AWS Lambda Execution Role for CloudWatch Logs | SAA-C03 Exam | Amazon

Lambda Execution Role for CloudWatch Logs


Question

Which of the following actions are required by the Lambda execution role to write logs to AWS CloudWatch? (Choose 3 options)

Answers

Explanations


A. B. C. D. E.

Answer: A, C, E.

Reference: https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html?shortFooter=true#lambda-intro-execution-role

To simplify the process for creating an execution role, AWS Lambda provides the following AWS managed (predefined) permissions policies that you can use. These policies include common permissions for specific scenarios:

• AWSLambdaBasicExecutionRole - Grants permissions only for the Amazon CloudWatch Logs actions to write logs. You can use this policy if your Lambda function does not access any other AWS resources except writing logs.

To write logs to AWS CloudWatch, a Lambda function needs certain permissions in its execution role. These permissions determine what the function can do when interacting with CloudWatch Logs.

Out of the given options, the three required actions that must be added to the Lambda execution role are:

  1. logs:CreateLogGroup: This permission allows the Lambda function to create a new log group in CloudWatch Logs. A log group is a container for log streams that share the same retention, monitoring, and access control settings.

  2. logs:CreateLogStream: This permission allows the Lambda function to create a new log stream within a log group. A log stream is a sequence of log events that share the same source.

  3. logs:PutLogEvents: This permission allows the Lambda function to write log events to a log stream. A log event represents a single occurrence of an event in a log stream.

The remaining options are not required for writing logs into AWS CloudWatch:

  1. logs:GetLogEvents: This permission is used to retrieve log events from a log stream, but it is not required for writing logs.

  2. logs:DescribeLogStreams: This permission allows the Lambda function to list the available log streams in a log group, but it is not required for writing logs.

Therefore, options A, C, and E are the correct answers, as they contain the actions the Lambda execution role needs to write logs to AWS CloudWatch.
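The check below is an added example, not part of the original page: it audits an execution-role policy document for the three write actions named above and flags CloudWatch Logs grants beyond them, going slightly past the question by handling wildcards and explicit Deny statements. The function names and sample policies are constructed for illustration, and Resource, Condition and NotAction are ignored as a stated simplification.

```python
import re

# The three write actions the page identifies as required.
REQUIRED = ("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents")

def _as_list(value):
    # IAM allows Statement and Action to be a single item or a list.
    return [] if value is None else [value] if isinstance(value, (str, dict)) else list(value)

def _matches(pattern, action):
    # IAM action matching is case-insensitive; '*' spans any run, '?' one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def audit_log_permissions(policy):
    """Return (missing, extra) for an identity policy document given as a dict.
    missing: required write actions that are not effectively allowed.
    extra:   allowed patterns that reach CloudWatch Logs beyond the three.
    Simplification (assumption): Resource, Condition and NotAction are ignored.
    """
    allow, deny = [], []
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") == "Allow":
            allow += actions
        elif stmt.get("Effect") == "Deny":
            deny += actions  # an explicit Deny overrides any Allow

    def granted(action):
        return (any(_matches(p, action) for p in allow)
                and not any(_matches(p, action) for p in deny))

    required_lower = {a.lower() for a in REQUIRED}
    missing = [a for a in REQUIRED if not granted(a)]
    extra = sorted({p for p in allow
                    if (p == "*" or p.lower().startswith("logs:"))
                    and p.lower() not in required_lower})
    return missing, extra

# Constructed sample policies (not taken from the page).
WRITE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(REQUIRED), "Resource": "*"}]}
READ_HEAVY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Resource": "*",
    "Action": ["logs:GetLogEvents", "logs:DescribeLogStreams", "logs:CreateLogStream"]}}
WILDCARD_WITH_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "logs:putlogevents", "Resource": "*"}]}
```

Calling `audit_log_permissions(READ_HEAVY)` shows that the read actions from the wrong options do not substitute for the write actions: two required actions are reported missing and the two read grants are reported as extra.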