AWS Lambda Execution Logs

Cloud & SaaS, Cloud Infrastructure, AWS, AWS Lambda, Serverless, Cloud Control Plane, SIEM / Log Aggregator

Location

CloudWatch Logs log group `/aws/lambda/<function-name>`

Description

Per-invocation logs from AWS Lambda recording START/REPORT lines with request ID and duration, function stdout/stderr, and error traces. Primary forensic record for serverless compromise.

Forensic Value

Lambda execution logs show what each invocation did: inputs, outputs, error traces, timing anomalies, and any stdout-printed attacker activity. Combined with CloudTrail management events for the function, they reconstruct both the "who deployed" and "what happened during execution" dimensions.

Tools Required

AWS CLI, CloudWatch Logs Insights, SIEM with AWS connector

Collection Commands

AWS CLI

aws logs filter-log-events --log-group-name /aws/lambda/<function-name> --start-time $(date -d "-7 days" +%s)000 --output json > lambda_exec.json

Logs Insights

fields @timestamp, @message, @requestId | filter @message like /ERROR|Task timed out|Unhandled/ | sort @timestamp desc | limit 1000
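
The following Python is an added example, not part of the original entry or of any AWS tooling. It takes the structure of the `lambda_exec.json` export produced by the AWS CLI command above, rebuilds one record per request ID from the START/REPORT lines, and flags invocations whose output matches the Logs Insights filter terms or whose duration is a timing outlier. It assumes Lambda's default plain-text log format; `reconstruct`, `triage`, the `factor` threshold and the sample events are constructed for illustration.

```python
import re
from statistics import median

START = re.compile(r"^START RequestId: (\S+)")
REPORT = re.compile(r"^REPORT RequestId: (\S+)\s+Duration: ([\d.]+) ms")
SUSPECT = re.compile(r"ERROR|Task timed out|Unhandled")  # terms from the Logs Insights filter

def reconstruct(export):
    """Group filter-log-events output into one record per request ID."""
    inv, current = {}, {}  # request ID -> record; log stream -> last started request ID
    for ev in sorted(export["events"], key=lambda e: (e["logStreamName"], e["timestamp"])):
        stream, msg = ev["logStreamName"], ev["message"].rstrip()
        if m := START.match(msg) or REPORT.match(msg):
            rec = inv.setdefault(m.group(1), {"duration_ms": None, "lines": []})
            if m.re is START:
                current[stream] = m.group(1)
            else:
                rec["duration_ms"] = float(m.group(2))
        elif stream in current and not msg.startswith("END RequestId:"):
            # A log stream is one execution environment running one invocation at a
            # time, so other output belongs to the last START seen on that stream.
            inv[current[stream]]["lines"].append(msg)
    return inv

def triage(inv, factor=5.0):
    """Map request ID -> reasons to review; factor is an assumed outlier threshold."""
    durations = [r["duration_ms"] for r in inv.values() if r["duration_ms"] is not None]
    baseline = median(durations) if durations else None
    findings = {}
    for rid, r in inv.items():
        reasons = [line for line in r["lines"] if SUSPECT.search(line)]
        if r["duration_ms"] is None:
            reasons.append("no REPORT line in export")
        elif r["duration_ms"] > factor * baseline:
            reasons.append(f"duration {r['duration_ms']} ms > {factor}x median {baseline} ms")
        if reasons:
            findings[rid] = reasons
    return findings

# Constructed sample shaped like `filter-log-events` output; IDs and messages are made up.
OK, ERR, SLOW = (c * 8 + "-0000-0000-0000-000000000000" for c in "abc")
LINES = f"""s1 REPORT RequestId: {OK}\tDuration: 40.00 ms\tBilled Duration: 40 ms
s2 START RequestId: {SLOW} Version: $LATEST
s1 START RequestId: {ERR} Version: $LATEST
s1 [ERROR] KeyError: 'user'
s1 REPORT RequestId: {ERR}\tDuration: 50.00 ms\tBilled Duration: 50 ms
s2 2024-01-01T00:00:03.001Z {SLOW} Task timed out after 3.00 seconds
s2 REPORT RequestId: {SLOW}\tDuration: 3000.00 ms\tBilled Duration: 3000 ms""".splitlines()
SAMPLE = {"events": [{"logStreamName": ln[:2], "timestamp": 1000 + i, "message": ln[3:] + "\n"}
                     for i, ln in enumerate(LINES)]}
```

Against a real export, load the file with `json.load` and pass the result to `reconstruct`, then review the request IDs returned by `triage` alongside the CloudTrail management events for the function.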

Collection Constraints

  • Log retention is configurable per-log-group; default is never-expire, but many accounts set short retention
  • Logs produced at very high rate may be sampled by downstream SIEM ingestion

MITRE ATT&CK Techniques

T1648, T1078.004, T1496