Control: 4.2 Ensure Cloudwatch Lambda insights is enabled
Description
Ensure that Amazon CloudWatch Lambda Insights is enabled for your Amazon Lambda functions for enhanced monitoring.
Amazon CloudWatch Lambda Insights allows you to monitor, troubleshoot, and optimize your Lambda functions. The service collects system-level metrics and summarizes diagnostic information to help you identify issues with your Lambda functions and resolve them as soon as possible. CloudWatch Lambda Insights collects system-level metrics and emits a single performance log event for every invocation of that Lambda function.
Remediation
From the Console:
1. Log in to the AWS Console using https://console.aws.amazon.com/lambda/.
2. Click Functions.
3. Click on the name of the function.
4. Click on the Configuration tab.
5. Click on 'Monitoring and operations tools'.
6. In the Monitoring and operations tools section click Edit to update the monitoring configuration.
7. In the CloudWatch Lambda Insights section click the Enhanced monitoring button to enable.
   Note - When you enable the feature using the AWS Management Console, Amazon Lambda adds the required permissions to your function's execution role.
8. Click Save.
9. Repeat steps 2-8 for each Lambda function within the current region that fails the Audit.
10. Then repeat the Audit process for all other regions.
 
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_compute_service_v100_4_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_4_2 --share
SQL
This control uses a named query:
select
  arn as resource,
  case
    when exists (
      select 1
      from jsonb_array_elements(layers) as l
      where l ->> 'Arn' like '%:layer:LambdaInsightsExtension:%'
    ) then 'ok'
    else 'alarm'
  end as status,
  case
    when exists (
      select 1
      from jsonb_array_elements(layers) as l
      where l ->> 'Arn' like '%:layer:LambdaInsightsExtension:%'
    ) then title || ' CloudWatch Insights enabled.'
    else title || ' CloudWatch Insights disabled.'
  end as reason,
  region,
  account_id
from
  aws_lambda_function;
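
The same layer check as the named query, as an added Python example (not part of the control or the aws_compliance mod), run over constructed function records shaped like the Lambda ListFunctions response. The account ID, function names and layer versions are constructed, `variant_only` is a hypothetical field, and two points are assumptions not stated on this page: that `title` is the function name, and that arm64 functions use a layer named `LambdaInsightsExtension-Arm64`, which the query's pattern would report as 'alarm'.

```python
import re

# Same test as the named query: LIKE '%:layer:LambdaInsightsExtension:%'.
QUERY_MATCH = ":layer:LambdaInsightsExtension:"
# Assumption (not from the page): arm64 functions attach a layer named
# LambdaInsightsExtension-Arm64, which the pattern above does not match.
ANY_VARIANT = re.compile(r":layer:LambdaInsightsExtension(-Arm64)?:\d+$")

ARN = "arn:aws:lambda:us-east-1:111122223333:"  # constructed account and region

# Constructed records in the shape of the Lambda ListFunctions response.
SAMPLE = [
    {"FunctionName": "orders-api", "FunctionArn": ARN + "function:orders-api",
     "Layers": [{"Arn": ARN + "layer:LambdaInsightsExtension:1"}]},
    {"FunctionName": "thumbnailer", "FunctionArn": ARN + "function:thumbnailer"},
    {"FunctionName": "etl-arm", "FunctionArn": ARN + "function:etl-arm",
     "Layers": [{"Arn": ARN + "layer:LambdaInsightsExtension-Arm64:1"}]},
    {"FunctionName": "reports", "FunctionArn": ARN + "function:reports",
     "Layers": [{"Arn": ARN + "layer:shared-libs:7"}]},
]


def evaluate(fn):
    """Return one row shaped like the control's output for a function record."""
    # A function with no layers has no 'Layers' key; treat it as an empty list.
    arns = [layer.get("Arn", "") for layer in fn.get("Layers") or []]
    ok = any(QUERY_MATCH in arn for arn in arns)
    state = "enabled" if ok else "disabled"
    return {
        "resource": fn["FunctionArn"],
        "status": "ok" if ok else "alarm",
        # Assumption: the query's `title` column is the function name.
        "reason": f"{fn['FunctionName']} CloudWatch Insights {state}.",
        # Hypothetical extra field: alarm raised although a variant layer is attached.
        "variant_only": not ok and any(ANY_VARIANT.search(a) for a in arns),
    }


def failing(functions):
    """Rows the control would report as 'alarm'."""
    return [row for row in map(evaluate, functions) if row["status"] == "alarm"]


if __name__ == "__main__":
    for row in map(evaluate, SAMPLE):
        note = "  <- Insights layer variant attached" if row["variant_only"] else ""
        print(f"{row['status']:5} {row['reason']}{note}")
```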