logs group where you want to store the logs.
- Next, you need to update your Lambda function to ensure that it sends logs to CloudWatch Logs. Update the Lambda function configuration using the AWS CLI command
update-function-configuration. ReplaceFUNCTION_NAMEwith the name of your Lambda function.
- Verify that the logging configuration has been successfully updated for both the Step Function and the Lambda function by checking the respective configurations in the AWS Management Console or by using the AWS CLI commands
describe-state-machineandget-function-configuration.
Using Python
Using Python
To remediate the misconfiguration of Step Functions not having logging enabled for AWS Lambda using Python, follow these steps:Replace
- Open the AWS Management Console and navigate to the Step Functions service.
- Click on the Step Function that needs to have logging enabled.
- Click on the “Edit” button to modify the state machine.
- In the state machine definition, add a new field called “LoggingConfiguration” with the desired logging configuration. Here is an example of how you can add logging using Python:
REGION, ACCOUNT_ID, and FUNCTION_NAME with your specific values.- Click on the “Save” button to save the changes to the state machine.
- Test the state machine to ensure that logging is now enabled for the AWS Lambda function.
LoggingConfiguration field to the state machine definition, you can remediate the misconfiguration of Step Functions not having logging enabled for AWS Lambda using Python.