Lambda data events in CloudTrail Lambda management events in CloudTrail Using CloudTrail to troubleshoot disabled Lambda event sources Lambda event examples

Logging Amazon Lambda API calls using Amazon CloudTrail

Amazon Lambda is integrated with Amazon CloudTrail, a service that provides a record of actions taken by a user, role, or an Amazon Web Service. CloudTrail captures API calls for Lambda as events. The calls captured include calls from the Lambda console and code calls to the Lambda API operations. Using the information collected by CloudTrail, you can determine the request that was made to Lambda, the IP address from which the request was made, when it was made, and additional details.

Every event or log entry contains information about who generated the request. The identity information helps you determine the following:

Whether the request was made with root user or user credentials.
Whether the request was made on behalf of an IAM Identity Center user.
Whether the request was made with temporary security credentials for a role or federated user.
Whether the request was made by another Amazon Web Service.

CloudTrail is active in your Amazon Web Services account when you create the account and you automatically have access to the CloudTrail Event history. The CloudTrail Event history provides a viewable, searchable, downloadable, and immutable record of the past 90 days of recorded management events in an Amazon Web Services Region. For more information, see Working with CloudTrail Event history in the Amazon CloudTrail User Guide. There are no CloudTrail charges for viewing the Event history.

For an ongoing record of events in your Amazon Web Services account past 90 days, create a trail or a CloudTrail Lake event data store.

CloudTrail trails

A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. All trails created using the Amazon Web Services Management Console are multi-Region. You can create a single-Region or a multi-Region trail by using the Amazon CLI. Creating a multi-Region trail is recommended because you capture activity in all Amazon Web Services Regions in your account. If you create a single-Region trail, you can view only the events logged in the trail's Amazon Web Services Region. For more information about trails, see Creating a trail for your Amazon Web Services account and Creating a trail for an organization in the Amazon CloudTrail User Guide.

You can deliver one copy of your ongoing management events to your Amazon S3 bucket at no charge from CloudTrail by creating a trail, however, there are Amazon S3 storage charges. For more information about CloudTrail pricing, see Amazon CloudTrail Pricing. For information about Amazon S3 pricing, see Amazon S3 Pricing.

CloudTrail Lake event data stores

CloudTrail Lake lets you run SQL-based queries on your events. CloudTrail Lake converts existing events in row-based JSON format to Apache ORC format. ORC is a columnar storage format that is optimized for fast retrieval of data. Events are aggregated into event data stores, which are immutable collections of events based on criteria that you select by applying advanced event selectors. The selectors that you apply to an event data store control which events persist and are available for you to query. For more information about CloudTrail Lake, see Working with Amazon CloudTrail Lake in the Amazon CloudTrail User Guide.

CloudTrail Lake event data stores and queries incur costs. When you create an event data store, you choose the pricing option you want to use for the event data store. The pricing option determines the cost for ingesting and storing events, and the default and maximum retention period for the event data store. For more information about CloudTrail pricing, see Amazon CloudTrail Pricing.

Lambda data events in CloudTrail

Data events provide information about the resource operations performed on or in a resource (for example, reading or writing to an Amazon S3 object). These are also known as data plane operations. Data events are often high-volume activities. By default, CloudTrail doesn’t log most data events, and the CloudTrail Event history doesn't record them.

One CloudTrail data event that is logged by default for supported services is LambdaESMDisabled. To learn more about using this event to help troubleshoot issues with Lambda event source mappings, see Using CloudTrail to troubleshoot disabled Lambda event sources.

Additional charges apply for data events. For more information about CloudTrail pricing, see Amazon CloudTrail Pricing.

You can log data events for the AWS::Lambda::Function resource type by using the CloudTrail console, Amazon CLI, or CloudTrail API operations. For more information about how to log data events, see Logging data events with the Amazon Web Services Management Console and Logging data events with the Amazon Command Line Interface in the Amazon CloudTrail User Guide.

The following table lists the Lambda resource type for which you can log data events. The Data event type (console) column shows the value to choose from the Data event type list on the CloudTrail console. The resources.type value column shows the resources.type value, which you would specify when configuring advanced event selectors using the Amazon CLI or CloudTrail APIs. The Data APIs logged to CloudTrail column shows the API calls logged to CloudTrail for the resource type.

Data event type (console)	resources.type value	Data APIs logged to CloudTrail
Lambda	`AWS::Lambda::Function`	Invoke

You can configure advanced event selectors to filter on the eventName, readOnly, and resources.ARN fields to log only those events that are important to you. The following example is the JSON view of a data event configuration that logs events for a specific function only. For more information about these fields, see AdvancedFieldSelector in the Amazon CloudTrail API Reference.


[
  {
    "name": "function-invokes",
    "fieldSelectors": [
      {
        "field": "eventCategory",
        "equals": [
          "Data"
        ]
      },
      {
        "field": "resources.type",
        "equals": [
          "AWS::Lambda::Function"
        ]
      },
      {
        "field": "resources.ARN",
        "equals": [
          "arn:aws:lambda:us-east-1:111122223333:function:hello-world"
        ]
      }
    ]
  }
]

Lambda management events in CloudTrail

Management events provide information about management operations that are performed on resources in your Amazon Web Services account. These are also known as control plane operations. By default, CloudTrail logs management events.

Lambda supports logging the following actions as management events in CloudTrail log files.

Note

In the CloudTrail log file, the eventName might include date and version information, but it is still referring to the same public API action. For example the, GetFunction action appears as GetFunction20150331v2. The following list specifies when the event name differs from the API action name.

AddLayerVersionPermission
AddPermission (event name: AddPermission20150331v2)
CreateAlias (event name: CreateAlias20150331)
CreateEventSourceMapping (event name: CreateEventSourceMapping20150331)
CreateFunction (event name: CreateFunction20150331)

(The Environment and ZipFile parameters are omitted from the CloudTrail logs for CreateFunction.)
CreateFunctionUrlConfig
DeleteAlias (event name: DeleteAlias20150331)
DeleteCodeSigningConfig
DeleteEventSourceMapping (event name: DeleteEventSourceMapping20150331)
DeleteFunction (event name: DeleteFunction20150331)
DeleteFunctionConcurrency (event name: DeleteFunctionConcurrency20171031)
DeleteFunctionUrlConfig
DeleteProvisionedConcurrencyConfig
GetAlias (event name: GetAlias20150331)
GetEventSourceMapping
GetFunction
GetFunctionUrlConfig
GetFunctionConfiguration
GetLayerVersionPolicy
GetPolicy
ListEventSourceMappings
ListFunctions
ListFunctionUrlConfigs
PublishLayerVersion (event name: PublishLayerVersion20181031)

(The ZipFile parameter is omitted from the CloudTrail logs for PublishLayerVersion.)
PublishVersion (event name: PublishVersion20150331)
PutFunctionConcurrency (event name: PutFunctionConcurrency20171031)
PutFunctionCodeSigningConfig
PutFunctionEventInvokeConfig
PutProvisionedConcurrencyConfig
PutRuntimeManagementConfig
RemovePermission (event name: RemovePermission20150331v2)
TagResource (event name: TagResource20170331v2)
UntagResource (event name: UntagResource20170331v2)
UpdateAlias (event name: UpdateAlias20150331)
UpdateCodeSigningConfig
UpdateEventSourceMapping (event name: UpdateEventSourceMapping20150331)
UpdateFunctionCode (event name: UpdateFunctionCode20150331v2)

(The ZipFile parameter is omitted from the CloudTrail logs for UpdateFunctionCode.)
UpdateFunctionConfiguration (event name: UpdateFunctionConfiguration20150331v2)

(The Environment parameter is omitted from the CloudTrail logs for UpdateFunctionConfiguration.)
UpdateFunctionEventInvokeConfig
UpdateFunctionUrlConfig

Using CloudTrail to troubleshoot disabled Lambda event sources

When you change the state of an event source mapping using the UpdateEventSourceMapping API action, the API call is logged as a management event in CloudTrail. Event source mappings can can also transition directly to the Disabled state due to errors.

For the following services, Lambda publishes the LambdaESMDisabled data event to CloudTrail when your event source transitions to the Disabled state:

Amazon Simple Queue Service (Amazon SQS)
Amazon DynamoDB
Amazon Kinesis

Lambda doesn't support this event for any other event source mapping types.

To receive alerts when event source mappings for supported services transition to the Disabled state, set up an alarm in Amazon CloudWatch using the LambdaESMDisabled CloudTrail event. To learn more about setting up a CloudWatch alarm, see Creating CloudWatch alarms for CloudTrail events: examples.

The serviceEventDetails entity in the LambdaESMDisabled event message contains one of the following error codes.

RESOURCE_NOT_FOUND: The resource specified in the request does not exist.
FUNCTION_NOT_FOUND: The function attached to the event source does not exist.
REGION_NAME_NOT_VALID: A Region name provided to the event source or function is invalid.
AUTHORIZATION_ERROR: Permissions have not been set, or are misconfigured.
FUNCTION_IN_FAILED_STATE: The function code does not compile, has encountered an unrecoverable exception, or a bad deployment has occurred.

Lambda event examples

An event represents a single request from any source and includes information about the requested API operation, the date and time of the operation, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so events don't appear in any specific order.

The following example shows CloudTrail log entries for the GetFunction and DeleteFunction actions.

Note

The eventName might include date and version information, such as "GetFunction20150331", but it is still referring to the same public API.


{
  "Records": [
    {
      "eventVersion": "1.03",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "A1B2C3D4E5F6G7EXAMPLE",
        "arn": "arn:aws-cn:iam::111122223333:user/myUserName",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "myUserName"
      },
      "eventTime": "2015-03-18T19:03:36Z",
      "eventSource": "lambda.amazonaws.com",
      "eventName": "GetFunction",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "127.0.0.1",
      "userAgent": "Python-httplib2/0.8 (gzip)",
      "errorCode": "AccessDenied",
      "errorMessage": "User: arn:aws-cn:iam::111122223333:user/myUserName is not authorized to perform: lambda:GetFunction on resource: arn:aws-cn:lambda:us-west-2:111122223333:function:other-acct-function",
      "requestParameters": null,
      "responseElements": null,
      "requestID": "7aebcd0f-cda1-11e4-aaa2-e356da31e4ff",
      "eventID": "e92a3e85-8ecd-4d23-8074-843aabfe89bf",
      "eventType": "AwsApiCall",
      "recipientAccountId": "111122223333"
    },
    {
      "eventVersion": "1.03",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "A1B2C3D4E5F6G7EXAMPLE",
        "arn": "arn:aws-cn:iam::111122223333:user/myUserName",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "myUserName"
      },
      "eventTime": "2015-03-18T19:04:42Z",
      "eventSource": "lambda.amazonaws.com",
      "eventName": "DeleteFunction20150331",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "127.0.0.1",
      "userAgent": "Python-httplib2/0.8 (gzip)",
      "requestParameters": {
        "functionName": "basic-node-task"
      },
      "responseElements": null,
      "requestID": "a2198ecc-cda1-11e4-aaa2-e356da31e4ff",
      "eventID": "20b84ce5-730f-482e-b2b2-e8fcc87ceb22",
      "eventType": "AwsApiCall",
      "recipientAccountId": "111122223333"
    }
  ]
}

For information about CloudTrail record contents, see CloudTrail record contents in the Amazon CloudTrail User Guide.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

CloudTrail

CloudWatch Logs