Which solution will meet these requirements with the LEAST operational overhead?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company’s security engineer must record when specific AWS Lambda functions are invoked.The logs must include the AWS principal that invoked the function.External sources and the company’s developers deliver the Lambda function code by using a variety of languages such as Python, Node.js, and Golang.The security engineer has created an AWS CloudTrail trail with default configuration for the AWS account.

Which solution will meet these requirements with the LEAST operational overhead?

Update the Lambda function code to extract the AWS principal from the Lambda context and to write a log entry when the function to be monitored is invoked.

Use Amazon EventBridge (Amazon CloudWatch Events) to configure a rule and custom pattern for lambda:invoke events with a filter on the functions to monitor. Invoke another Lambda function to write the EventBridge (CloudWatch Events) data to Amazon CloudWatch Logs.

Modify the existing CloudTrail trail. Configure the existing CloudTrail trail to monitor Lambda functions as data events.

Create a Lambda layer that provides CloudTrail with a log event that includes the Lambda context when the function is invoked. Attach this layer to all Lambda functions that must be monitored.

Explanations:

Updating the Lambda function code to extract the AWS principal and write log entries adds operational overhead as it requires modifications to each individual function, increasing the maintenance burden. Additionally, not all functions might need this logging, leading to inconsistent logging practices.

While using Amazon EventBridge to monitorlambda:invokeevents could log the necessary information, it still requires the creation and maintenance of an additional Lambda function to write logs, which increases operational complexity. This method also involves more setup than necessary since AWS CloudTrail can natively log the invocations.

Modifying the existing CloudTrail trail to monitor Lambda functions as data events is the most efficient approach. It leverages the existing CloudTrail infrastructure to capture invocation events and automatically log them, including the AWS principal. This option has minimal operational overhead as it does not require changes to function code or additional services.

Creating a Lambda layer to provide CloudTrail with log events requires additional development and maintenance effort. Attaching this layer to all monitored functions also adds complexity. Furthermore, it does not utilize the existing capabilities of CloudTrail effectively, making it less efficient compared to option C.

2025-10-14

1 Comment

  1. Ethan
    Author

    In my opinion, the answer is:
    Modify the existing CloudTrail trail. Configure the existing CloudTrail trail to monitor Lambda functions as data events.

Leave a Reply

Your email address will not be published. Required fields are marked *

nine + 16 =