How do I resolve the "Log group does not exist" error for Lambda function logs in the CloudWatch console?


When I view logs for my AWS Lambda function in the Amazon CloudWatch console, I get a "Log group does not exist" error. I want to resolve the error.

Short description

If there's no log group for your Lambda function when you view your function's logs, then CloudWatch returns the following error message:

"Log group does not exist. The specific log group: <log group name> does not exist in this account or region."

The log group is created the first time you invoke your function. If there's still no log group after you invoke the function, then the function's AWS Identity and Access Management (IAM) permissions are the problem.

To troubleshoot a "Log group does not exist" error from CloudWatch, confirm the following:

  • Your Lambda function's execution role has sufficient permissions to write logs to CloudWatch.
  • The log group resource in the IAM policy includes the name of your function.

Note: For information about permissions-related logging issues with Lambda@Edge, see Service-linked roles for Lambda@Edge.

Resolution

Note: The following resolution doesn't work for higher-level denied permissions, such as through a service control policy (SCP) or permissions boundary. You must resolve the denied permissions first.

Edit the IAM policy for the Lambda function's execution role so that it meets the following conditions:

  • It allows the CreateLogGroup and CreateLogStream write actions (the example policy below also grants PutLogEvents, which is required to write the log events themselves).
    Note: If you don't need custom permissions for your function, then you can attach the managed policy AWSLambdaBasicExecutionRole to allow Lambda to write logs to CloudWatch.
  • The AWS Region that's specified in the ARN is the same as your Lambda function's Region.
  • The log-group resource includes the name of your Lambda function. For example, if your function is named myLambdaFunction, then the associated log group is /aws/lambda/myLambdaFunction.

The following is an example policy that includes the required permissions for a Lambda role to access CloudWatch logs:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "logs:CreateLogGroup",
      "Resource": "arn:aws:logs:region:accountId:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:region:accountId:log-group:/aws/lambda/functionName:*"
      ]
    }
  ]
}

Note: Make sure that the IAM role's trust policy allows the Lambda service to assume the role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
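As an added example (not part of the article or of AWS's own tooling), the following Python checks a role's permissions policy and trust policy offline against the three conditions above: the required logs actions are allowed, the Region in the resource ARN matches the function's Region, and the log-group resource names the function. The function name, Region, account ID and log-stream name used with it are constructed sample values, and the wildcard matching is a simplification of IAM's evaluation (no Deny, NotAction, conditions, SCPs or permissions boundaries).

```python
import fnmatch

# Actions Lambda needs to create /aws/lambda/<name> and write events into it
# (the article's example policy grants exactly these three).
REQUIRED_ACTIONS = ("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents")


def _as_list(value):
    # IAM lets Action, Resource, Principal.Service and Statement be a string or a list.
    return value if isinstance(value, list) else [value]


def _allowed(policy, action, resource_arn):
    """True if an Allow statement grants `action` on `resource_arn` ('*' and '?' wildcards).
    Simplified on purpose: Deny, NotAction/NotResource and Condition are ignored, so an
    "allowed" result can still be overridden by an SCP or a permissions boundary."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


def audit_lambda_logging(policy, trust_policy, function_name, region, account_id):
    """Return the problems that would leave the function without a log group (empty = none)."""
    prefix = f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{function_name}"
    group_arn = f"{prefix}:*"                                  # CloudWatch Logs log-group ARN form
    stream_arn = f"{prefix}:log-stream:2024/01/01/[$LATEST]0"  # constructed sample stream ARN
    findings = []
    for action in REQUIRED_ACTIONS:
        # PutLogEvents is authorized on the stream; the other two on the log group.
        target = stream_arn if action == "logs:PutLogEvents" else group_arn
        if not _allowed(policy, action, target):
            findings.append(f"{action} is not allowed on {target}")
    # The role is useless to Lambda unless the trust policy lets lambda.amazonaws.com assume it.
    trusted = False
    for stmt in _as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and "lambda.amazonaws.com" in services
                and any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in _as_list(stmt.get("Action", [])))):
            trusted = True
    if not trusted:
        findings.append("trust policy does not allow lambda.amazonaws.com to call sts:AssumeRole")
    return findings
```

Call audit_lambda_logging with the two policy documents parsed from JSON; an empty list means the role satisfies the article's conditions, and each string in a non-empty list names the missing permission or the trust-policy gap.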

Related information

Managing permissions in AWS Lambda

AWS OFFICIAL
Updated 5 months ago
4 Comments

Thanks! It helped me to solve the problem.

replied a year ago

My IAM role's JSON is perfect; it looks the same as the example, but every time I create a new function and try to check CloudWatch I get the error.

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied a year ago

Adding AWSLambdaBasicExecutionRole to my Lambda function's role and creating a new log group of the relevant name solved the issue.

replied 7 months ago