Why aren't my Lambda@Edge CloudWatch logs delivered?

I associated an AWS Lambda@Edge function with an Amazon CloudFront distribution. However, I can't find the Lambda@Edge function's logs in the Amazon CloudWatch Logs log stream.

Resolution

Check the permission for the IAM role associated with the Lambda@Edge function

If the AWS Identity and Access Management (IAM) role associated with the Lambda@Edge function lacks the required permissions, Lambda@Edge logs don't populate. Verify that the function role has the permissions required to create log groups and log streams and to put log events in any AWS Region.

Example IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}

For more information about the permissions required to send data to CloudWatch Logs, see Set up IAM permissions and roles for Lambda@Edge.
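
As an added example (not AWS's code and not part of the original article), the following Python check statically tests a role policy document for the three permissions above in every Region, so a policy that is scoped to a single Region is flagged. The function names, the sample policies and the account ID 111122223333 are constructed for illustration; Deny statements, NotAction and permission boundaries are not evaluated, and statements that carry a Condition are treated as not granting.

```python
import fnmatch

REQUIRED_ACTIONS = ("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents")

# The policy from this article.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": ["arn:aws:logs:*:*:*"]}]}

# Constructed sample: same actions, but pinned to one Region and account.
SINGLE_REGION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "logs:*",
    "Resource": "arn:aws:logs:us-east-1:111122223333:*"}]}

def _as_list(value):
    """IAM allows a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def _covers_all_regions(resource):
    """True when the Resource pattern has a wildcard Region for CloudWatch Logs."""
    if resource == "*":
        return True
    parts = resource.split(":", 5)  # arn:partition:service:region:account:resource
    return (len(parts) == 6 and parts[0] == "arn"
            and parts[2] in ("logs", "*") and parts[3] == "*")

def missing_edge_log_permissions(policy):
    """Return the required actions that no Allow statement grants in every Region."""
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        # Conservative: conditional statements are treated as not granting.
        if stmt.get("Effect") != "Allow" or "Action" not in stmt or stmt.get("Condition"):
            continue
        if not any(_covers_all_regions(r) for r in _as_list(stmt.get("Resource", []))):
            continue
        for pattern in _as_list(stmt["Action"]):
            for action in REQUIRED_ACTIONS:
                # IAM action names are case-insensitive and support * and ? wildcards.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return [a for a in REQUIRED_ACTIONS if a not in granted]

if __name__ == "__main__":
    for name, doc in (("page policy", PAGE_POLICY), ("single Region", SINGLE_REGION_POLICY)):
        print(name, "-> missing:", missing_edge_log_permissions(doc) or "none")
```

An empty list means the policy allows all three actions with a wildcard Region; any action returned is one the function role can't perform in every Region where CloudFront might invoke the function.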

Locate the logs in the Region where CloudFront invokes the Lambda function

Confirm the Region in the CloudFront console. If you used the incorrect Region, then you might not see the logs.

When you invoke the Lambda@Edge function, Lambda creates CloudWatch Logs log streams in the Region where the request was received. The log group name uses the following format: /aws/lambda/us-east-1.function-name.

To locate the Lambda@Edge function logs, find the Region where CloudFront invokes the function. Complete the following steps:

  1. Open the CloudFront console.
  2. Under Telemetry, choose Monitoring.
  3. Choose the Lambda@Edge tab.
  4. Select your Lambda@Edge function, and then choose View metrics.
  5. Select View function logs, and then select the Region where CloudFront invokes the function.
    Note: If you see errors in a Region, then select that Region in the Errors metric graph.
  6. To verify the edge location where CloudFront routed the request, check the value of the x-amz-cf-pop response header. Then, check the corresponding Region in CloudWatch Logs to review the log files. For example, if x-amz-cf-pop is IAD89-P1, then IAD is the airport code and CloudFront served the request in us-east-1.

If Lambda returns a response that isn't valid to CloudFront, then CloudFront logs the error messages in the log files. Then, CloudFront publishes these logs to CloudWatch Logs in the Region where the Lambda function ran. Log groups use the following format: /aws/cloudfront/LambdaEdge/DistributionId. To locate the Region where you can find the CloudWatch Logs log file, see Determine the Lambda@Edge Region.

Related information

Reports, metrics, and logs

Determine if your account pushes logs to CloudWatch

AWS OFFICIAL | Updated 10 months ago