Enable Enhanced Monitoring for Lambda Functions

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that enhanced monitoring with Amazon CloudWatch Lambda Insights is enabled for your Lambda functions in order to help you to monitor, troubleshoot, and optimize your functions.

This rule can help you work with the AWS Well-Architected Framework (Security pillar).

CloudWatch Lambda Insights is a monitoring and troubleshooting service for serverless applications running on Amazon Lambda. The service collects, aggregates, and summarizes system-level metrics including CPU, memory, disk, and network usage. CloudWatch Lambda Insights also collects, aggregates, and summarizes diagnostic information such as cold starts and Lambda worker shutdowns to help you identify issues with your Lambda functions and resolve them as soon as possible. You can enable enhanced monitoring by adding the Amazon CloudWatch Lambda Insights extension as a layer to your Lambda functions. A function layer is a .zip file archive that contains libraries or other dependencies. With layers, you can use libraries in your Lambda function without needing to include them in your deployment package. Once the CloudWatch Lambda Insights extension is enabled for a Lambda function, it collects system-level metrics and emits a single performance log event for every invocation of that function.


Audit

To determine if your Amazon Lambda functions are configured to use enhanced monitoring, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the function that you want to examine.

05 Select the Configuration tab to access the panel with the configuration information available for the selected Lambda resource.

06 In the Monitoring tools section, check the Enhanced monitoring status. If the configuration status is set to Not enabled, the Amazon Lambda Enhanced Monitoring feature is not enabled for the selected function.

07 Repeat steps no. 4 – 6 to determine if other Amazon Lambda functions, available in the current AWS region, are using enhanced monitoring.

08 Change the AWS region from the navigation bar and repeat the audit process for the other regions.

Using AWS CLI

01 Run list-functions command (OSX/Linux/UNIX) to list the name of each Amazon Lambda function available within the selected AWS region:

aws lambda list-functions \
  --region us-east-1 \
  --output table \
  --query 'Functions[*].FunctionName'

02 The command output should return a table with the requested function name(s):

---------------------
|   ListFunctions   |
+-------------------+
|  cc-sqs-poller    |
|  cc-rds-exporter  |
+-------------------+

03 Run get-function command (OSX/Linux/UNIX) using the name of the Amazon Lambda function that you want to examine as the identifier parameter, to describe the Amazon Resource Name (ARN) of each layer attached to the selected function. A function layer is a .zip file archive that contains libraries or other dependencies:

aws lambda get-function \
  --region us-east-1 \
  --function-name cc-sqs-poller \
  --query 'Configuration.Layers[*].Arn'

04 The command output should return the requested ARN(s). If the get-function command returns null instead of one or more ARNs, no layers are attached to the selected function:

[
    "arn:aws:lambda:us-east-1:123456789012:layer:cc-app-module-layer"
]

To enable enhanced monitoring for a Lambda function, the CloudWatch Lambda Insights extension must be added to the function as a layer. If the get-function command returns one or more ARNs, as shown in the example above, but the list does not contain the CloudWatch Lambda Insights extension ARN, i.e. "arn:aws:lambda:<aws-region>:580247275435:layer:LambdaInsightsExtension:<version>", the Amazon Lambda Enhanced Monitoring feature is not enabled for the selected function.

05 Repeat steps no. 3 and 4 to determine if other Amazon Lambda functions, deployed in the selected AWS region, are using enhanced monitoring.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.
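The CLI audit above (steps 1 to 5) can be scripted for every function in a region. This is an added example, not code from the Conformity page; it assumes the aws CLI is configured with credentials allowing lambda:ListFunctions and lambda:GetFunction, and it uses the 580247275435 account ID and LambdaInsightsExtension layer name from the ARN format described above as the marker of enhanced monitoring.

```shell
#!/bin/sh
# Added example: audit all Lambda functions in one region for the CloudWatch Lambda
# Insights extension layer. Not code from the Conformity page; needs the aws CLI.

# Layer ARN format of the Lambda Insights extension, as given in the audit text above.
INSIGHTS_ARN_PATTERN='^arn:aws:lambda:[a-z0-9-]+:580247275435:layer:LambdaInsightsExtension:[0-9]+$'

# has_insights_layer: reads layer ARNs on stdin, one per line ("None" is what the
# CLI prints in text mode when the function has no layers). Exit status 0 if the
# Insights extension is present, 1 otherwise, so it works directly as a condition.
has_insights_layer() {
  grep -Eq "$INSIGHTS_ARN_PATTERN"
}

# function_layers REGION NAME: prints the function's layer ARNs, one per line
# (audit step 3 above, with text output instead of JSON).
function_layers() {
  aws lambda get-function --region "$1" --function-name "$2" \
      --output text --query 'Configuration.Layers[*].Arn' | tr '\t' '\n'
}

# audit_region REGION: one line per function, flagging those without enhanced
# monitoring (audit steps 1 to 4 applied to every function in the region).
audit_region() {
  region="$1"
  aws lambda list-functions --region "$region" \
      --output text --query 'Functions[*].FunctionName' | tr '\t' '\n' |
  while IFS= read -r fn; do
    [ -n "$fn" ] || continue
    if function_layers "$region" "$fn" | has_insights_layer; then
      echo "ENABLED      $fn"
    else
      echo "NOT ENABLED  $fn"
    fi
  done
}

# Usage: audit_region us-east-1   (repeat per region, as in step 6 above)
```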

Remediation / Resolution

To enable enhanced monitoring for existing Amazon Lambda functions, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the function that you want to reconfigure.

05 Select the Configuration tab to access the panel with the configuration information available for the selected Lambda resource.

06 In the Monitoring tools section, choose Edit to change the monitoring configuration for the selected function.

07 In the CloudWatch Lambda Insights section, toggle the Enhanced monitoring button to enable the Amazon Lambda Enhanced Monitoring feature for the selected function. Choose Save to apply the changes.

08 Repeat steps no. 4 – 7 to enable enhanced monitoring for other Amazon Lambda functions available within the current region.

09 Change the AWS region from the navigation bar and repeat the remediation process for the other regions.

Using AWS CLI

01 Run get-function command (OSX/Linux/UNIX) to retrieve the ARN of the execution role associated with the Amazon Lambda function that you want to reconfigure:

aws lambda get-function \
  --region us-east-1 \
  --function-name cc-sqs-poller \
  --query 'Configuration.Role'

02 The command output should return the requested IAM role ARN:

"arn:aws:iam::123456789012:role/service-role/cc-sqs-poller-role-abcdabcd"

03 Run attach-role-policy command (OSX/Linux/UNIX) to attach the "CloudWatchLambdaInsightsExecutionRolePolicy" managed IAM policy to the function's execution role, returned at the previous step (the command does not produce an output):

aws iam attach-role-policy \
  --role-name cc-sqs-poller-role-abcdabcd \
  --policy-arn "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"

04 Run update-function-configuration command (OSX/Linux/UNIX) using the name of the Amazon Lambda function that you want to reconfigure as the identifier parameter, to install the CloudWatch Lambda Insights extension. Replace the ARN value for the --layers command parameter with the ARN matching your AWS region and the extension version that you want to use (ideally, the latest version available). Note that --layers replaces the function's entire layer list, so if the function already has layers (see the audit section above), pass their ARNs together with the extension ARN. Once the extension is installed, the Amazon Lambda Enhanced Monitoring feature is automatically enabled for the selected function:

aws lambda update-function-configuration \
  --region us-east-1 \
  --function-name cc-sqs-poller \
  --layers "arn:aws:lambda:us-east-1:580247275435:layer:LambdaInsightsExtension:12"

05 The command output should return the metadata available for the reconfigured function:

{
    "FunctionName": "cc-sqs-poller",
    "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:cc-sqs-poller",
    "Runtime": "python3.7",
    "Role": "arn:aws:iam::123456789012:role/service-role/cc-sqs-poller-role-abcdabcd",
    "Handler": "lambda_function.lambda_handler",
    "CodeSize": 550,
    "Timeout": 45,
    "MemorySize": 1024,
    "LastModified": "2021-01-12T10:00:00.000+0000",
    "Version": "$LATEST",
    "VpcConfig": {
        "SubnetIds": [
            "subnet-abcd1234",
            "subnet-1234abcd"
        ],
        "SecurityGroupIds": [
            "sg-01234abcd1234abcd"
        ],
        "VpcId": "vpc-abcdabcd"
    },
    "TracingConfig": {
        "Mode": "PassThrough"
    },
    "RevisionId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
    "Layers": [
        {
            "Arn": "arn:aws:lambda:us-east-1:580247275435:layer:LambdaInsightsExtension:12",
            "CodeSize": 4351068
        }
    ],
    "State": "Active",
    "LastUpdateStatus": "Successful",
    "PackageType": "Zip"
}

06 Repeat steps no. 1 – 5 to enable enhanced monitoring for other Amazon Lambda functions deployed in the selected region.

07 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 6 to perform the remediation/resolution process for other regions.
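The CLI remediation above (steps 1 to 4) combined into one function that also keeps the function's existing layers, since update-function-configuration --layers replaces the whole layer list. This is an added example, not code from the Conformity page; it assumes the aws CLI is configured with credentials for lambda:GetFunction, iam:AttachRolePolicy and lambda:UpdateFunctionConfiguration, and that the caller supplies the Insights extension ARN for the target region.

```shell
#!/bin/sh
# Added example: enable CloudWatch Lambda Insights on one function without dropping
# its other layers. Not code from the Conformity page; needs the aws CLI.

INSIGHTS_ARN_PATTERN='^arn:aws:lambda:[a-z0-9-]+:580247275435:layer:LambdaInsightsExtension:[0-9]+$'
INSIGHTS_POLICY_ARN='arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy'

# role_name_from_arn ARN: attach-role-policy takes the role name, which is the last
# path segment of the role ARN (also correct for paths such as service-role/).
role_name_from_arn() { printf '%s\n' "${1##*/}"; }

# merge_layers NEW_ARN: reads the current layer ARNs on stdin (one per line; "None"
# when the function has no layers), drops any existing Insights extension version
# plus blank/None entries, then appends NEW_ARN. Prints one ARN per line.
merge_layers() {
  { grep -Ev "$INSIGHTS_ARN_PATTERN" | grep -Ev '^(None)?$'; } || true
  printf '%s\n' "$1"
}

# enable_insights REGION NAME INSIGHTS_ARN: remediation steps 1 to 4 above, in order.
enable_insights() {
  region="$1"; fn="$2"; insights_arn="$3"

  # Steps 1-3: look up the execution role and attach the managed policy (no output).
  role_arn=$(aws lambda get-function --region "$region" --function-name "$fn" \
               --output text --query 'Configuration.Role')
  aws iam attach-role-policy --role-name "$(role_name_from_arn "$role_arn")" \
      --policy-arn "$INSIGHTS_POLICY_ARN"

  # Step 4: --layers replaces the full list, so re-submit the existing layers too.
  layers=$(aws lambda get-function --region "$region" --function-name "$fn" \
             --output text --query 'Configuration.Layers[*].Arn' | tr '\t' '\n' |
           merge_layers "$insights_arn" | tr '\n' ' ')
  # shellcheck disable=SC2086 -- unquoted on purpose: one ARN per argument
  aws lambda update-function-configuration --region "$region" --function-name "$fn" \
      --layers $layers --output text --query 'Layers[*].Arn'
}

# Usage: enable_insights us-east-1 cc-sqs-poller \
#   arn:aws:lambda:us-east-1:580247275435:layer:LambdaInsightsExtension:12
```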

Publication date Jan 14, 2021