Lambda Functions Without X-Ray Tracing

  • Query id: 71397b34-1d50-4ee1-97cb-c96c34676f74
  • Query name: Lambda Functions Without X-Ray Tracing
  • Platform: Ansible
  • Severity: Low
  • Category: Observability
  • CWE: 778
  • URL: Github

Description

AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: looped creation
  community.aws.lambda:
    name: '{{ item.name }}'
    state: present
    zip_file: '{{ item.zip_file }}'
    runtime: 'python2.7'
    role: 'arn:aws:iam::987654321012:role/lambda_basic_execution'
    handler: 'hello_python.my_handler'
    vpc_subnet_ids:
    - subnet-123abcde
    - subnet-edcba321
    vpc_security_group_ids:
    - sg-123abcde
    - sg-edcba321
    environment_variables: '{{ item.env_vars }}'
    tags:
      key1: 'value1'
  loop:
  - name: HelloWorld
    zip_file: hello-code.zip
    env_vars:
      key1: "first"
      key2: "second"
  - name: ByeBye
    zip_file: bye-code.zip
    env_vars:
      key1: "1"
      key2: "2"
- name: looped creation V2
  community.aws.lambda:
    name: '{{ item.name }}'
    state: present
    zip_file: '{{ item.zip_file }}'
    runtime: 'python2.7'
    role: 'arn:aws:iam::987654321012:role/lambda_basic_execution'
    handler: 'hello_python.my_handler'
    tracing_mode: "PassThrough"
    vpc_subnet_ids:
    - subnet-123abcde
    - subnet-edcba321
    vpc_security_group_ids:
    - sg-123abcde
    - sg-edcba321
    environment_variables: '{{ item.env_vars }}'
    tags:
      key1: 'value1'
  loop:
  - name: HelloWorld
    zip_file: hello-code.zip
    env_vars:
      key1: "first"
      key2: "second"
  - name: ByeBye
    zip_file: bye-code.zip
    env_vars:
      key1: "1"
      key2: "2"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: looped creation V3
  community.aws.lambda:
    name: '{{ item.name }}'
    state: present
    zip_file: '{{ item.zip_file }}'
    runtime: python2.7
    role: arn:aws:iam::987654321012:role/lambda_basic_execution
    handler: hello_python.my_handler
    tracing_mode: Active
    vpc_subnet_ids:
    - subnet-123abcde
    - subnet-edcba321
    vpc_security_group_ids:
    - sg-123abcde
    - sg-edcba321
    environment_variables: '{{ item.env_vars }}'
    tags:
      key1: value1
  loop:
  - name: HelloWorld
    zip_file: hello-code.zip
    env_vars:
      key1: first
      key2: second
  - name: ByeBye
    zip_file: bye-code.zip
    env_vars:
      key1: '1'
      key2: '2'