Ensure AWS Lambda functions have tracing enabled
AWS Lambda functions should have TracingConfig enabled since it activates the AWS X-Ray service. AWS X-Ray service collects information on requests that a specific function performed. It reduces the investigation, debugging and diagnostics time and effort. The value can be either PassThrough or Active. If PassThrough, Lambda will only trace the request from an upstream service if it contains a tracing header with 'sampled=1'. If Active, Lambda will respect any tracing header it receives from an upstream service. If no tracing header is received, Lambda will call X-Ray for a tracing decision. It is recommended to use 'Active'.
Risk Level: Low
Cloud Entity: AWS Lambda
CloudGuard Rule ID: D9.AWS.OPE.07
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
Lambda should not have tracingConfig.mode='PassThrough'
REMEDIATION
From Portal
- Log in to the AWS Management Console and open the Amazon Lambda console.
- Open the function you want to modify.
- Click the Configuration tab.
- Open the Monitoring and operations tools on the left side.
- Click Edit and enable Active tracing for AWS X-ray.
- Click Save.
From TF
resource "aws_lambda_function" "active" {
tracing_config {
- mode = "PassThrough"
+ mode = "Active"
}
}
From Command Line
aws lambda update-function-configuration --function-name lambda_function_name --tracing-config Mode=Active
References
- https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html
AWS Lambda
AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running.
With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago