CloudTrail Should Be Enabled For AWS Lambda

More Info:

CloudTrail captures API calls for AWS Lambda as events. The calls captured include calls from the AWS Lambda console and code calls to the AWS Lambda API operations.

Risk Level

Low

Address

Operational Maturity, Security

Compliance Standards

AWSWAF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of CloudTrail not being enabled for AWS Lambda in AWS using AWS CLI, follow these steps:

Open your terminal and ensure that you have AWS CLI installed and configured with your AWS account credentials.
Run the following command to enable CloudTrail for AWS Lambda:

aws lambda update-function-configuration --function-name <function-name> --tracing-config Mode=Active

Replace <function-name> with the name of the AWS Lambda function for which you want to enable CloudTrail.

Verify that CloudTrail is enabled for the Lambda function by running the following command:

aws lambda get-function-configuration --function-name <function-name>

This should return a JSON object that includes the TracingConfig key with a value of {"Mode": "Active"}.

Repeat the above steps for all other AWS Lambda functions in your account to ensure that CloudTrail is enabled for them as well.

By following these steps, you can remediate the misconfiguration of CloudTrail not being enabled for AWS Lambda in AWS using AWS CLI.

Using Python

To remediate the misconfiguration of CloudTrail not being enabled for AWS Lambda in AWS, you can follow the below steps using Python:

Import the boto3 library to interact with AWS resources using Python.

import boto3

Create a boto3 client for AWS Lambda and CloudTrail.

lambda_client = boto3.client('lambda')
cloudtrail_client = boto3.client('cloudtrail')

Get the ARN of the existing CloudTrail trail.

trail_arn = cloudtrail_client.describe_trails()['trailList'][0]['TrailARN']

Create a new CloudTrail trail if one does not exist.

if not trail_arn:
    cloudtrail_client.create_trail(Name='MyCloudTrail')
    trail_arn = cloudtrail_client.describe_trails()['trailList'][0]['TrailARN']

Check if CloudTrail is enabled for the AWS Lambda function.

lambda_function_name = 'MyLambdaFunction'
response = lambda_client.get_function_configuration(FunctionName=lambda_function_name)

if 'CloudWatchLogsLogGroupArn' in response:
    cloud_watch_logs_arn = response['CloudWatchLogsLogGroupArn']
    if cloud_watch_logs_arn not in trail_arn:
        cloudtrail_client.update_trail(
            Name='MyCloudTrail',
            CloudWatchLogsLogGroupArn=cloud_watch_logs_arn,
            CloudWatchLogsRoleArn='arn:aws:iam::123456789012:role/MyCloudTrailRole'
        )
else:
    print(f'CloudTrail is not enabled for Lambda function {lambda_function_name}')

If CloudTrail is not enabled for the AWS Lambda function, enable it by adding the CloudWatch log group ARN to the CloudTrail trail.

lambda_function_name = 'MyLambdaFunction'
response = lambda_client.get_function_configuration(FunctionName=lambda_function_name)

if 'CloudWatchLogsLogGroupArn' in response:
    cloud_watch_logs_arn = response['CloudWatchLogsLogGroupArn']
    if cloud_watch_logs_arn not in trail_arn:
        cloudtrail_client.update_trail(
            Name='MyCloudTrail',
            CloudWatchLogsLogGroupArn=cloud_watch_logs_arn,
            CloudWatchLogsRoleArn='arn:aws:iam::123456789012:role/MyCloudTrailRole'
        )
else:
    print(f'CloudTrail is not enabled for Lambda function {lambda_function_name}')

Verify that CloudTrail is now enabled for the AWS Lambda function.

response = lambda_client.get_function_configuration(FunctionName=lambda_function_name)

if 'CloudWatchLogsLogGroupArn' in response:
    cloud_watch_logs_arn = response['CloudWatchLogsLogGroupArn']
    if cloud_watch_logs_arn in trail_arn:
        print(f'CloudTrail is enabled for Lambda function {lambda_function_name}')
else:
    print(f'CloudTrail is not enabled for Lambda function {lambda_function_name}')

These steps will enable CloudTrail for the AWS Lambda function and ensure that logs are being captured.

Additional Reading:

https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

CloudTrail Should Be Enabled For AWS Lambda

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: