AWS Lambda

Lambda Missing Log Groups

This plugin ensures that each Lambda function is associated with a valid log group.

Risk Level: Medium

Description:

This plugin checks that every Lambda function in the account has a CloudWatch Logs log group. Lambda creates the group itself, named /aws/lambda/<FunctionName>, the first time the function is invoked, but only if the function's execution role is allowed to call logs:CreateLogGroup. A function with no log group has therefore either never been invoked or is running with a role that cannot create one; in the second case its invocations, errors and timeouts leave no record at all.

About the Service:

AWS Lambda is a serverless compute service: you upload code as a ZIP file or container image and Lambda runs it in response to requests or events, allocating compute for each invocation and scaling automatically, so there are no servers, cluster scaling logic, or runtimes to manage. Because there is no host to log in to, the function's CloudWatch Logs output is the only record of what it did.

Impact :

Without a log group the function's START/END/REPORT records, application output and error traces are never written anywhere. Failures go unnoticed, there is no audit trail for incident response or forensics, and nothing can alert on misuse of the function.

Steps to reproduce :

  1. Sign in to your AWS console.
  2. Navigate to the CloudWatch dashboard at: https://us-east-2.console.aws.amazon.com/cloudwatch/ (the URL is region-specific; switch to the region the function is deployed in).
  3. In the left navigation panel that appears under the heading CloudWatch, select Logs, and under it select Log groups.


  4. From all the log groups that appear, check whether a log group for the Lambda function in question exists. Its name must follow one of these formats:
    • /aws/lambda/<FunctionName>
    • /aws/lambda/<region>.<FunctionName> (used by Lambda@Edge, whose logs are written in the region that executed the function)


Steps for remediation :

Two things are needed: the function's execution role must be allowed to write logs (the AWS-managed AWSLambdaBasicExecutionRole policy grants logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents), and a log group with the exact name Lambda expects must exist. With logs:CreateLogGroup in the role, Lambda creates the group on the next invocation; otherwise create it manually as follows.

  1. Sign in to your AWS console.
  2. Navigate to the CloudWatch dashboard at: https://us-east-2.console.aws.amazon.com/cloudwatch/ (the URL is region-specific; switch to the region the function is deployed in).
  3. In the left navigation panel that appears under the heading CloudWatch, select Logs, and under it select Log groups.
  4. From all the log groups that appear, check whether a log group for the Lambda function exists under one of these names:
    • /aws/lambda/<FunctionName>
    • /aws/lambda/<region>.<FunctionName> (Lambda@Edge)
  5. If it does not, select Create log group at the top right of the Log groups panel.
  6. Enter the log group name exactly as above (Lambda matches the group to the function by name, so a typo produces an unused group) and, optionally, a retention period, then click Create.
  7. Lambda writes to the group on the function's next invocation, provided the execution role has the logs:CreateLogStream and logs:PutLogEvents permissions.
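The check (step 4 above) and the remediation (steps 5 to 7, plus the execution-role permissions) as one script, added here as an example; it is not the plugin's own code and not from AWS documentation. The naming and policy logic runs offline on plain Python data so it can be tested; the two functions that talk to AWS assume boto3 is installed and credentials are configured. The function names, log group names and policy document in the `__main__` block are constructed for illustration.

```python
"""Added example: audit Lambda functions for missing CloudWatch log groups.

Not the plugin's own code. The naming and policy checks run on plain Python
data; only audit_account() and create_missing_log_group() need boto3 and
AWS credentials. Sample data under __main__ is constructed, not real output.
"""
import fnmatch

# The three permissions the AWS-managed AWSLambdaBasicExecutionRole policy grants.
REQUIRED_LOG_ACTIONS = (
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
)


def expected_log_group_names(function_name, region):
    """Both names the plugin accepts: the standard form and the Lambda@Edge
    form, where the group lives in the region that executed the function."""
    return {
        f"/aws/lambda/{function_name}",
        f"/aws/lambda/{region}.{function_name}",
    }


def find_missing_log_groups(function_names, log_group_names, region):
    """Step 4 of the check: functions for which neither accepted group exists."""
    existing = set(log_group_names)
    return sorted(
        name for name in function_names
        if not expected_log_group_names(name, region) & existing
    )


def missing_log_permissions(policy_document):
    """Required CloudWatch Logs actions that no Allow statement grants.

    IAM action matching is case-insensitive and accepts * and ? wildcards,
    so "logs:*" satisfies all three. Deny statements, resource scoping and
    permission boundaries are not evaluated: an empty result is necessary,
    not sufficient, for the role to be able to log."""
    allowed = []
    for statement in policy_document.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        allowed.extend(a.lower() for a in actions)
    return [
        need for need in REQUIRED_LOG_ACTIONS
        if not any(fnmatch.fnmatchcase(need.lower(), pat) for pat in allowed)
    ]


def audit_account(region):
    """Live version of the check: list every function and every /aws/lambda/
    log group in the region (assumes boto3 and configured credentials)."""
    import boto3  # imported here so the offline helpers do not need the SDK

    lam = boto3.client("lambda", region_name=region)
    logs = boto3.client("logs", region_name=region)
    functions = [
        f["FunctionName"]
        for page in lam.get_paginator("list_functions").paginate()
        for f in page["Functions"]
    ]
    groups = [
        g["logGroupName"]
        for page in logs.get_paginator("describe_log_groups").paginate(
            logGroupNamePrefix="/aws/lambda/"
        )
        for g in page["logGroups"]
    ]
    return find_missing_log_groups(functions, groups, region)


def create_missing_log_group(function_name, region, retention_days=30):
    """Remediation steps 5 to 7: create the standard-named group and set a
    retention period (a new group otherwise defaults to "never expire").
    Assumes boto3 and configured credentials."""
    import boto3

    logs = boto3.client("logs", region_name=region)
    name = f"/aws/lambda/{function_name}"
    try:
        logs.create_log_group(logGroupName=name)
    except logs.exceptions.ResourceAlreadyExistsException:
        pass  # idempotent: rerunning the remediation is safe
    logs.put_retention_policy(logGroupName=name, retentionInDays=retention_days)
    return name


if __name__ == "__main__":
    # Constructed sample inventory standing in for the API responses.
    sample_functions = ["api-handler", "edge-auth", "nightly-report"]
    sample_groups = ["/aws/lambda/api-handler", "/aws/lambda/us-east-2.edge-auth"]
    print(find_missing_log_groups(sample_functions, sample_groups, "us-east-2"))

    # Constructed execution-role policy that lacks logs:CreateLogGroup.
    sample_policy = {"Statement": [{"Effect": "Allow",
                                    "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                                    "Resource": "arn:aws:logs:*:*:*"}]}
    print(missing_log_permissions(sample_policy))
```

Run `find_missing_log_groups` on the constructed sample and only `nightly-report` is reported, because `edge-auth` is covered by the Lambda@Edge name. A role that can write log streams but not create the group, as in `sample_policy`, is exactly the case where the console remediation above is needed; attaching AWSLambdaBasicExecutionRole instead lets Lambda create the group on the next invocation. The policy check deliberately ignores Deny statements and resource ARNs, so treat an empty result as "nothing obviously missing" rather than proof the role can log.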

References: