Lambda functions tracing should be enabled¶

AWS X-Ray can be used to visualize the components of application, identify performance bottlenecks, and troubleshoot requests that resulted in an error. Lambda functions send trace data to X-Ray, and X-Ray processes the data to generate a service map and searchable trace summaries.

How to fix¶

Attribute tracing_config[0].mode of aws_lambda_function must be "Active".

Implementation options¶

Choose the option that matches how you manage Terraform. All options satisfy this control.

Option 1: Open source module (terraform-aws-modules)¶

If you use terraform-aws-modules/lambda/aws, configure the required module inputs to satisfy this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "lambda" {
  source  = "terraform-aws-modules/lambda/aws"
  version = ">=8.0.0"

  create_package         = false
  function_name          = "abc123"
  handler                = "index.lambda_handler"
  local_existing_package = "lambda_function.zip"
  runtime                = "python3.12"

  tracing_mode = "Active"
}

Option 2: Terraform AWS provider resources¶

If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_lambda_function.

resource "aws_lambda_function" "this" {
  filename         = "lambda_function.zip"
  function_name    = "pofix-example-function"
  handler          = "index.handler"
  role             = "arn:aws:iam::123456789012:role/example-role"
  runtime          = "python3.12"
  source_code_hash = "mock-source-code-hash"

  tracing_config {
    mode = "Active"
  }
}

Tool mappings¶

Use these identifiers to cross-reference this control across tools, reports, and evidence.

• Compliance.tf (CTF) Control: lambda_function_tracing_enabled

• Checkov Check: CKV_AWS_50

• Powerpipe Control: aws_compliance.control.lambda_function_tracing_enabled