While testing this, I had trouble getting CreateFunction provisioned to the identity that performed it. I thought this was because the CloudTrail name doesn't match the permission name, but ListFunctions (whose event is called ListFunctions20150331) worked fine.