Description: 

AWS Lambda is a compute service that lets you run code without provisioning or managing servers. AWS Lambda executes your code only when needed and scales automatically, from a few requests per day to thousands per second. You pay only for the compute time you consume - there is no charge when your code is not running.

Rationale: 

AWS CloudTrail records API calls used within an AWS account, including calls made from the AWS Management Console, SDKs, command-line tools, and other AWS services. If you turn on data event logging, CloudTrail will also log function invocations, so you can see which identities are invoking the functions and the frequency of their invocations.

Impact:

One benefit of enabling CloudTrail for your AWS Lambda serverless functions is automation: you can set up notifications, messages, and alerts that trigger on configuration events in your AWS account. This means you can react to configuration errors and potential security risks as they are introduced.

Default Value:

By default, CloudTrail data events are not configured.


Pre-Requisite:

  1. Sign in as an admin or IAM user with the required permissions


Remediation:

Test Plan: 

  1. Sign in to the AWS Management Console

  2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/

  3. Go to Trails, Select the trail you want to examine

  4. Scroll down to find Data events


  5. If Lambda functions are not listed under Data events, Lambda API operations (including function invocations) are not being recorded by CloudTrail.


Using AWS CLI:

aws cloudtrail get-event-selectors --trail-name TrailName
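The CLI check above only prints the trail's selectors; deciding whether Lambda data events are actually enabled still has to be done by reading the output. The following script is an added example (not part of the original page or of any AWS tooling) that evaluates the JSON returned by `aws cloudtrail get-event-selectors --trail-name TrailName` and reports which Lambda resources are covered. It handles both selector formats CloudTrail can return: classic `EventSelectors` (as produced by the `put-event-selectors` command in the Implementation steps) and `AdvancedEventSelectors` (what the console writes when you use a log selector template). The three JSON documents are constructed samples; the trail ARN and account ID in them are placeholders.

```python
import json

# Constructed sample: output for a trail that records management events only.
# Lambda data events are NOT enabled here, so the check should flag it.
SAMPLE_NO_LAMBDA = json.dumps({
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/TrailName",
    "EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}
    ],
})

# Constructed sample: the same trail after remediation with classic event selectors.
# "arn:aws:lambda" as the only value means "all functions in this trail's regions".
SAMPLE_LAMBDA_CLASSIC = json.dumps({
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/TrailName",
    "EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True,
         "DataResources": [{"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"]}]}
    ],
})

# Constructed sample: a trail configured through advanced event selectors.
# CloudTrail then returns "AdvancedEventSelectors" instead of "EventSelectors".
SAMPLE_LAMBDA_ADVANCED = json.dumps({
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/TrailName",
    "AdvancedEventSelectors": [
        {"Name": "Lambda invocations",
         "FieldSelectors": [
             {"Field": "eventCategory", "Equals": ["Data"]},
             {"Field": "resources.type", "Equals": ["AWS::Lambda::Function"]},
         ]}
    ],
})


def lambda_data_event_scopes(get_event_selectors_json: str) -> list:
    """Return the Lambda ARN scopes for which data events are logged.

    An empty list means the trail does not record Lambda data events
    (the non-compliant state described in the Test Plan).
    """
    doc = json.loads(get_event_selectors_json)
    scopes = []

    # Classic selectors: look for a DataResources entry of type AWS::Lambda::Function.
    for selector in doc.get("EventSelectors", []):
        for resource in selector.get("DataResources", []):
            if resource.get("Type") == "AWS::Lambda::Function":
                scopes.extend(resource.get("Values", []))

    # Advanced selectors: a selector counts when it matches the Data category
    # AND the Lambda resource type. If no resources.ARN filter is present the
    # selector covers every function, which we record as "arn:aws:lambda".
    for advanced in doc.get("AdvancedEventSelectors", []):
        fields = {f.get("Field"): f for f in advanced.get("FieldSelectors", [])}
        category = fields.get("eventCategory", {}).get("Equals", [])
        rtype = fields.get("resources.type", {}).get("Equals", [])
        if "Data" not in category or "AWS::Lambda::Function" not in rtype:
            continue
        arn_filter = fields.get("resources.ARN", {})
        narrowed = arn_filter.get("Equals", []) + arn_filter.get("StartsWith", [])
        scopes.extend(narrowed if narrowed else ["arn:aws:lambda"])

    return scopes


def is_compliant(get_event_selectors_json: str) -> bool:
    """True when at least one Lambda data-event scope is configured on the trail."""
    return bool(lambda_data_event_scopes(get_event_selectors_json))


if __name__ == "__main__":
    # In practice, feed the real CLI output:
    #   aws cloudtrail get-event-selectors --trail-name TrailName --output json
    for label, sample in [("no lambda", SAMPLE_NO_LAMBDA),
                          ("classic", SAMPLE_LAMBDA_CLASSIC),
                          ("advanced", SAMPLE_LAMBDA_ADVANCED)]:
        verdict = "PASS" if is_compliant(sample) else "FAIL"
        print(f"{label:10s} {verdict} scopes={lambda_data_event_scopes(sample)}")
```

Note that a scope narrower than `arn:aws:lambda` (a single function ARN) still passes this check; if the control is meant to cover every function, compare the returned scopes against the full function inventory rather than only testing for a non-empty list.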


Implementation steps: 

  1. Sign in to the AWS Management Console

  2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/

  3. Go to Trails, Select the trail you want to modify

  4. Scroll down to Data events and click on the Edit button

  5. Click on Add data event type 

  6. Select Lambda as the event type, and choose the log selector template you want

  7. Click on the Save changes button.


Using AWS CLI:

aws cloudtrail put-event-selectors --trail-name TrailName2 --event-selectors '[{"ReadWriteType": "All","IncludeManagementEvents": true,"DataResources": [{"Type": "AWS::Lambda::Function","Values": ["arn:aws:lambda"]}]}]'

Backout Plan:

  1. Follow the Implementation steps up to step 4

  2. Click on the Remove button


  3. Click on the Save changes button


Using AWS CLI:

CloudTrail has no delete-event-selectors command; event selectors are replaced as a whole, so the backout is a put-event-selectors call that keeps management events and supplies an empty DataResources list:

aws cloudtrail put-event-selectors --trail-name TrailName2 --event-selectors '[{"ReadWriteType": "All","IncludeManagementEvents": true,"DataResources": []}]'


Resources: 

https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html

https://docs.amazonaws.cn/en_us/lambda/latest/dg/with-cloudtrail-example.html

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html