Enable Enhanced Monitoring for Lambda Functions

Risk Level: Medium (should be achieved)

Ensure that enhanced monitoring with Amazon CloudWatch Lambda Insights is enabled for your Amazon Lambda functions in order to help you to monitor, troubleshoot, and optimize your functions.

This rule can help you work with the AWS Well-Architected Framework.

Security

Amazon CloudWatch Lambda Insights is a monitoring and troubleshooting service for serverless applications running on Amazon Lambda. The service collects, aggregates, and summarizes system-level metrics including CPU, memory, disk, and network usage. CloudWatch Lambda Insights also collects, aggregates, and summarizes diagnostic information such as cold starts and Lambda worker shutdowns to help you identify issues with your Lambda functions and resolve them as soon as possible. You can enable enhanced monitoring by adding the extension as a layer to your Lambda functions. A function layer is a .zip file archive that contains libraries or other dependencies. With layers, you can use libraries in your Lambda function without needing to include them in your deployment package. Once the CloudWatch Lambda Insights extension is enabled for a Lambda function, it collects system-level metrics and emits a single performance log event for every invocation of that function.

Audit

To determine if your Amazon Lambda functions are configured to use enhanced monitoring, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the function that you want to examine.

05 Select the Configuration tab and choose Monitoring and operations tools from the left menu.

06 In the Monitoring and operations tools section, check the Enhanced monitoring status. If the feature status is set to Not enabled, the Enhanced Monitoring feature is not enabled for the selected Amazon Lambda function.

07 Repeat steps no. 4 – 6 for each Lambda function available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-functions command (OSX/Linux/UNIX) to list the name of each Amazon Lambda function available in the selected AWS cloud region:

aws lambda list-functions
  --region us-east-1
  --output table
  --query 'Functions[*].FunctionName'

02 The command output should return a table with the requested function name(s):

---------------------
|   ListFunctions   |
+-------------------+
|   cc-sqs-poller   |
|   cc-s3-logging   |
|   s3-get-object   |
+-------------------+

03 Run get-function command (OSX/Linux/UNIX) using the name of the Amazon Lambda function that you want to examine as the identifier parameter, to describe the Amazon Resource Name (ARN) of each layer created for the selected function. A function layer is a .zip file archive that contains libraries or dependencies:

aws lambda get-function
  --region us-east-1
  --function-name cc-sqs-poller
  --query 'Configuration.Layers[*].Arn'

04 The command output should return the requested ARN(s). If the get-function command output returns null, there are no layers created for the selected function, therefore the Audit process ends here. If the command output returns one or more ARN(s), as shown in the example below, the selected function has one or more layers:

[
    "arn:aws:lambda:us-east-1:123456789012:layer:cc-app-module-layer"
]

To enable enhanced monitoring for a Lambda function, Amazon Lambda needs to add the CloudWatch Lambda Insights extension as a layer to the function. If the get-function command output returns one or more ARNs but the list of ARNs does not contain the CloudWatch Lambda Insights extension ARN, i.e. "arn:aws:lambda:<aws-region>:580247275435:layer:LambdaInsightsExtension:<version>", the Enhanced Monitoring feature is not enabled for the selected Amazon Lambda function.

05 Repeat step no. 3 and 4 for each Lambda function available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.

Remediation / Resolution

To enable enhanced monitoring for existing Amazon Lambda functions, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the function that you want to reconfigure.

05 Select the Configuration tab and choose Monitoring and operations tools from the left menu.

06 In the Monitoring and operations tools section, choose Edit to change the monitoring configuration for the selected function.

07 In the CloudWatch Lambda Insights section, toggle the Enhanced monitoring button to enable the Enhanced Monitoring feature for the selected Amazon Lambda function. When you enable the feature using the AWS Management Console, Amazon Lambda adds the required permissions to your function's execution role. Choose Save to apply the changes.

08 Repeat steps no. 4 – 7 to enable enhanced monitoring for each Amazon Lambda function available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for the other regions.

Using AWS CLI

01 Run get-function command (OSX/Linux/UNIX) to obtain the ARN of the execution role associated with the Amazon Lambda function that you want to reconfigure:

aws lambda get-function
  --region us-east-1
  --function-name cc-sqs-poller
  --query 'Configuration.Role'

02 The command output should return the requested role ARN:

"arn:aws:iam::123456789012:role/service-role/cc-sqs-poller-role-abcdabcd"

03 Run attach-role-policy command (OSX/Linux/UNIX) to attach the "CloudWatchLambdaInsightsExecutionRolePolicy" managed IAM policy to the function's execution role, returned at the previous step (the command does not produce an output):

aws iam attach-role-policy
  --role-name cc-sqs-poller-role-abcdabcd
  --policy-arn "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"

04 Run update-function-configuration command (OSX/Linux/UNIX) using the name of the Amazon Lambda function that you want to reconfigure as the identifier parameter, to install the CloudWatch Lambda Insights extension. Replace the ARN value for the --layers parameter with the ARN matching your AWS region and the extension version that you want to use (ideally, the latest version available). Once the CloudWatch Lambda Insights extension is installed, the Enhanced Monitoring feature is automatically enabled for the selected Lambda function:

aws lambda update-function-configuration
  --region us-east-1
  --function-name cc-sqs-poller
  --layers "arn:aws:lambda:us-east-1:580247275435:layer:LambdaInsightsExtension:14"

05 The command output should return the metadata available for the reconfigured function:

{
  "FunctionName": "cc-sqs-poller",
  "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:cc-sqs-poller",
  "Runtime": "python3.7",
  "Role": "arn:aws:iam::123456789012:role/service-role/cc-sqs-poller-role-abcdabcd",
  "Handler": "lambda_function.lambda_handler",
  "CodeSize": 550,
  "Timeout": 45,
  "MemorySize": 1024,
  "LastModified": "2021-08-30T10:00:00.000+0000",
  "Version": "$LATEST",
  "VpcConfig": {
    "SubnetIds": [
      "subnet-abcd1234",
      "subnet-1234abcd"
    ],
    "SecurityGroupIds": [
      "sg-01234abcd1234abcd"
    ],
    "VpcId": "vpc-abcdabcd"
  },
  "TracingConfig": {
    "Mode": "PassThrough"
  },
  "RevisionId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
  "Layers": [
    {
      "Arn": "arn:aws:lambda:us-east-1:580247275435:layer:LambdaInsightsExtension:12",
      "CodeSize": 4351068
    }
  ],
  "State": "Active",
  "LastUpdateStatus": "Successful",
  "PackageType": "Zip"
}

06 Repeat steps no. 1 – 5 to enable enhanced monitoring for each Amazon Lambda function available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 6 to perform the Remediation process for other regions.

References

AWS Command Line Interface (CLI) Documentation
lambda
list-functions
get-function
update-function-configuration
iam
attach-role-policy

Publication date Jan 14, 2021

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Enable Enhanced Monitoring for Lambda Functions

Risk Level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related Lambda rules