Lambda Execution Role Requirements for CloudWatch Logs

Answer: A, C, E.

https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html?shortFooter=true#lambda-intro-execution-role.

Lambda functions can write logs to CloudWatch logs, which can help you troubleshoot issues with your application. To write logs to CloudWatch, a Lambda execution role must be granted specific permissions. The following are the required actions by Lambda execution role to write logs into AWS CloudWatch:

1. logs:CreateLogGroup: This permission is required to create a new log group in CloudWatch Logs. A log group is a collection of log streams that share the same retention, monitoring, and access control settings. This permission allows the Lambda function to create a new log group if one does not already exist.

2. logs:CreateLogStream: This permission is required to create a new log stream within a log group. A log stream represents a sequence of log events that share the same source. This permission allows the Lambda function to create a new log stream for each instance of the function.

3. logs:PutLogEvents: This permission is required to write log events to a log stream. This permission allows the Lambda function to write log events to the log stream created for each instance of the function.

The other two permissions mentioned in the question are not required to write logs to CloudWatch:

• logs:GetLogEvents: This permission is used to retrieve log events from a log stream. It is not required for writing logs to CloudWatch.

• logs:DescribeLogStreams: This permission is used to retrieve information about the log streams in a log group. It is not required for writing logs to CloudWatch.

In summary, the Lambda execution role requires the logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents permissions to write logs to CloudWatch.