Profile Applicability:

  • Level 1

Description:

This control ensures that all AWS Lambda function invocation API operations are recorded and monitored through AWS CloudTrail. CloudTrail provides visibility into actions taken by users, roles, and AWS services, including when and by whom Lambda functions are invoked. Invocations are recorded as CloudTrail data events, which are not captured unless a trail is explicitly configured to log them. Recording these events allows organizations to audit access, detect anomalies, and investigate unauthorized or unexpected Lambda activity.

Rationale:

Monitoring Lambda function invocations via CloudTrail helps maintain accountability and traceability across your serverless environment. Without proper logging, unauthorized executions, privilege misuse, or compromised function calls may go unnoticed. Enabling CloudTrail data events for Lambda supports the audit-logging requirements of CIS, SOC 2, ISO 27001, and NIST 800-53 by providing a detailed record of every Lambda Invoke call (the data event behind both synchronous and asynchronous invocations; InvokeAsync is a deprecated variant), alongside the management events that already cover changes to the functions themselves.

Impact:

  • Positive Impact: Improves visibility into Lambda function activity, enabling incident investigation, compliance audits, and detection of suspicious function calls.

  • Negative Impact: Minor increase in CloudTrail storage and processing costs, depending on the volume of Lambda invocations. 

Default Value:

By default, CloudTrail retains only management events (in the 90-day Event History). Lambda invocations are data events and are not recorded at all unless a trail (or CloudTrail Lake event data store) is created and configured to capture data events for Lambda.

Pre-Requisite:

  • IAM permissions required: cloudtrail:DescribeTrails, cloudtrail:GetEventSelectors, cloudtrail:PutEventSelectors, cloudtrail:UpdateTrail, lambda:ListFunctions.
  • A CloudTrail trail must exist and be configured to record management events; this control adds data event logging for Lambda to that trail.

Remediation:

Test Plan 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to CloudTrail → Trails.

  3. Select the active trail used for organization-wide logging.

  4. Under Event type, verify that both Management events and Data events are enabled.

  5. In the Data events section, confirm that AWS Lambda is listed as a data event type, scoped to all current and future functions in the region (not only selected functions), with the following checked:

    • Read events

    • Write events

  Note that Invoke is recorded as a write event (readOnly is false in the log record), so a selector limited to read-only events does not capture invocations.

  6. If Lambda function invocations are not being recorded for all functions, the environment is non-compliant.

Implementation Plan 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to CloudTrail → Trails.

  3. Select the desired trail and choose Edit.

  4. Under Data events, click Add data event source.

  5. Choose AWS Lambda function as the data source.

  6. Select All current and future Lambda functions in this region to ensure complete coverage.

  7. Enable both Read and Write event types.

  8. Click Save changes to apply the configuration.

  9. Verify that Lambda invocation events (eventName Invoke, eventSource lambda.amazonaws.com) are being delivered to the trail's S3 bucket or CloudWatch Logs log group (or queried via Athena or CloudTrail Lake). Data events do not appear in the Event History tab, which shows management events only.
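The test plan and implementation plan above are console procedures. The following is an added example (not part of the original benchmark text) showing the same check and remediation in code, for use against the output of `aws cloudtrail get-event-selectors --trail-name <trail>`. It inspects both the basic event selector format and the advanced event selector format, treats Invoke as a write event, and flags selectors scoped to specific function ARNs as partial coverage. The sample selector documents are constructed for illustration; the trail name `org-trail` and the function names used in the samples are placeholders.

```python
"""Audit and remediate CloudTrail logging of Lambda invocations (added example)."""
import json

LAMBDA_TYPE = "AWS::Lambda::Function"


def _advanced_selector_covers_lambda(selector):
    """True if one advanced event selector logs Invoke data events for every Lambda function."""
    fields = {f["Field"]: f for f in selector.get("FieldSelectors", [])}
    category = fields.get("eventCategory", {}).get("Equals", [])
    resource_type = fields.get("resources.type", {}).get("Equals", [])
    if "Data" not in category or LAMBDA_TYPE not in resource_type:
        return False
    # Invoke is recorded with readOnly=false; a selector restricted to readOnly=true misses it.
    if fields.get("readOnly", {}).get("Equals") == ["true"]:
        return False
    # Any constraint on resources.ARN narrows logging to named functions (partial coverage).
    if "resources.ARN" in fields:
        return False
    return True


def _basic_selector_covers_lambda(selector):
    """True if one basic event selector logs all Lambda data events, including writes."""
    if selector.get("ReadWriteType") == "ReadOnly":
        return False
    for resource in selector.get("DataResources", []):
        # The value "arn:aws:lambda" (no function suffix) means all current and future functions.
        if resource.get("Type") == LAMBDA_TYPE and "arn:aws:lambda" in resource.get("Values", []):
            return True
    return False


def lambda_invocations_logged(event_selectors):
    """event_selectors: parsed JSON from `aws cloudtrail get-event-selectors`. Returns (compliant, reason)."""
    advanced = event_selectors.get("AdvancedEventSelectors", [])
    if advanced:
        if any(_advanced_selector_covers_lambda(s) for s in advanced):
            return True, "advanced event selector logs Invoke for all Lambda functions"
        return False, "no advanced event selector covers all Lambda function data events"
    if any(_basic_selector_covers_lambda(s) for s in event_selectors.get("EventSelectors", [])):
        return True, "basic event selector logs all Lambda data events"
    return False, "trail records no Lambda data events (management events only)"


def remediation_selectors():
    """Advanced event selectors for put-event-selectors. PutEventSelectors replaces the whole
    selector set, so the management-event selector is included to avoid silently dropping it."""
    return [
        {"Name": "Management events",
         "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]},
        {"Name": "All Lambda function invocations",
         "FieldSelectors": [
             {"Field": "eventCategory", "Equals": ["Data"]},
             {"Field": "resources.type", "Equals": [LAMBDA_TYPE]},
         ]},
    ]


def remediation_command(trail_name):
    """AWS CLI command that applies remediation_selectors() to the named trail."""
    return ("aws cloudtrail put-event-selectors --trail-name " + trail_name +
            " --advanced-event-selectors '" + json.dumps(remediation_selectors()) + "'")


# Constructed sample responses (placeholder account, region and trail names).
TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"
MANAGEMENT_ONLY = {"TrailARN": TRAIL_ARN, "EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]}
BASIC_ALL_LAMBDA = {"TrailARN": TRAIL_ARN, "EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": True,
     "DataResources": [{"Type": LAMBDA_TYPE, "Values": ["arn:aws:lambda"]}]}]}
ADVANCED_ONE_FUNCTION = {"TrailARN": TRAIL_ARN, "AdvancedEventSelectors": [
    {"Name": "Management events", "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]},
    {"Name": "One function only", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": [LAMBDA_TYPE]},
        {"Field": "resources.ARN", "Equals": ["arn:aws:lambda:us-east-1:123456789012:function:payments"]}]}]}
ADVANCED_READ_ONLY = {"TrailARN": TRAIL_ARN, "AdvancedEventSelectors": [
    {"Name": "Read-only Lambda", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": [LAMBDA_TYPE]},
        {"Field": "readOnly", "Equals": ["true"]}]}]}
ADVANCED_ALL_LAMBDA = {"TrailARN": TRAIL_ARN, "AdvancedEventSelectors": remediation_selectors()}

if __name__ == "__main__":
    for name, doc in [("management-only", MANAGEMENT_ONLY), ("basic-all-lambda", BASIC_ALL_LAMBDA),
                      ("one-function", ADVANCED_ONE_FUNCTION), ("read-only", ADVANCED_READ_ONLY),
                      ("advanced-all-lambda", ADVANCED_ALL_LAMBDA)]:
        ok, reason = lambda_invocations_logged(doc)
        print(f"{name}: {'COMPLIANT' if ok else 'NON-COMPLIANT'} ({reason})")
    print(remediation_command("org-trail"))
```

Run the audit against every trail returned by `aws cloudtrail describe-trails --include-shadow-trails`; a trail that is not multi-region or that belongs to another account's organization trail may be the one actually carrying the data events. Because PutEventSelectors overwrites the existing selector set, always fetch the current selectors first and merge rather than replace them if the trail already logs other data event types such as S3 objects or DynamoDB tables.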

Backout Plan:

Using AWS Console:

  1. If CloudTrail logging results in unexpected cost or volume, edit the trail's Lambda data event selector to log specific high-value functions instead of all functions, rather than removing the data event type entirely.
  2. Re-enable logging for all current and future functions once monitoring and cost controls are in place, and re-run the test plan to confirm coverage.

References: