Description:

AWS Lambda is a compute service that lets you run code without provisioning or managing servers. AWS Lambda executes your code only when needed and scales automatically, from a few requests per day to thousands per second. You pay only for the compute time you consume - there is no charge when your code is not running.


Rationale:

Whenever CloudTrail delivers a log file to your S3 bucket, Amazon S3 can invoke your Lambda function, passing the S3 object-created event as the handler's input. The event identifies the bucket name and key name of the log object that CloudTrail created; your Lambda function can read that object and process the API call records logged by CloudTrail.


Remediation:

Configure Amazon S3 to publish events to AWS Lambda when AWS CloudTrail stores API call logs. Your Lambda function can read the log object and process the access records logged by CloudTrail. The setup consists of the following resources:

  • A CloudTrail trail and an S3 bucket to save logs to.
  • An Amazon SNS topic to publish alert notifications.
  • An IAM execution role for the Lambda function with permissions to read objects from the S3 bucket and write logs to Amazon CloudWatch.
  • A Lambda function that processes CloudTrail logs and sends a notification whenever an Amazon SNS topic is created.


Triggering a Lambda Function with AWS CloudTrail Events

Step 1: Creating a Trail in CloudTrail

Step 2: Creating an Amazon SNS Topic

Step 3: Creating an IAM Execution Role

Step 4: Creating the Lambda Function

Step 5: Adding Permissions to the Lambda Function Policy

Step 6: Configuring Notifications on an Amazon S3 Bucket


Receiving CloudTrail Log Files from Multiple Regions

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/
  2. Choose Trails, and then choose a trail name.
  3. Click the pencil icon next to Apply trail to all regions, and then choose Yes.
  4. Choose Save. The original trail is now replicated across all regions. CloudTrail delivers log files from all regions to the specified S3 bucket.

Note: When a new region launches in the aws partition, CloudTrail automatically creates a trail for you in the new region with the same settings as your original trail.
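The console procedure above has a scriptable equivalent. The following is an added example, not code from the AWS documentation cited on this page: it audits which trails are still single-region and applies the same "Apply trail to all regions" change through the CloudTrail API (describe_trails and update_trail, both real boto3 calls). The StubCloudTrail class and its two trail names are constructed so the logic runs offline; against a real account, replace it with boto3.client("cloudtrail") and credentials that allow cloudtrail:DescribeTrails and cloudtrail:UpdateTrail.

```python
"""Audit and remediate single-region CloudTrail trails."""


def single_region_trails(cloudtrail):
    """Return the names of trails that are not multi-region.
    includeShadowTrails=False hides the per-region replicas that a
    multi-region trail already creates, so each trail is reported once."""
    resp = cloudtrail.describe_trails(includeShadowTrails=False)
    return sorted(t["Name"] for t in resp.get("trailList", [])
                  if not t.get("IsMultiRegionTrail", False))


def make_multi_region(cloudtrail, trail_name):
    """API equivalent of choosing Yes for 'Apply trail to all regions'."""
    resp = cloudtrail.update_trail(Name=trail_name, IsMultiRegionTrail=True)
    return bool(resp.get("IsMultiRegionTrail"))


def remediate_all(cloudtrail):
    """Audit, fix every single-region trail, and report what changed."""
    fixed = [n for n in single_region_trails(cloudtrail)
             if make_multi_region(cloudtrail, n)]
    return {"fixed": fixed, "remaining": single_region_trails(cloudtrail)}


class StubCloudTrail:
    """Constructed stand-in for boto3.client('cloudtrail') holding two trails."""
    def __init__(self):
        self.trails = {"audit-trail": False, "org-trail": True}  # name -> multi-region?

    def describe_trails(self, includeShadowTrails=True, trailList=None):
        return {"trailList": [{"Name": n, "IsMultiRegionTrail": m,
                               "HomeRegion": "us-east-1"}
                              for n, m in self.trails.items()]}

    def update_trail(self, Name, **kwargs):
        if "IsMultiRegionTrail" in kwargs:
            self.trails[Name] = kwargs["IsMultiRegionTrail"]
        return {"Name": Name, "IsMultiRegionTrail": self.trails[Name]}


if __name__ == "__main__":
    # Swap StubCloudTrail() for boto3.client("cloudtrail") to run against an account.
    print(remediate_all(StubCloudTrail()))
```

Run the audit function on its own first; it is read-only and tells you which trails the remediation would touch. Because update_trail must be called in the trail's home region, point the real client at that region before calling make_multi_region.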


Resources:

https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html

https://docs.amazonaws.cn/en_us/lambda/latest/dg/with-cloudtrail-example.html

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html