AWS-Lambda-Lambda-Log-Groups

Severity: High

Description: This control ensures that the Lambda function can log to its CloudWatch log group. By default, each Lambda function has a CloudWatch log group named /aws/lambda/<function name>, and the function's logs are forwarded to that log group automatically. For those logs to reach CloudWatch, the function's execution role must carry a policy with the permissions of AWSLambdaBasicExecutionRole, which allow writing to the function's log group.

Remediation Steps:

Perform the following steps to update the Lambda function's role policies:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the Lambda console.

  3. In the list of Lambda functions, select the function reported.

  4. Choose Configuration, then choose Permissions.

  5. Under Resource summary, review the services and resources that the function can access.

  6. Edit the Lambda execution role to attach the AWS managed policy AWSLambdaBasicExecutionRole so the function is allowed to write logs.

  7. Save changes.

Important:

The principle of least privilege should be upheld: assign the role only the restrictive permissions it needs.

Reference:

Blue Hexagon Proprietary