Why aren't my Lambda@Edge CloudWatch logs delivered?


I associated an AWS Lambda@Edge function with an Amazon CloudFront distribution. However, I can't find the Lambda@Edge function's logs in the Amazon CloudWatch Logs log stream.

Resolution

Check the permission for the IAM role associated with the Lambda@Edge function

Lambda@Edge logs don't populate if the AWS Identity and Access Management (IAM) role associated with the Lambda@Edge function lacks the required permission. Verify that the function execution role has the required permissions to create log groups and streams and put log events into any AWS Region.

Example IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    }
  ]
}

For more information about the permissions required to send data to CloudWatch Logs, see Set up IAM permissions and roles for Lambda@Edge.

Check the logs in the Region where the Lambda function was activated

Check the Region in your console. Logs can appear to be missing if you use the incorrect Region.

When you activate the Lambda@Edge function, Lambda creates CloudWatch Logs log streams in the Region closest to the location where the function was activated. The log group name uses the following format: /aws/lambda/us-east-1.function-name. function-name is the function's name.

To locate the Lambda@Edge function logs, find the Region where the function was invoked:

  1. Log in to the AWS Management Console, and then open the CloudFront console.
  2. Under Telemetry, choose Monitoring.
  3. Choose the Lambda@Edge tab.
  4. Select your Lambda@Edge function, and then choose View metrics.
  5. Select View function logs, and then select the Region where CloudFront invokes the function.
    Note: If you see errors in a Region, then select that Region in the Errors metric graph.
  6. To check the edge location that the request was routed to, check the value of the x-amz-cf-pop response header. Then, check the corresponding Region in CloudWatch Logs to see the log files. For example, if x-amz-cf-pop is IAD89-P1, then IAD is the airport code and the request was served in us-east-1.

If Lambda returns an invalid response to CloudFront, then CloudFront logs the error messages in the log files. CloudFront then publishes these logs to CloudWatch Logs in the Region where the Lambda function ran. Log groups use the following format: /aws/cloudfront/LambdaEdge/DistributionId. DistributionId is the distribution's ID. To find the Region where the CloudWatch Logs log file is located, see Determine the Lambda@Edge Region.
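
The Region lookup described above can also be scripted. The following is an added example, not AWS code: it builds the two log group names given in this article and asks CloudWatch Logs in each Region you pass whether they exist and when they last received an event. The function name, distribution ID, and Region list are values you supply; boto3 and a caller allowed logs:DescribeLogGroups and logs:DescribeLogStreams are assumptions.

```python
"""Find which Regions hold a Lambda@Edge function's CloudWatch Logs log groups."""

def edge_log_groups(function_name, distribution_id):
    """Log group names in the two formats this article gives."""
    return [
        f"/aws/lambda/us-east-1.{function_name}",         # function output
        f"/aws/cloudfront/LambdaEdge/{distribution_id}",  # invalid-response errors
    ]

def pop_airport_code(x_amz_cf_pop):
    """'IAD89-P1' -> 'IAD': the leading letters of the header are the airport code."""
    code = ""
    for ch in x_amz_cf_pop.strip():
        if not ch.isalpha():
            break
        code += ch
    return code.upper()

def boto3_logs_client(region):
    import boto3  # imported lazily so the helpers above work without the SDK
    return boto3.client("logs", region_name=region)

def find_edge_logs(function_name, distribution_id, regions, client_for=boto3_logs_client):
    """Return {region: {log_group: last_event_ms or None}} for groups that exist."""
    found = {}
    for region in regions:
        logs = client_for(region)
        for name in edge_log_groups(function_name, distribution_id):
            # The prefix search also returns longer names, so require an exact match.
            resp = logs.describe_log_groups(logGroupNamePrefix=name)
            if not any(g["logGroupName"] == name for g in resp["logGroups"]):
                continue
            streams = logs.describe_log_streams(
                logGroupName=name, orderBy="LastEventTime", descending=True, limit=1
            )["logStreams"]
            last = streams[0].get("lastEventTimestamp") if streams else None
            found.setdefault(region, {})[name] = last
    return found

if __name__ == "__main__":
    # Constructed sample values; nothing here calls AWS.
    print(pop_airport_code("IAD89-P1"))
    print(edge_log_groups("my-edge-fn", "DISTRIBUTION_ID_PLACEHOLDER"))
```

Call find_edge_logs with your own function name, distribution ID, and a list of Regions to query. A Region that is missing from the result has neither log group, which points back to the IAM permission check or to a function that was never invoked there.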

Related information

Reports, metrics, and logs

Determine if your account pushes logs to CloudWatch

AWS OFFICIAL
Updated a month ago