Profile Applicability:

Level 1

Description:

CloudWatch Lambda Insights provides detailed monitoring and troubleshooting for AWS Lambda functions. With Lambda Insights enabled, you can see how your Lambda functions perform, track metrics such as invocation counts, duration, and error rates, and troubleshoot performance issues through detailed logs and visualizations.

Rationale:

Enabling CloudWatch Lambda Insights helps you monitor Lambda function performance in real time, identify bottlenecks, and resolve issues that could affect the efficiency of your serverless applications. It makes key performance metrics easier to track and errors easier to troubleshoot, which is essential for ensuring the reliability and scalability of Lambda functions in production environments.

Impact:

Pros:

  • Detailed Monitoring: Provides detailed metrics and logs to help diagnose and resolve performance issues.

  • Improved Troubleshooting: Helps identify and fix issues with Lambda execution, such as cold starts or long execution times.

  • Cost Optimization: By identifying inefficient functions or resource-intensive operations, Lambda Insights can help optimize costs.

  • Compliance and Auditing: Allows continuous monitoring of Lambda functions, ensuring they are performing as expected and compliant with security standards.

Cons:

  • Overhead: Enabling Lambda Insights might introduce slight overhead in Lambda performance due to the additional monitoring.

  • Cost: While CloudWatch Lambda Insights provides valuable metrics, there may be additional costs associated with storing and processing logs and metrics.

Default Value:

By default, CloudWatch Lambda Insights is not enabled. You must manually enable it to begin capturing and analyzing Lambda metrics and logs.

Pre-requisites:

  • IAM permissions to enable CloudWatch Lambda Insights and configure Lambda functions.

  • Access to AWS Lambda and CloudWatch services.

  • Lambda functions deployed that need to be monitored by CloudWatch Lambda Insights.

Remediation:

Test Plan:

Using the AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to AWS Lambda and select the Lambda function that you want to enable Lambda Insights for.

  3. In the Configuration tab, scroll down to the Monitoring and Operations tools section.

  4. Select Enable Lambda Insights.

  5. Choose an existing CloudWatch Log Group or create a new one to store the Lambda Insights logs.

  6. Save the changes.

  7. After enabling, verify that Lambda Insights metrics and logs are being captured by navigating to CloudWatch and checking for logs and metrics under the Lambda Insights section.

Using AWS CLI:

  1. First, verify the existing Lambda function configurations: 

    aws lambda get-function-configuration --function-name <function-name>

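  2. To enable CloudWatch Lambda Insights, update the Lambda function configuration to attach the Lambda Insights extension layer (the function's execution role also needs the CloudWatchLambdaInsightsExecutionRolePolicy managed policy):

    # --layers replaces the function's whole layer list, so repeat any layers it already uses
    aws lambda update-function-configuration --function-name <function-name> --layers <existing-layer-arns> <lambda-insights-layer-arn>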

  3. Verify that Lambda Insights is enabled by checking the function configuration:

    aws lambda get-function-configuration --function-name <function-name>

  4. After enabling Lambda Insights, confirm that logs and metrics are being sent to CloudWatch: 

    aws logs describe-log-groups --log-group-name-prefix "/aws/lambda"
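
The check in step 3 can be automated across many functions. The following is an added example, not part of the original benchmark text: it classifies functions by whether a LambdaInsightsExtension layer is attached, using JSON shaped like `aws lambda list-functions` output. The function names, account IDs and the optional `publisher_accounts` allow-list are constructed for illustration.

```python
import json
import re

# Layer name AWS uses for the Lambda Insights extension (x86-64 and Arm64 variants).
LAYER_RE = re.compile(
    r"^arn:aws[\w-]*:lambda:[a-z0-9-]+:(\d{12}):layer:"
    r"LambdaInsightsExtension(?:-Arm64)?:\d+$"
)

# Constructed sample in the shape of `aws lambda list-functions` output.
# All names and account IDs below are made up for the example.
SAMPLE = json.loads("""
{"Functions": [
 {"FunctionName": "orders-api", "PackageType": "Zip", "Layers": [
   {"Arn": "arn:aws:lambda:us-east-1:111122223333:layer:shared-utils:3"},
   {"Arn": "arn:aws:lambda:us-east-1:123456789012:layer:LambdaInsightsExtension:7"}]},
 {"FunctionName": "thumbnailer", "PackageType": "Zip", "Layers": [
   {"Arn": "arn:aws:lambda:us-east-1:111122223333:layer:shared-utils:3"}]},
 {"FunctionName": "nightly-report", "PackageType": "Zip"},
 {"FunctionName": "ml-scorer", "PackageType": "Image"},
 {"FunctionName": "legacy-sync", "PackageType": "Zip", "Layers": [
   {"Arn": "arn:aws:lambda:us-east-1:444455556666:layer:LambdaInsightsExtension:1"}]}
]}
""")

def classify(function_config, publisher_accounts=None):
    """Return 'enabled', 'missing', 'untrusted-layer' or 'container-image'."""
    if function_config.get("PackageType") == "Image":
        # Image functions cannot attach layers; the extension must be in the image.
        return "container-image"
    status = "missing"
    for layer in function_config.get("Layers") or []:
        match = LAYER_RE.match(layer.get("Arn", ""))
        if not match:
            continue
        if publisher_accounts and match.group(1) not in publisher_accounts:
            status = "untrusted-layer"  # right name, unexpected publisher
            continue
        return "enabled"
    return status

def audit(listing, publisher_accounts=None):
    """Map each function name to its Lambda Insights status."""
    return {f["FunctionName"]: classify(f, publisher_accounts)
            for f in listing.get("Functions", [])}

if __name__ == "__main__":
    for name, status in audit(SAMPLE, {"123456789012"}).items():
        print(f"{name:16} {status}")
```

Passing the account IDs you expect to publish the extension as `publisher_accounts` flags look-alike layers that only reuse the name; without it, any layer named LambdaInsightsExtension counts as enabled.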

Implementation Plan:

Using the AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to AWS Lambda and select the Lambda function you want to monitor.

  3. Under the Configuration tab, scroll to the Monitoring and Operations tools section.

  4. Click Enable Lambda Insights and choose a Log Group.

  5. Save the changes and verify that CloudWatch Lambda Insights is recording metrics and logs for the selected function.

  6. You can check the CloudWatch Console to see Lambda Insights metrics and logs for the function.

Using AWS CLI:

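  1. To enable Lambda Insights for a Lambda function, attach the Lambda Insights extension layer by running the following command (the function's execution role also needs the CloudWatchLambdaInsightsExecutionRolePolicy managed policy):

    # --layers replaces the function's whole layer list, so repeat any layers it already uses
    aws lambda update-function-configuration --function-name <function-name> --layers <existing-layer-arns> <lambda-insights-layer-arn>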

  2. Confirm that Lambda Insights is enabled by checking the function configuration: 

    aws lambda get-function-configuration --function-name <function-name>

  3. Verify that logs and metrics are being sent to CloudWatch: 

    aws logs describe-log-groups --log-group-name-prefix "/aws/lambda"

Backout Plan:

Using the AWS Console:

  1. If Lambda Insights causes issues, go to AWS Lambda and select the Lambda function.

  2. Under the Configuration tab, uncheck Enable Lambda Insights.

  3. Save the changes and verify that Lambda Insights is no longer enabled.

  4. Check that logs and metrics are no longer being sent to CloudWatch for Lambda Insights.

Using AWS CLI:

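  1. To disable Lambda Insights for a Lambda function, run the following command to re-apply the layer list without the Lambda Insights extension layer:

    # List only the layers to keep; use --layers [] if the function has no other layers
    aws lambda update-function-configuration --function-name <function-name> --layers <layer-arns-to-keep>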

  2. Confirm that Lambda Insights is no longer enabled by checking the function configuration: 

    aws lambda get-function-configuration --function-name <function-name>

  3. Verify that logs and metrics are no longer being sent to CloudWatch for Lambda Insights.

References:

CIS Controls:

| Version | Control ID | Control Description |
|---------|------------|---------------------|
| v8 | 12.2 | Enable CloudWatch Lambda Insights to capture Lambda function performance metrics and logs for better monitoring and troubleshooting. |
| v7 | 12.3 | Enable CloudWatch Lambda Insights for capturing detailed logs and performance metrics for serverless applications. |