
Tracing Enabled

Operational excellence

Risk level: Medium (should be achieved)

Ensure that tracing is enabled for your AWS Lambda functions in order to gain visibility into the functions' execution and performance. With the tracing feature enabled, Amazon activates Lambda support for AWS X-Ray, a service that collects data about the requests that your functions perform and provides tools you can use to view, filter and gain insights into the collected data to identify issues and opportunities for optimization.

AWS X-Ray can provide tracing and monitoring capabilities for your Lambda functions. With tracing mode enabled, you can save time and effort debugging and operating your functions as the X-Ray service support allows you to rapidly diagnose errors, identify bottlenecks, slowdowns and timeouts by breaking down the latency for your Lambda functions.

Audit

To determine if tracing is enabled for your AWS Lambda functions, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Lambda dashboard at https://console.aws.amazon.com/lambda/.

03 In the navigation panel, under AWS Lambda, choose Functions.

04 Choose the Lambda function that you want to examine then click on the function name to access its configuration page.

05 Select the Configuration tab to open the settings panel for the selected function.

06 Click Advanced settings to open the panel with the advanced settings available for the function.

07 Verify the status of the Enable active tracing setting. If the setting checkbox is not selected, the tracing feature is not currently enabled, therefore the AWS X-Ray support for the selected Lambda function is not enabled.

08 Repeat steps no. 4 - 7 to verify the active tracing feature status for other Amazon Lambda functions available within the current region.

09 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run list-functions command (OSX/Linux/UNIX) to list the names of all AWS Lambda functions currently available within the selected region:

aws lambda list-functions \
	--region us-east-1 \
	--query 'Functions[*].FunctionName'

02 The command output should return an array with the requested function names:

[
    "FetchS3ObjectMetadata",
    "MySQSPoller",
    "BackupEBSProdVolume"
]

03 Run get-function-configuration command (OSX/Linux/UNIX) using the Lambda function name returned at the previous step and custom query filters to expose the tracing feature status (mode) for the selected function:

aws lambda get-function-configuration \
	--region us-east-1 \
	--function-name FetchS3ObjectMetadata \
	--query 'TracingConfig.Mode'

04 The command output should return the requested details (i.e. tracing feature mode which can be either PassThrough or Active):

"PassThrough"

If the value returned by the get-function-configuration command output is "PassThrough" (as shown in the example above), the tracing mode for the selected Lambda function is not currently enabled, therefore the AWS X-Ray integration for AWS Lambda is not enabled.

05 Repeat steps no. 3 and 4 to determine the tracing feature mode (status) for other Amazon Lambda functions available within the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire audit process for other regions.

Remediation / Resolution

To enable active tracing for your Amazon Lambda functions and make use of AWS X-Ray integration, perform the following actions:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Lambda dashboard at https://console.aws.amazon.com/lambda/.

03 In the navigation panel, under AWS Lambda section, choose Functions.

04 Choose the Lambda function that you want to reconfigure (see Audit section part I to identify the right Lambda resource), then click on the function name.

05 Select the Configuration tab to open the settings panel for the selected function.

06 Click Advanced settings to open the panel with the advanced settings.

07 Select the Enable active tracing checkbox to enable the tracing feature (i.e. activate AWS X-Ray integration) for the selected Lambda function. Once the function is triggered, traces will begin to be generated and captured, allowing you to identify and address errors and exceptions, performance bottlenecks and throttling.

08 Click the Save button from the dashboard top menu to apply the configuration changes for your function. When the function configuration is saved with the active tracing feature enabled, Lambda will automatically add the following permissions to the function's current role if the role does not already have them: "xray:PutTraceSegments", "xray:PutTelemetryRecords".

09 Repeat steps no. 4 – 8 to enable active tracing for other AWS Lambda functions available within the current region.

10 Change the AWS region from the navigation bar and repeat the remediation/resolution process for other regions.

Using AWS CLI

01 Run get-function-configuration command (OSX/Linux/UNIX) using the name of the Lambda function that you want to reconfigure (see Audit section part II to identify the right resource) and custom query filters to get the ARN of the IAM service role attached to the selected Lambda function:

aws lambda get-function-configuration \
	--region us-east-1 \
	--function-name FetchS3ObjectMetadata \
	--query 'Role'

02 The command output should return the requested ARN:

"arn:aws:iam::123456789012:role/service-role/LambdaS3Role"

03 Run attach-role-policy command (OSX/Linux/UNIX) to attach the AWSXrayWriteOnlyAccess managed policy to the IAM role assigned to the selected Lambda function, identified by the ARN returned at the previous step. The AWSXrayWriteOnlyAccess policy gives the role permission to upload trace data to AWS X-Ray (the command does not produce an output):

aws iam attach-role-policy \
	--policy-arn arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess \
	--role-name LambdaS3Role

04 Now run update-function-configuration command (OSX/Linux/UNIX) using the name of the function that you want to reconfigure (see Audit section part II to identify the right Lambda resource) to enable the tracing feature (i.e. activate AWS X-Ray integration) for the selected Lambda function. The following command example reconfigures a Lambda function named FetchS3ObjectMetadata by enabling active tracing:

aws lambda update-function-configuration \
	--region us-east-1 \
	--function-name FetchS3ObjectMetadata \
	--tracing-config '{"Mode": "Active"}'

05 The command output should return the configuration details (metadata) for the reconfigured AWS Lambda function:

{
    "TracingConfig": {
        "Mode": "Active"
    },
    "CodeSha256": "duNDvGGa3toc6Y4/hWIuhs7fshAzF5KJxUdzTzzuc9st1=",
    "FunctionName": "FetchS3ObjectMetadata",
    "CodeSize": 615,
    "MemorySize": 128,
    "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:FetchS3ObjectMetadata",
    "Version": "$LATEST",
    "Role": "arn:aws:iam::123456789012:role/service-role/LambdaS3Role",
    "Timeout": 3,
    "LastModified": "2017-07-17T11:37:16.395+0000",
    "Handler": "index.handler",
    "Runtime": "nodejs6.10",
    "Description": "An S3 trigger that retrieves metadata for S3 objects."
}

06 Repeat steps no. 1 – 5 to enable active tracing for other Amazon Lambda functions available within the current region.

07 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 6 to perform the process for other regions.
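
The CLI audit and remediation steps above can be combined into one pass over the list-functions output. The following is an added example, not Cloud Conformity or AWS code: it reads a constructed listing, finds functions whose tracing mode is not Active, and builds the attach-role-policy and update-function-configuration commands from the page. The helper names, the LambdaSQSRole role, and treating a missing TracingConfig as disabled are assumptions.

```python
import json
import shlex

# Constructed sample in the shape of `aws lambda list-functions` output,
# keyed by region. Names reuse the page's examples; the data is made up.
SAMPLE = {"us-east-1": json.loads("""
{"Functions": [
  {"FunctionName": "FetchS3ObjectMetadata",
   "Role": "arn:aws:iam::123456789012:role/service-role/LambdaS3Role",
   "TracingConfig": {"Mode": "PassThrough"}},
  {"FunctionName": "MySQSPoller",
   "Role": "arn:aws:iam::123456789012:role/LambdaSQSRole",
   "TracingConfig": {"Mode": "Active"}},
  {"FunctionName": "BackupEBSProdVolume",
   "Role": "arn:aws:iam::123456789012:role/service-role/LambdaS3Role"}
]}""")}

XRAY_POLICY = "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess"

def role_name(role_arn):
    """--role-name takes the bare name: drop the ARN prefix and any path."""
    return role_arn.split(":role/", 1)[1].rsplit("/", 1)[-1]

def untraced(listing):
    """Functions whose mode is not Active (assumption: missing means off)."""
    return [f for f in listing.get("Functions", [])
            if f.get("TracingConfig", {}).get("Mode") != "Active"]

def remediation_plan(listings_by_region):
    """Build the page's remediation commands for every untraced function."""
    cmds, roles_done = [], set()
    for region, listing in sorted(listings_by_region.items()):
        for fn in untraced(listing):
            if fn["Role"] not in roles_done:  # IAM is global: attach once
                roles_done.add(fn["Role"])
                cmds.append("aws iam attach-role-policy --policy-arn %s "
                            "--role-name %s"
                            % (XRAY_POLICY, shlex.quote(role_name(fn["Role"]))))
            cmds.append("aws lambda update-function-configuration "
                        "--region %s --function-name %s --tracing-config %s"
                        % (shlex.quote(region),
                           shlex.quote(fn["FunctionName"]),
                           shlex.quote('{"Mode": "Active"}')))
    return cmds

if __name__ == "__main__":
    print("\n".join(remediation_plan(SAMPLE)))
```

Review the printed commands before running them, since attaching the policy widens what each listed role is allowed to do.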


Publication date Jun 12, 2017