Tracing AWS SDK Calls With No Code Changes for AWS Lambda Security

There is a lot of buzz around Lambda function monitoring. You can find about a dozen companies that will provide you with very nice tools for debugging, profiling and monitoring of your AWS Lambda functions. AWS also offers its own services that can help you with the visibility issue: AWS X-Ray and AWS Cloudtrail, which we recently wrote about in a guest blog post over at Serverless.com.

In this blog post, I will share with you a method to achieve some basic level of visibility into aws-sdk API calls, using one single environment variable – this capability was added to the AWS SDK about a year ago, and went unnoticed by many people. Using this capability, you can enhance your AWS Lambda security, and  follow AWS security best practices – specifically, least-privileged IAM roles.

All you need to do, is just set the following environment variable, and you’re good to go:

AWSJS_DEBUG=ON

Simple right?

To demonstrate the feature I deployed the `image-resizer-service` application from the AWS Serverless App repo and then added the environment variable to the ‘ResizeFunction’.

image1_trace

As you can see, the function code is minified, which makes adding instrumentation logic extremely challenging.

Now, let’s trigger the function and check the CloudWatch logs.

image2_trace

As we can see, the only API it uses is S3:GetObject, however, its assigned IAM role includes few other actions. Seems like the function is over-privileged:

image3_traceYou can read more about over-privileged roles HERE.

We hope that you found this useful – Happy Tracing!

*** This is a Security Bloggers Network syndicated blog from PureSec Blog (Launch) authored by Yuri Shapira. Read the original post at: https://www.puresec.io/blog/aws-lambda-security-tracing-aws-sdk-calls-without-instrumentation