AWS Certified Security – Specialty — Question 412
A company’s security engineer must record when specific AWS Lambda functions are invoked. The logs must include the AWS principal that invoked the function. External sources and the company’s developers deliver the Lambda function code by using a variety of languages such as Python, Node.js, and Golang. The security engineer has created an AWS CloudTrail trail with default configuration for the AWS account.
Which solution will meet these requirements with the LEAST operational overhead?
Answer options
- A. Update the Lambda function code to extract the AWS principal from the Lambda context and to write a log entry when the function to be monitored is invoked.
- B. Use Amazon EventBridge (Amazon CloudWatch Events) to configure a rule and custom pattern for lambda:invoke events with a filter on the functions to monitor. Invoke another Lambda function to write the EventBridge (CloudWatch Events) data to Amazon CloudWatch Logs.
- C. Modify the existing CloudTrail trail. Configure the existing CloudTrail trail to monitor Lambda functions as data events.
- D. Create a Lambda layer that provides CloudTrail with a log event that includes the Lambda context when the function is invoked. Attach this layer to all Lambda functions that must be monitored.
Correct answer: C
Explanation
AWS CloudTrail data events capture resource-level operations, such as the invocation of AWS Lambda functions, which includes the identity of the invoking AWS principal. Enabling Lambda data events on the existing CloudTrail trail requires no code modifications or additional infrastructure, making it the option with the least operational overhead. Other options involving code updates, custom layers, or EventBridge rules require development effort and ongoing maintenance across multiple programming languages.
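As an added example (not part of the question bank or of any AWS documentation), the two halves of option C in code: the event-selector document that enables Lambda data events for the monitored functions on the existing trail, and a small reader that pulls the invoking principal out of the resulting CloudTrail records. All ARNs, account numbers and records below are constructed; the record shape follows CloudTrail's Lambda `Invoke` data events.

```python
import json

# Functions the security engineer wants recorded (constructed ARNs).
MONITORED = {"arn:aws:lambda:us-east-1:123456789012:function:payments"}


def event_selectors(monitored):
    """Event-selector document for `aws cloudtrail put-event-selectors`.
    Selecting AWS::Lambda::Function data resources is what makes the
    trail log each Invoke call, including the caller's userIdentity."""
    return [{
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        "DataResources": [{"Type": "AWS::Lambda::Function",
                           "Values": sorted(monitored)}],
    }]


def invocations_of(log_text, monitored):
    """Parse one CloudTrail log file ({"Records": [...]}) and return
    (eventTime, principal ARN, function ARN) for every Invoke data event
    that targets a monitored function. Management events are skipped."""
    hits = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        if rec.get("eventName") != "Invoke":
            continue  # e.g. UpdateFunctionCode is a management event
        fn_arns = {r["ARN"] for r in rec.get("resources", [])
                   if r.get("type") == "AWS::Lambda::Function"}
        for arn in sorted(fn_arns & set(monitored)):
            hits.append((rec["eventTime"], rec["userIdentity"].get("arn"), arn))
    return hits


# Constructed sample log file with two invocations and one management event.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "eventTime": "2024-01-01T12:00:00Z",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "resources": [{"type": "AWS::Lambda::Function",
                    "ARN": "arn:aws:lambda:us-east-1:123456789012:function:payments"}]},
    {"eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "eventTime": "2024-01-01T12:05:00Z",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"},
     "resources": [{"type": "AWS::Lambda::Function",
                    "ARN": "arn:aws:lambda:us-east-1:123456789012:function:reporting"}]},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2",
     "eventTime": "2024-01-01T12:10:00Z",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "resources": [{"type": "AWS::Lambda::Function",
                    "ARN": "arn:aws:lambda:us-east-1:123456789012:function:payments"}]},
]})

if __name__ == "__main__":
    print(json.dumps(event_selectors(MONITORED), indent=2))
    for when, who, fn in invocations_of(SAMPLE_LOG, MONITORED):
        print(f"{when} {who} invoked {fn}")
```

Only the `payments` invocation by `alice` is reported; the `reporting` call is not monitored and the code update is a management event rather than a data event.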