More Info:

Ensure Step Functions Have Logging Enabled

Risk Level

Informational

Address

Security, Operational Maturity

Compliance Standards

CBP,GDPR,HIPAA,ISO27001,SEBI

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of Step Functions not having logging enabled for AWS Lambda using the AWS console, follow these steps:
  1. Login to AWS Console: Go to the AWS Management Console and login with your credentials.
  2. Navigate to Step Functions: In the AWS Management Console, navigate to the Step Functions service by either typing “Step Functions” in the search bar or locating it under the “Services” dropdown menu.
  3. Select the Step Function: Click on the Step Function that is associated with the AWS Lambda function for which you want to enable logging.
  4. Edit the State: In the Step Function’s graphical representation, find the state that invokes the AWS Lambda function. Click on that state to edit its configuration.
  5. Enable Logging: Look for an option to enable logging for the state. This option is usually found in the configuration settings of the state. Enable the logging option and configure the desired log settings such as log level, log format, and log destination.
  6. Save the Changes: After enabling logging and configuring the settings, save the changes to update the state configuration.
  7. Test the Step Function: Run a test on the Step Function to ensure that logging is now enabled for the AWS Lambda function.
By following these steps, you will successfully remediate the misconfiguration of Step Functions not having logging enabled for AWS Lambda using the AWS console.

To remediate the misconfiguration of Step Functions not having logging enabled for AWS Lambda using AWS CLI, follow these steps:
  1. Open your terminal and ensure you have the AWS CLI installed and configured with the necessary permissions to make changes to Step Functions and Lambda functions.
  2. Enable logging for your Step Functions by updating the state machine using the AWS CLI command update-state-machine. Replace STATE_MACHINE_ARN with the ARN of your Step Function and LOGGING_ARN with the ARN of the CloudWatch Logs group where you want to store the logs.
aws stepfunctions update-state-machine --state-machine-arn STATE_MACHINE_ARN --logging-configuration "{ 'level': 'ALL', 'includeExecutionData': true, 'destinations': [{ 'cloudWatchLogsLogGroup': { 'logGroupArn': 'LOGGING_ARN' } }]}"
  1. Next, you need to update your Lambda function to ensure that it sends logs to CloudWatch Logs. Update the Lambda function configuration using the AWS CLI command update-function-configuration. Replace FUNCTION_NAME with the name of your Lambda function.
aws lambda update-function-configuration --function-name FUNCTION_NAME --cli-connect-timeout 60 --cli-read-timeout 60 --logging-config "{ 'logGroupName': 'LOGGING_ARN', 'logType': 'Tail' }"
  1. Verify that the logging configuration has been successfully updated for both the Step Function and the Lambda function by checking the respective configurations in the AWS Management Console or by using the AWS CLI commands describe-state-machine and get-function-configuration.
By following these steps, you can remediate the misconfiguration of Step Functions not having logging enabled for AWS Lambda using AWS CLI.
To remediate the misconfiguration of Step Functions not having logging enabled for AWS Lambda using Python, follow these steps:
  1. Open the AWS Management Console and navigate to the Step Functions service.
  2. Click on the Step Function that needs to have logging enabled.
  3. Click on the “Edit” button to modify the state machine.
  4. In the state machine definition, add a new field called “LoggingConfiguration” with the desired logging configuration. Here is an example of how you can add logging using Python:
{
  "Comment": "A simple AWS Step Functions state machine that logs execution history",
  "StartAt": "HelloWorld",
  "States": {
    "HelloWorld": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME",
      "End": true
    }
  },
  "LoggingConfiguration": {
      "Level": "ALL"
  }
}
Replace REGION, ACCOUNT_ID, and FUNCTION_NAME with your specific values.
  1. Click on the “Save” button to save the changes to the state machine.
  2. Test the state machine to ensure that logging is now enabled for the AWS Lambda function.
By following these steps and adding the LoggingConfiguration field to the state machine definition, you can remediate the misconfiguration of Step Functions not having logging enabled for AWS Lambda using Python.