AWS Lambda Execution Role - CloudWatch Logs Integration

Lambda Execution Role Requirements for CloudWatch Logs


Question

Which of the following actions are required by a Lambda execution role to write logs into AWS CloudWatch? (choose 3 options)

Answers

Explanations


A. B. C. D. E.

Answer: A, C, E.

https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html?shortFooter=true#lambda-intro-execution-role.

To simplify the process for creating an execution role, AWS Lambda provides the following AWS managed (predefined) permissions policies that you can use. These policies include common permissions for specific scenarios:

  • AWSLambdaBasicExecutionRole - Grants permissions only for the Amazon CloudWatch Logs actions to write logs. You can use this policy if your Lambda function does not access any other AWS resources except writing logs.

Lambda functions can write logs to CloudWatch Logs, which helps you troubleshoot issues with your application. To write logs to CloudWatch, a Lambda execution role must be granted specific permissions. The following actions are required by a Lambda execution role to write logs into AWS CloudWatch:

  1. logs:CreateLogGroup: This permission is required to create a new log group in CloudWatch Logs. A log group is a collection of log streams that share the same retention, monitoring, and access control settings. This permission allows the Lambda function to create a new log group if one does not already exist.

  2. logs:CreateLogStream: This permission is required to create a new log stream within a log group. A log stream represents a sequence of log events that share the same source. This permission allows the Lambda function to create a new log stream for each instance of the function.

  3. logs:PutLogEvents: This permission is required to write log events to a log stream. This permission allows the Lambda function to write log events to the log stream created for each instance of the function.

The other two permissions mentioned in the question are not required to write logs to CloudWatch:

  • logs:GetLogEvents: This permission is used to retrieve log events from a log stream. It is not required for writing logs to CloudWatch.

  • logs:DescribeLogStreams: This permission is used to retrieve information about the log streams in a log group. It is not required for writing logs to CloudWatch.

In summary, the Lambda execution role requires the logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents permissions to write logs to CloudWatch.
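An added example, not part of the question page or of any AWS-published code: a small Python helper that builds the least-privilege form of this policy (the three required actions only, scoped to one function's log group the way the Lambda console-generated role is) and audits an arbitrary policy document for those actions and for over-broad grants. The region, account id and function name are constructed placeholders.

```python
import fnmatch

# The three actions the page lists as required for a Lambda execution role to write logs.
REQUIRED_LOG_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"}

def scoped_log_policy(region, account_id, function_name):
    """Least-privilege form: the three required actions and nothing else.

    logs:CreateLogGroup is allowed on the account's logs namespace because the group
    does not exist yet; the other two are scoped to the function's own log group.
    """
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{function_name}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "logs:CreateLogGroup",
         "Resource": f"arn:aws:logs:{region}:{account_id}:*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": f"{group_arn}:*"},
    ]}

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def check_log_policy(policy):
    """Return (missing, findings): required actions not granted, and least-privilege warnings."""
    granted, findings = set(), []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        for pattern in _as_list(stmt.get("Action")):
            # IAM action names are case-insensitive and support '*' and '?' wildcards.
            hits = {a for a in REQUIRED_LOG_ACTIONS
                    if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
            if not hits:
                continue
            granted |= hits
            if pattern.endswith("*"):
                findings.append(f"wildcard action {pattern!r} grants more than log writing")
            if "*" in resources:
                findings.append(f"{pattern!r} is allowed on Resource '*'; scope it to the log group")
    return sorted(REQUIRED_LOG_ACTIONS - granted), findings

# Constructed sample: a broad policy of the kind a quick fix often produces.
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "logs:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(check_log_policy(BROAD_POLICY))      # ([], [two findings])
    print(check_log_policy(scoped_log_policy("us-east-1", "123456789012", "my-function")))  # ([], [])
```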