Lambda functions tracing should be enabled
Without tracing, Lambda invocations are black boxes. When a function times out, throws an exception, or introduces latency in a service chain, you have little visibility beyond CloudWatch logs. X-Ray tracing captures the full request path, including downstream calls to DynamoDB, S3, or other services, letting you pinpoint exactly where failures and bottlenecks occur.
Enabling tracing at the function level costs almost nothing (X-Ray free tier covers 100,000 traces per month) but pays off immediately during incident response. Cold start latency, SDK call durations, and fault rates all become queryable without any custom instrumentation.
Implementation
Choose the approach that matches how you manage Terraform.
Use the compliance.tf module to enforce this control by default. See get started with compliance.tf.
```hcl
module "lambda" {
  source                 = "registry.compliance.tf/terraform-aws-modules/lambda/aws"
  version                = ">=8.0.0"
  create_package         = false
  function_name          = "abc123"
  handler                = "index.lambda_handler"
  local_existing_package = "lambda_function.zip"
  runtime                = "python3.12"
}
```
This control is enforced automatically with Compliance.tf modules.
If you use terraform-aws-modules/lambda/aws, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.
```hcl
module "lambda" {
  source                 = "terraform-aws-modules/lambda/aws"
  version                = ">=8.0.0"
  create_package         = false
  function_name          = "abc123"
  handler                = "index.lambda_handler"
  local_existing_package = "lambda_function.zip"
  runtime                = "python3.12"
  tracing_mode           = "Active"
}
```
Use AWS provider resources directly. See docs for the resources involved: aws_lambda_function.
```hcl
resource "aws_lambda_function" "this" {
  filename                       = "lambda_function.zip"
  function_name                  = "pofix-abc123"
  handler                        = "index.handler"
  reserved_concurrent_executions = 100
  role                           = "arn:aws:iam::123456789012:role/example-role"
  runtime                        = "python3.12"
  source_code_hash               = "base64encodedhashabcdef1234567890=="

  tracing_config {
    mode = "Active"
  }
}
```
What this control checks
This control validates that each aws_lambda_function resource includes a tracing_config block with mode set to "Active". When mode is "Active", the function samples and records incoming requests using X-Ray. When mode is "PassThrough", the function only traces requests that were sampled by an upstream service and may emit no traces. Omitting tracing_config entirely, or leaving mode unset, disables tracing and fails the control. The function's execution role must also have xray:PutTraceSegments and xray:PutTelemetryRecords IAM permissions, but this control focuses on the tracing configuration itself.
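The same evaluation as an added Python example (not compliance.tf's own checker) run against a constructed `terraform show -json` plan document: it walks the root module and any nested modules, and classifies each aws_lambda_function as Active, PassThrough, or disabled (tracing_config absent). The plan document is constructed for this example, and the planned_values/root_module/child_modules layout is assumed to match what Terraform emits for a saved plan.

```python
"""Evaluate the 'Lambda tracing enabled' control against `terraform show -json`
output. Added example; the plan document below is constructed, not real."""
import json

# Constructed sample of `terraform show -json tfplan` output (assumption: the
# planned_values.root_module.resources / child_modules layout). Three functions
# cover the three cases the control distinguishes.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_lambda_function.traced",
                 "type": "aws_lambda_function",
                 "values": {"function_name": "traced",
                            "tracing_config": [{"mode": "Active"}]}},
                {"address": "aws_lambda_function.passthrough",
                 "type": "aws_lambda_function",
                 "values": {"function_name": "passthrough",
                            "tracing_config": [{"mode": "PassThrough"}]}},
            ],
            "child_modules": [
                {"address": "module.api", "resources": [
                    {"address": "module.api.aws_lambda_function.untraced",
                     "type": "aws_lambda_function",
                     "values": {"function_name": "untraced",
                                "tracing_config": []}},
                ]},
            ],
        }
    },
})


def iter_resources(module):
    """Yield every resource in a module tree (root module plus nested modules)."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def tracing_mode(resource):
    """Return the configured tracing mode, or None when the block is absent/unset."""
    blocks = resource.get("values", {}).get("tracing_config") or []
    if not blocks:
        return None
    return blocks[0].get("mode")


def evaluate_plan(plan_json):
    """Map each aws_lambda_function address to PASS / WARN / FAIL.

    PASS: mode is "Active".
    WARN: mode is "PassThrough" (traces only when an upstream caller sampled).
    FAIL: tracing_config missing or mode unset, which AWS treats as disabled.
    """
    plan = json.loads(plan_json)
    root = plan["planned_values"]["root_module"]
    results = {}
    for res in iter_resources(root):
        if res.get("type") != "aws_lambda_function":
            continue
        mode = tracing_mode(res)
        if mode == "Active":
            status = "PASS"
        elif mode == "PassThrough":
            status = "WARN"
        else:
            status = "FAIL"
        results[res["address"]] = status
    return results


if __name__ == "__main__":
    for address, status in evaluate_plan(SAMPLE_PLAN).items():
        print(f"{status:4} {address}")
```

Run it in CI after `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` and fail the pipeline on any FAIL; whether WARN should also block is a policy decision, since PassThrough functions behind API Gateway or EventBridge triggers typically emit nothing.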
Common pitfalls
PassThrough mode may produce no traces
"PassThrough" passes this control, but it's a trap: if no upstream caller sends a sampled trace header, the function produces zero traces. For functions triggered directly by API Gateway, EventBridge, or S3 event notifications, "Active" is the only mode that actually produces data.
Missing IAM permissions silently drop traces
Even with tracing_config { mode = "Active" }, traces silently disappear if the function's execution role is missing xray:PutTraceSegments and xray:PutTelemetryRecords. The function runs fine; X-Ray just receives nothing. Attach arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess to cover both actions.
Terraform default omits tracing_config entirely
Terraform doesn't add a tracing_config block by default, and AWS treats the omission as disabled. Functions scaffolded from minimal examples or copied from documentation almost never include it, so it's easy to deploy a large fleet with tracing off and not notice until you actually need the data.
Audit evidence
An auditor expects to see an AWS Config rule (such as lambda-function-settings-check with the tracingConfig parameter) showing compliant evaluations across all Lambda functions. Alternatively, the output of aws lambda list-functions can be filtered to verify that every function's TracingConfig.Mode is Active. Screenshots from the Lambda console showing the "Active tracing" checkbox enabled under Monitoring and operations tools, or an X-Ray service map showing active trace collection, are both acceptable.
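Added example, not part of the page: a Python script that turns a saved `aws lambda list-functions --output json` inventory into the evidence summary described above. The inventory is constructed; the function names and ARNs are placeholders. The Lambda API reports functions without active tracing as PassThrough rather than omitting TracingConfig, but the script treats a missing block the same way so a hand-edited export does not crash it.

```python
"""Summarise `aws lambda list-functions --output json` output as audit
evidence for the Lambda tracing control. Added example with a constructed
inventory; the function names and ARNs are placeholders."""
import json

# Constructed stand-in for the CLI output (the CLI pages through the results
# for you; run it once per region in scope).
SAMPLE_INVENTORY = json.dumps({
    "Functions": [
        {"FunctionName": "orders-api",
         "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:orders-api",
         "TracingConfig": {"Mode": "Active"}},
        {"FunctionName": "nightly-report",
         "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:nightly-report",
         "TracingConfig": {"Mode": "PassThrough"}},
        {"FunctionName": "legacy-hook",
         "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:legacy-hook"},
    ]
})

REQUIRED_MODE = "Active"


def audit_tracing(inventory_json):
    """Return an evidence record: totals plus every function not in Active mode.

    Functions with tracing disabled are reported by the API as PassThrough;
    a missing TracingConfig is treated the same way rather than as an error.
    """
    functions = json.loads(inventory_json).get("Functions", [])
    noncompliant = []
    for fn in functions:
        mode = (fn.get("TracingConfig") or {}).get("Mode", "PassThrough")
        if mode != REQUIRED_MODE:
            noncompliant.append({"FunctionName": fn["FunctionName"],
                                 "FunctionArn": fn.get("FunctionArn"),
                                 "Mode": mode})
    return {
        "total": len(functions),
        "active": len(functions) - len(noncompliant),
        "compliant": not noncompliant,
        "noncompliant": noncompliant,
    }


def evidence_report(inventory_json):
    """Render the record as lines an auditor can read alongside the raw JSON."""
    record = audit_tracing(inventory_json)
    verdict = "PASS" if record["compliant"] else "FAIL"
    lines = [f"Lambda functions: {record['total']}, X-Ray Active: {record['active']}",
             f"Control result: {verdict}"]
    for fn in record["noncompliant"]:
        lines.append(f"  {fn['FunctionName']}: TracingConfig.Mode={fn['Mode']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(evidence_report(SAMPLE_INVENTORY))
```

For a quick spot check without the script, the same filter can be expressed directly in the CLI's JMESPath query: `aws lambda list-functions --query "Functions[?TracingConfig.Mode!='Active'].FunctionName"` lists only the non-compliant names. Keep the raw JSON export next to the summary so the evidence can be re-derived.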
Related controls
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
- Compliance.tf Control: lambda_function_tracing_enabled
- AWS Config Managed Rule: LAMBDA_FUNCTION_XRAY_ENABLED
- Checkov Check: CKV_AWS_50
- Powerpipe Control: aws_compliance.control.lambda_function_tracing_enabled
- AWS Security Hub Control: Lambda.7
- KICS Query: 8152e0cf-d2f0-47ad-96d5-d003a76eabd1
- Trivy Check: AWS-0066
Last reviewed: 2026-03-09