AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Step Functions Should Have Logging Enabled
More Info:
Ensure Step Functions Have Logging Enabled
Risk Level
Informational
Address
Security, Operational Maturity
Compliance Standards
CBP,GDPR,HIPAA,ISO27001,SEBI
Triage and Remediation
Remediation
To remediate the misconfiguration of Step Functions not having logging enabled for AWS Lambda using the AWS console, follow these steps:
-
Login to AWS Console: Go to the AWS Management Console and login with your credentials.
-
Navigate to Step Functions: In the AWS Management Console, navigate to the Step Functions service by either typing “Step Functions” in the search bar or locating it under the “Services” dropdown menu.
-
Select the Step Function: Click on the Step Function that is associated with the AWS Lambda function for which you want to enable logging.
-
Edit the State: In the Step Function’s graphical representation, find the state that invokes the AWS Lambda function. Click on that state to edit its configuration.
-
Enable Logging: Look for an option to enable logging for the state. This option is usually found in the configuration settings of the state. Enable the logging option and configure the desired log settings such as log level, log format, and log destination.
-
Save the Changes: After enabling logging and configuring the settings, save the changes to update the state configuration.
-
Test the Step Function: Run a test on the Step Function to ensure that logging is now enabled for the AWS Lambda function.
By following these steps, you will successfully remediate the misconfiguration of Step Functions not having logging enabled for AWS Lambda using the AWS console.
To remediate the misconfiguration of Step Functions not having logging enabled for AWS Lambda using AWS CLI, follow these steps:
-
Open your terminal and ensure you have the AWS CLI installed and configured with the necessary permissions to make changes to Step Functions and Lambda functions.
-
Enable logging for your Step Functions by updating the state machine using the AWS CLI command
update-state-machine. ReplaceSTATE_MACHINE_ARNwith the ARN of your Step Function andLOGGING_ARNwith the ARN of the CloudWatch Logs group where you want to store the logs.
aws stepfunctions update-state-machine --state-machine-arn STATE_MACHINE_ARN --logging-configuration "{ 'level': 'ALL', 'includeExecutionData': true, 'destinations': [{ 'cloudWatchLogsLogGroup': { 'logGroupArn': 'LOGGING_ARN' } }]}"
- Next, you need to update your Lambda function to ensure that it sends logs to CloudWatch Logs. Update the Lambda function configuration using the AWS CLI command
update-function-configuration. ReplaceFUNCTION_NAMEwith the name of your Lambda function.
aws lambda update-function-configuration --function-name FUNCTION_NAME --cli-connect-timeout 60 --cli-read-timeout 60 --logging-config "{ 'logGroupName': 'LOGGING_ARN', 'logType': 'Tail' }"
- Verify that the logging configuration has been successfully updated for both the Step Function and the Lambda function by checking the respective configurations in the AWS Management Console or by using the AWS CLI commands
describe-state-machineandget-function-configuration.
By following these steps, you can remediate the misconfiguration of Step Functions not having logging enabled for AWS Lambda using AWS CLI.
To remediate the misconfiguration of Step Functions not having logging enabled for AWS Lambda using Python, follow these steps:
- Open the AWS Management Console and navigate to the Step Functions service.
- Click on the Step Function that needs to have logging enabled.
- Click on the “Edit” button to modify the state machine.
- In the state machine definition, add a new field called “LoggingConfiguration” with the desired logging configuration. Here is an example of how you can add logging using Python:
{
"Comment": "A simple AWS Step Functions state machine that logs execution history",
"StartAt": "HelloWorld",
"States": {
"HelloWorld": {
"Type": "Task",
"Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME",
"End": true
}
},
"LoggingConfiguration": {
"Level": "ALL"
}
}
Replace REGION, ACCOUNT_ID, and FUNCTION_NAME with your specific values.
- Click on the “Save” button to save the changes to the state machine.
- Test the state machine to ensure that logging is now enabled for the AWS Lambda function.
By following these steps and adding the LoggingConfiguration field to the state machine definition, you can remediate the misconfiguration of Step Functions not having logging enabled for AWS Lambda using Python.