Lambda Protection in Amazon GuardDuty

Lambda Protection helps you identify potential security threats when an AWS Lambda function is invoked in your AWS environment. When you enable Lambda Protection, GuardDuty starts monitoring Lambda network activity logs, beginning with VPC Flow Logs from all Lambda functions in your account, including functions that don't use VPC networking; these logs are generated when the Lambda function is invoked. If GuardDuty identifies suspicious network traffic indicative of potentially malicious code in your Lambda function, GuardDuty generates a finding.

Note

Lambda Network Activity Monitoring doesn't include the logs for Lambda@Edge functions.

You can configure Lambda Protection for any account and in any available AWS Region, at any time. By default, an existing GuardDuty account can enable Lambda Protection with a 30-day trial period. For a new GuardDuty account, Lambda Protection is already enabled and included in the 30-day trial period. For information about usage statistics, see Estimating cost.
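Because Lambda Protection is configured per account and per Region, it is easy for one Region to be left without it. The following added example (not part of the AWS documentation) audits GuardDuty detector descriptions Region by Region and reports where Lambda Protection is not fully enabled; it assumes the GuardDuty API feature name LAMBDA_NETWORK_LOGS and the Features/Status shape of a GetDetector response, neither of which this page states, and runs on a constructed sample instead of live API calls.

```python
"""Audit GuardDuty detectors for Lambda Protection coverage across Regions."""
from typing import Dict, List

# Assumption: the GuardDuty detector feature backing Lambda Protection is
# named LAMBDA_NETWORK_LOGS (the page itself does not name the API feature).
LAMBDA_FEATURE = "LAMBDA_NETWORK_LOGS"

# Constructed sample of per-Region GetDetector responses. A live run would
# obtain each one with boto3.client("guardduty", region_name=r).get_detector(DetectorId=d).
SAMPLE_DETECTORS: Dict[str, dict] = {
    "us-east-1": {
        "Status": "ENABLED",
        "Features": [
            {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
            {"Name": LAMBDA_FEATURE, "Status": "ENABLED"},
        ],
    },
    "eu-west-1": {
        "Status": "ENABLED",
        "Features": [
            {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
            {"Name": LAMBDA_FEATURE, "Status": "DISABLED"},  # explicitly off
        ],
    },
    "ap-southeast-2": {
        # Feature missing from the response entirely: also a coverage gap.
        "Status": "ENABLED",
        "Features": [{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}],
    },
}


def lambda_protection_enabled(detector: dict) -> bool:
    """True only when the detector itself and the Lambda feature are both ENABLED."""
    if detector.get("Status") != "ENABLED":
        return False  # a disabled detector monitors nothing, whatever its features say
    for feature in detector.get("Features", []):
        if feature.get("Name") == LAMBDA_FEATURE:
            return feature.get("Status") == "ENABLED"
    return False  # feature absent: treat as not enabled rather than unknown


def regions_without_lambda_protection(detectors: Dict[str, dict]) -> List[str]:
    """Sorted list of Regions whose detector lacks enabled Lambda Protection."""
    return sorted(r for r, d in detectors.items() if not lambda_protection_enabled(d))


def enable_request(detector_id: str) -> dict:
    """Keyword arguments for guardduty.update_detector() that turn the feature on."""
    return {"DetectorId": detector_id,
            "Features": [{"Name": LAMBDA_FEATURE, "Status": "ENABLED"}]}


if __name__ == "__main__":
    for region in regions_without_lambda_protection(SAMPLE_DETECTORS):
        print(region, "lacks Lambda Protection; fix with", enable_request("<detector-id>"))
```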

GuardDuty monitors the network activity logs generated by invoking your Lambda functions. Presently, Lambda Network Activity Monitoring includes Amazon VPC Flow Logs from all Lambda functions in your account, including functions that don't use VPC networking. The set of monitored logs is subject to change, including expansion to other network activity such as DNS query data generated by invoking the Lambda functions. Expanding into other forms of network activity monitoring will increase the volume of data that GuardDuty processes for Lambda Protection, which will directly affect the usage cost of Lambda Protection. Whenever GuardDuty starts monitoring an additional network activity log, it will notify the accounts that have turned on Lambda Protection at least 30 days before the release.