Lambda Function is Showing different CloudWatch Log Group

Hi All,

I am using AWS CDK to generate my CloudFormation template and the following is the template it created for me. I have copied the necessary output for my question.

As you can see, I have a CloudWatch log group, and created an IAM policy that allows logs to be written to that log group.

I have created an IAM role that has the necessary permission to write to the log group and attached that IAM role to the Lambda function I created.

The CloudFormation template is successfully deployed by running the AWS CDK "deploy" command. And no errors are thrown.

However, after it is deployed, once I go to the Lambda function console to check if it is attached to the correct log group, I can see the following error in the "Monitor" tab of the Lambda function console.

Log group '/aws/lambda/Dev-Project-Backend-Function' does not exist for account ID

Apart from this, I have an API Gateway, and the Lambda function is called through the API Gateway route. The API Gateway is attached to the same CloudWatch log group below, and the API Gateway is correctly logging to the log group.

I do not understand why the Lambda function below is not correctly using the log group it was attached to through the IAM role, but is looking for the non-existent log group.

Appreciate your help on this.

CloudWatchLogGroup9E01D9EC:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupClass: STANDARD
      LogGroupName: Dev-Project-Backend-Log-Group-LogGroup
      RetentionInDays: 1
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
PolicyLogStreamC69D6ECF:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: This policy allows to write logs into log stream in the CloudWatch
      ManagedPolicyName: Dev-Project-Backend-LogStream-Policy
      Path: /
      PolicyDocument:
        Statement:
          - Action:
              - logs:CreateLogStream
              - logs:GetLogEvents
              - logs:PutLogEvents
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:"
                  - Ref: CloudWatchLogGroup9E01D9EC
                  - :log-stream:*
            Sid: Statement1
        Version: "2012-10-17"
    DependsOn:
      - CloudWatchLogGroup9E01D9EC
RoleLambdaExecReadWriteDB7DE264A3:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Ref: PolicyLogStreamC69D6ECF
      Path: /
      RoleName: Dev-Project-Backend-Role
    DependsOn:
      - PolicyLogStreamC69D6ECF
LambdaAdorationGroup7168EC0F:
    Type: AWS::Lambda::Function
    Properties:
      Architectures:
        - arm64
      FunctionName: Dev-Project-Backend-Function
      Handler: BackendFunction.lambda_handler
      LoggingConfig:
        ApplicationLogLevel: INFO
        LogFormat: JSON
        SystemLogLevel: DEBUG
      MemorySize: 128
      Role:
        Fn::GetAtt:
          - RoleLambdaExecReadWriteDB7DE264A3
          - Arn
      Runtime: python3.12
      Timeout: 31
    DependsOn:
      - CloudWatchLogGroup9E01D9EC
      - RoleLambdaExecReadWriteDB7DE264A3

1 Answer

Accepted Answer

Hello.

By default, Lambda is configured to output logs to a log group named "/aws/lambda/<function name>".
https://docs.aws.amazon.com/lambda/latest/dg/monitoring-cloudwatchlogs.html

By default, Lambda sends logs to a log group named /aws/lambda/<function name>. If you want your function to send logs to another group, you can configure this using the Lambda console, the AWS Command Line Interface (AWS CLI) or the Lambda API. See Configuring CloudWatch log groups to learn more.

Therefore, you need to set "LogGroup" in "LoggingConfig" of CloudFormation.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-loggingconfig.html#cfn-lambda-function-loggingconfig-loggroup

LambdaAdorationGroup7168EC0F:
    Type: AWS::Lambda::Function
    Properties:
      Architectures:
        - arm64
      FunctionName: Dev-Project-Backend-Function
      Handler: BackendFunction.lambda_handler
      LoggingConfig:
        ApplicationLogLevel: INFO
        LogFormat: JSON
        SystemLogLevel: DEBUG
        LogGroup: Dev-Project-Backend-Log-Group-LogGroup # Add
      MemorySize: 128
      Role:
        Fn::GetAtt:
          - RoleLambdaExecReadWriteDB7DE264A3
          - Arn
      Runtime: python3.12
      Timeout: 31
    DependsOn:
      - CloudWatchLogGroup9E01D9EC
      - RoleLambdaExecReadWriteDB7DE264A3
answered 2 months ago
  • With CDK, you can set it using the "logGroup" below. https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html

    new lambda.Function(this, 'Function', {
      codeSigningConfig,
      runtime: lambda.Runtime.NODEJS_18_X,
      handler: 'index.handler',
      code: lambda.Code.fromAsset(path.join(__dirname, 'lambda-handler')),
      logGroup, // Add
    });
    
  • Thanks @Riku_Kobayashi. Once I saw your comment, I realised I have missed that "LogGroup" property in my code itself. It is fixed now. A silly mistake from my end.
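
A pre-deploy check for the mismatch discussed in this thread, as an added example (not code from the question, the answer, or AWS): it computes each function's effective log group (`LoggingConfig.LogGroup`, otherwise `/aws/lambda/<function name>`) and reports functions whose execution role has no `logs:PutLogEvents` grant covering it. Assumptions: the template is already loaded as a dict, logical IDs are shortened hypothetical ones, only in-template managed policies and exact action names are inspected, and the helper names `resolve`, `writable_groups` and `audit` are invented here.

```python
from fnmatch import fnmatchcase

# Constructed sample: the question's resources, trimmed, with shortened logical IDs.
TEMPLATE = {
    "LogGroup": {"Type": "AWS::Logs::LogGroup", "Properties": {
        "LogGroupName": "Dev-Project-Backend-Log-Group-LogGroup"}},
    "Policy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
        "Statement": [{"Effect": "Allow",
                       "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                       "Resource": {"Fn::Join": ["", [
                           "arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:",
                           {"Ref": "LogGroup"}, ":log-stream:*"]]}}]}}},
    "Role": {"Type": "AWS::IAM::Role",
             "Properties": {"ManagedPolicyArns": [{"Ref": "Policy"}]}},
    "Func": {"Type": "AWS::Lambda::Function", "Properties": {
        "FunctionName": "Dev-Project-Backend-Function",
        "LoggingConfig": {"LogFormat": "JSON"},
        "Role": {"Fn::GetAtt": ["Role", "Arn"]}}},
}

def resolve(value, res):
    """Resolve the Ref / Fn::Join subset used above to a plain string."""
    if isinstance(value, str):
        return value
    if "Ref" in value:  # Ref on AWS::Logs::LogGroup yields the log group name
        return res[value["Ref"]]["Properties"]["LogGroupName"]
    sep, parts = value["Fn::Join"]
    return sep.join(resolve(p, res) for p in parts)

def writable_groups(role_id, res):
    """Log group name patterns the role's in-template policies allow PutLogEvents on."""
    groups = set()
    arns = res[role_id]["Properties"].get("ManagedPolicyArns", [])
    for pid in (a["Ref"] for a in arns if isinstance(a, dict)):  # skip external ARNs
        for st in res[pid]["Properties"]["PolicyDocument"]["Statement"]:
            if st["Effect"] == "Allow" and "logs:PutLogEvents" in st["Action"]:
                tail = resolve(st["Resource"], res).partition(":log-group:")[2]
                groups.add(tail.split(":")[0] if tail else "*")
    return groups

def audit(res):
    """Return (function, effective log group, writable patterns) per mismatch."""
    findings = []
    funcs = {n: r["Properties"] for n, r in res.items() if r["Type"] == "AWS::Lambda::Function"}
    for name, p in funcs.items():
        target = p.get("LoggingConfig", {}).get("LogGroup")
        group = resolve(target, res) if target else "/aws/lambda/" + p["FunctionName"]
        allowed = writable_groups(p["Role"]["Fn::GetAtt"][0], res)
        if not any(fnmatchcase(group, pat) for pat in allowed):
            findings.append((name, group, sorted(allowed)))
    return findings
```

Run against the question's template, `audit(TEMPLATE)` flags the function; adding `LogGroup` to `LoggingConfig`, as in the accepted answer, clears the finding without widening the role's policy.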
