AWS Lambda function invocations are recorded as CloudTrail data events when trails include AWS::Lambda::Function resources.
The finding reflects whether a function's Invoke activity is being logged by an eligible trail.
Risk
Without Lambda Invoke data events, per-invocation accountability is lost. Adversaries or misused automation can run code without an audit trail, obscuring actor, time, and source. This hinders forensics and enables covert exfiltration or unauthorized changes, impacting confidentiality and integrity.
prowler aws --checks awslambda_function_invoke_api_operations_cloudtrail_logging_enabled
Recommendation
Enable CloudTrail data event logging for AWS::Lambda::Function to capture Invoke calls across required Regions and accounts. Apply least privilege selectors to scope events, centralize logs with strong retention, and integrate alerts for anomalous invokes as part of defense in depth.
Remediation
aws cloudtrail put-event-selectors --trail-name <example_resource_name> --advanced-event-selectors '[{"FieldSelectors":[{"Field":"eventCategory","Equals":["Data"]},{"Field":"resources.type","Equals":["AWS::Lambda::Function"]}]}]'
- In the AWS Console, go to CloudTrail > Trails
- Select your trail and click Edit or Event logging
- Under Data events, choose Add data event selector (or Edit)
- Select Lambda function and choose to log data events for all functions (or specify functions)
- Save changes
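To show what "logged by an eligible trail" means in practice, here is an added example (not Prowler's own check code) that evaluates trail descriptions in the shape returned by describe-trails and get-event-selectors. It assumes a trail is eligible when it is logging and is either multi-region or homed in the function's Region; the trail names, account id and function ARNs are constructed placeholders, and exclusion operators (NotEquals, NotStartsWith) and readOnly filters are not modelled.

```python
# Added example: does any eligible CloudTrail trail log Lambda data events for a function?
LAMBDA_TYPE = "AWS::Lambda::Function"

def _legacy_covers(selectors, function_arn):
    """Legacy EventSelectors: DataResources of Type Lambda; Values are ARN prefixes
    ("arn:aws:lambda" means every function)."""
    return any(function_arn.startswith(v)
               for sel in selectors
               for res in sel.get("DataResources", []) if res.get("Type") == LAMBDA_TYPE
               for v in res.get("Values", []))

def _advanced_covers(selectors, function_arn):
    """AdvancedEventSelectors: eventCategory=Data and resources.type=Lambda,
    optionally narrowed by a resources.ARN Equals/StartsWith field."""
    for sel in selectors:
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if "Data" not in fields.get("eventCategory", {}).get("Equals", []):
            continue
        if LAMBDA_TYPE not in fields.get("resources.type", {}).get("Equals", []):
            continue
        arn = fields.get("resources.ARN")
        if arn is None:  # no ARN restriction: every function is in scope
            return True
        if function_arn in arn.get("Equals", []) or any(
                function_arn.startswith(p) for p in arn.get("StartsWith", [])):
            return True
    return False

def covering_trails(function_arn, trails):
    """Names of logging trails whose Region scope and selectors cover the function."""
    region = function_arn.split(":")[3]
    return [t["Name"] for t in trails
            if t.get("IsLogging")
            and (t.get("IsMultiRegionTrail") or t.get("HomeRegion") == region)
            and (_legacy_covers(t.get("EventSelectors", []), function_arn)
                 or _advanced_covers(t.get("AdvancedEventSelectors", []), function_arn))]

# Constructed sample trails (placeholder names and account id)
SAMPLE_TRAILS = [
    {"Name": "mgmt-only", "IsLogging": True, "IsMultiRegionTrail": True,
     "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    {"Name": "eu-legacy", "IsLogging": True, "IsMultiRegionTrail": False, "HomeRegion": "eu-west-1",
     "EventSelectors": [{"DataResources": [{"Type": LAMBDA_TYPE, "Values": ["arn:aws:lambda"]}]}]},
    {"Name": "lambda-adv", "IsLogging": True, "IsMultiRegionTrail": True,
     "AdvancedEventSelectors": [{"FieldSelectors": [
         {"Field": "eventCategory", "Equals": ["Data"]},
         {"Field": "resources.type", "Equals": [LAMBDA_TYPE]},
         {"Field": "resources.ARN", "StartsWith": ["arn:aws:lambda:us-east-1:123456789012:function:pay-"]}]}]},
    {"Name": "stopped", "IsLogging": False, "IsMultiRegionTrail": True,
     "AdvancedEventSelectors": [{"FieldSelectors": [
         {"Field": "eventCategory", "Equals": ["Data"]},
         {"Field": "resources.type", "Equals": [LAMBDA_TYPE]}]}]},
]
```

A function with an empty result from covering_trails is the FAIL case this check reports; note that "stopped" would pass a selector-only review but is excluded because it is not logging.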
Resource Type
AwsLambdaFunction