Collect Serverless Execution and Management Evidence
Collect per-invocation execution logs, management-plane audit events, and the deployed function package for the affected serverless workloads. Serverless evidence is short-lived and provider-specific; collect early.
Actions
1. Export execution logs: Lambda via CloudWatch Logs, GCF via Cloud Logging, Azure Functions via Application Insights / Log Analytics.
2. Export management-plane events for the function ARN / resource: CloudTrail for Lambda (`UpdateFunctionCode`, `UpdateFunctionConfiguration`), Cloud Audit Logs for GCF, Activity Log for Azure Functions.
3. Preserve the currently-deployed package: `aws lambda get-function`, `gcloud functions describe`, equivalent for Azure; download before any rollback.
4. Export distributed-trace data if enabled (AWS X-Ray, Cloud Trace, Application Insights traces) to reconstruct cross-service invocation chains.
5. Export the execution role's own API-call history during the window from the relevant cloud audit trail.
Queries
aws logs filter-log-events --log-group-name /aws/lambda/<function> --start-time $(date -d "-7 days" +%s)000
gcloud logging read 'resource.type="cloud_function" AND resource.labels.function_name="<name>"' --freshness=7d
Notes
Lambda GetFunction returns a time-limited download URL; script the flow to fetch immediately.
Serverless log retention is configurable; with short retention, critical evidence may already have rolled over.
Function environment variables are both evidence and an attack surface -- preserve, then rotate any secrets they contain.
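One way to script the GetFunction flow from the notes above, as an added example that is not part of the original playbook: it saves the full response, downloads the package at once, and checks it against the `CodeSha256` value Lambda reports. It assumes the AWS CLI, `jq`, `curl` and GNU coreutils are installed and that a plain function name is passed; the `evidence/` directory and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes AWS CLI, jq, curl and GNU
# coreutils; the evidence/ directory and file names are constructed.
set -eu

# True when FILE's SHA-256 equals the base64 digest Lambda reports as CodeSha256.
verify_code_sha256() {
    file=$1; expected_b64=$2
    expected_hex=$(printf '%s' "$expected_b64" | base64 -d | od -An -tx1 | tr -d ' \n')
    actual_hex=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$expected_hex" = "$actual_hex" ]
}

preserve_function() {
    fn=$1; outdir=${2:-evidence}
    ts=$(date -u +%Y%m%dT%H%M%SZ)
    meta="$outdir/$fn.$ts.get-function.json"
    pkg="$outdir/$fn.$ts.package.zip"
    umask 077   # the response carries environment variables and a presigned URL
    mkdir -p "$outdir"

    # Single GetFunction call so configuration, hash and URL describe one version.
    aws lambda get-function --function-name "$fn" --output json > "$meta"
    url=$(jq -r '.Code.Location // empty' "$meta")
    want=$(jq -r '.Configuration.CodeSha256' "$meta")
    if [ -z "$url" ]; then
        echo "no zip download URL (container image function?); see $meta" >&2
        return 2
    fi

    # Fetch straight away: the URL is time-limited.
    curl -fsS --retry 2 -o "$pkg" "$url"
    if ! verify_code_sha256 "$pkg" "$want"; then
        echo "HASH MISMATCH for $pkg (expected CodeSha256 $want)" >&2
        return 1
    fi
    # Record hashes of both artifacts for chain of custody.
    sha256sum "$meta" "$pkg" > "$outdir/$fn.$ts.sha256"
    echo "preserved $pkg"
}

# Run only when a function name is given, e.g.: sh preserve.sh <function>
if [ "$#" -gt 0 ]; then preserve_function "$@"; fi
```

The saved JSON contains the function's environment variables and the presigned URL, so store it with the same access restrictions as any other secret-bearing evidence.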