Description:

AWS Lambda: AWS Lambda is a serverless computing technology that allows you to run code without provisioning or managing servers. AWS Lambda executes code only when needed and scales automatically.

CloudTrail: AWS CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. 


Rationale:

CloudTrail captures API calls for Lambda as events. The calls captured include calls from the Lambda console and code calls to the Lambda API operations. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon Simple Storage Service (Amazon S3) bucket, including events for Lambda.


Impact:

Using the information collected by CloudTrail, you can determine the API that was made to Lambda, the IP address from which the request was made, who made the request, when it was made, and additional details. 


Default:

CloudTrail is not created by default for Lambda functions. 

Pre-Requisite:

Lambda function

Remediation:

Test plan:

  • AWS Console Process

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/home/.

  2. In the navigation pane, choose Event history

    A filtered list of events appears in the content pane with the latest event first. Scroll down to see more events. 

  3. Click on Trails.

  4. Check any Trail is created for Lambda functions. 

Using AWS CLI

  1. Using the below command, we can get the list of trails in cloud trail.


aws cloudtrail list-trails
  --region us-east-1
  --query 'Trails[*].Name'

  2. Using the below command, we can get the events attached to the trail .

aws cloudtrail get-event-selectors
  --region us-east-1
  --trail-name <trail-name> 
  --query 'EventSelectors[*].DataResources[{"Type": "AWS::Lambda::Function"]'

Implementation Plan:

  • AWS Console Process

  • Creating new trail

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. On the CloudTrail service home page, the Trails page, or the Trails section of the Dashboard page, choose Create trail.

  3. On the Create Trail page, for Trail name, type a name for your trail.
  4.  For Storage location, choose Create new S3 bucket to create a bucket. When you create a bucket, CloudTrail creates and applies the required bucket policies. 
  5. For Log file SSE-KMS encryption, choose Enabled if you want to encrypt your log files with SSE-KMS instead of SSE-S3. The default is Enabled 
  6. For Data events, you can specify logging data events for Amazon S3 buckets, AWS Lambda functions, Amazon DynamoDB tables, or a combination of these resource types. By default, trails don't log data events. Additional charges apply for logging data events.  
  7. For Lambda functions:

    1. For Data event source, choose Lambda.

    2. In Lambda function, choose All regions to log all Lambda functions, or Input function as ARN to log data events on a specific function.

      To log data events for all Lambda functions in your AWS account, select Log all current and future functions. This setting takes precedence over individual settings you configure for individual functions. All functions are logged, even if all functions are not displayed. 

  8. When you are finished choosing event types to log, choose Next.
  9. On the Review and create page, review your choices. Choose Edit in a section to change the trail settings shown in that section. When you are ready to create the trail, choose Create trail.


Update a trail

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. In the navigation pane, choose Trails, and then choose a trail name.

  3. In General details, choose Edit to change the settings. 

  4. In Data events, choose Edit to change data event logging settings.
  5. To add another data type on which to log data events, choose Add data event type.
  6. For Lambda functions:

    1. For Data event source, choose Lambda.

    2. In Lambda function, choose All regions to log all Lambda functions, or Input function as ARN to log data events on a specific function.

      To log data events for all Lambda functions in your AWS account, select Log all current and future functions.

  7. Scroll down, choose Update trail.


Using AWS CLI

 The following create-trail command creates a multi-region trail named Trail1 and specifies an S3 bucket:

aws cloudtrail create-trail --name Trail1 
--s3-bucket-name my-bucket 
--is-multi-region-trail

The following example creates an event selector for a trail named ''Trail1'' to include data events for a single AWS Lambda function named ''hello-world-python-function'': 

aws cloudtrail put-event-selectors 
--trail-name Trail1 
--event-selectors '["DataResources": [{"Type": "AWS::Lambda::Function","Values": ["arn:aws:lambda:us-west-2:999999999999:function:hello-world-python-function"]}]]'

Backout Plan:

  • AWS Console Process

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. Open the Trails page of the CloudTrail console.

  3. Choose the trail name.

  4. At the top of the trail details page, choose Delete.


  5. When you are prompted to confirm, choose Delete to delete the trail permanently. The trail is removed from the list of trails. Log files that were already delivered to the Amazon S3 bucket are not deleted.


Using AWS CLI

The following delete-trail command deletes a trail named Trail1:

aws cloudtrail delete-trail --name Trail1

Reference: