AWS Lambda@Edge created using AWS CDK doesn't put Log to CloudWatch

Question

I created a simple Lambda@Edge function like below.

```
'use strict';

exports.handler =  async function(event, context, callback) {
    const cf = event.Records[0].cf;
    console.log('Record: ', JSON.stringify(cf, null, 2));
    console.log('Context: ', JSON.stringify(context, null, 2));
    console.log('Request: ', JSON.stringify(cf.request, null, 2));
    callback(null, cf.request);
}
```

And I deployed it using AWS CDKv2 `experimental EdgeFunction like below

```
        const edgeFunction = new cloudfront.experimental.EdgeFunction(this, 'EdgeFunction', {
            runtime: Runtime.NODEJS_14_X,
            handler: 'index.handler',
            code: Code.fromAsset(path.join(__dirname, '../../../../lambda/ssr2')),
        });
```

and also I set it up as edge function for a Distribution

```
        const distribution = new Distribution(this, 'Distribution', {
            defaultBehavior: {
                origin,
                cachePolicy: CachePolicy.CACHING_DISABLED,
                viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
                edgeLambdas: [
                    {
                        functionVersion: edgeFunction.currentVersion,
                        eventType: LambdaEdgeEventType.VIEWER_REQUEST,
                    }
                ]
            },
```

But when I tried sending the request to the Distribution, the log didn't show up anything.

I checked the permission, the role already has permission

```
Allow: logs:CreateLogGroup
Allow: logs:CreateLogStream
Allow: logs:PutLogEvents
```

I expect the function write logs to the CloudWatch. What did I miss?

**UPDATE 1**

Below is the role document,

```
{
    "sdkResponseMetadata": null,
    "sdkHttpMetadata": null,
    "partial": false,
    "permissionsBoundary": null,
    "policies": [
      {
        "arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
        "document": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Resource": "*"
            }
          ]
        },
        "id": "ANPAJNCQGXC425412345",
        "name": "AWSLambdaBasicExecutionRole",
        "type": "managed"
      }
    ],
    "resources": {
      "logs": {
        "service": {
          "icon": "data:image/svg+xml;base64,PHN2ZyB2aWV3Qm94PSIwIDAgNjQgNjQiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+CiAgPGcgdHJhbnNmb3JtPSJzY2FsZSguOCkiPgogICAgPGRlZnM+CiAgICAgIDxsaW5lYXJHcmFkaWVudCB4MT0iMCUiIHkxPSIxMDAlIiB4Mj0iMTAwJSIgeTI9IjAlIiBpZD0iYSI+CiAgICAgICAgPHN0b3Agc3RvcC1jb2xvcj0iI0IwMDg0RCIgb2Zmc2V0PSIwJSIvPgogICAgICAgIDxzdG9wIHN0b3AtY29sb3I9IiNGRjRGOEIiIG9mZnNldD0iMTAwJSIvPgogICAgICA8L2xpbmVhckdyYWRpZW50PgogICAgPC9kZWZzPgogICAgPGcgZmlsbD0ibm9uZSIgZmlsbC1ydWxlPSJldmVub2RkIj4KICAgICAgPHBhdGggZD0iTTAgMGg4MHY4MEgweiIgZmlsbD0idXJsKCNhKSIvPgogICAgICA8cGF0aCBkPSJNNTUuMDYgNDYuNzc3YzAtMy45MDktMy4yMDItNy4wOS03LjEzOC03LjA5LTMuOTM1IDAtNy4xMzYgMy4xODEtNy4xMzYgNy4wOSAwIDMuOTEgMy4yIDcuMDkgNy4xMzYgNy4wOXM3LjEzNy0zLjE4IDcuMTM3LTcuMDltMi4wMSAwYzAgNS4wMTEtNC4xMDMgOS4wODctOS4xNDcgOS4wODctNS4wNDMgMC05LjE0Ny00LjA3Ni05LjE0Ny05LjA4NyAwLTUuMDEgNC4xMDQtOS4wODYgOS4xNDctOS4wODYgNS4wNDQgMCA5LjE0OCA0LjA3NiA5LjE0OCA5LjA4Nm04LjQ0IDEzLjY5N0w1OC41IDU0LjIwM2ExMy4wMzMgMTMuMDMzIDAgMDEtMS45NDcgMi4xNmw2Ljk5OCA2LjI3YTEuNDc0IDEuNDc0IDAgMDAyLjA2Ni0uMTA3IDEuNDUzIDEuNDUzIDAgMDAtLjEwOC0yLjA1Mm0tMTcuNTg4LTIuODEyYzYuMDQzIDAgMTAuOTU4LTQuODgzIDEwLjk1OC0xMC44ODVzLTQuOTE1LTEwLjg4NC0xMC45NTgtMTAuODg0Yy02LjA0MSAwLTEwLjk1NyA0Ljg4Mi0xMC45NTcgMTAuODg0IDAgNi4wMDIgNC45MTYgMTAuODg1IDEwLjk1NyAxMC44ODVtMTkuMTkgNi4yQTMuNDgzIDMuNDgzIDAgMDE2NC41MjkgNjVhMy40NzUgMy40NzUgMCAwMS0yLjMyMi0uODgzTDU0LjkzMSA1Ny42YTEyLjkzNSAxMi45MzUgMCAwMS03LjAwOSAyLjA2Yy03LjE1IDAtMTIuOTY3LTUuNzc5LTEyLjk2Ny0xMi44ODIgMC03LjEwMiA1LjgxNy0xMi44ODEgMTIuOTY3LTEyLjg4MSA3LjE1MSAwIDEyLjk2OSA1Ljc3OSAxMi45NjkgMTIuODgxIDAgMi4wMzgtLjQ5MiAzLjk2LTEuMzQ0IDUuNjc0bDcuMzA5IDYuNTRhMy40NDQgMy40NDQgMCAwMS4yNTYgNC44NzJNMjEuMjggMjkuMzkzYzAgLjUxOS4wMzIgMS4wMzYuMDk0IDEuNTM2YS45OTQuOTk0IDAgMDEtLjgyMyAxLjEwNmMtMi40NzIuNjM0LTYuNTQgMi41NTMtNi41NCA4LjMxIDAgNC4zNDggMi40MTMgNi43NDggNC40MzkgNy45OTYuNjkxLjQzMyAxLjUxLjY2NCAyLjM3My42NzNsMTIuMTIyLjAxMS0uMDAyIDEuOTk3LTEyLjEzMS0uMDFjLTEuMjQ2LS4wMTQtMi40MjgtLjM1MS0zLjQyOC0uOTc3QzE1LjM3NyA0OC43OTcgMTIgNDUuODkgMTIgNDAuMzQ1YzAtNi42ODMgNC42LTkuMTUzIDcuMy0xMC4wMjYtLjAyLS4zMDctLjAzLS42MTctLjAzLS45MjYgMC01LjQ2IDMuNzI4LTExLjEyMyA4LjY3Mi0xMy4xNzEgNS43ODItMi40MDcgMTEuOTA4LTEuMjE0IDE2LjM4NCAzLjE4OSAxLjM4OCAxLjM2NCAyLjUyOSAzLjAyIDMuNDA0IDQuOTM3YTYuNTA5IDYuNTA5IDAgMDE0LjE1NC0xLjUwMmMzLjAwMiAwIDYuMzgyIDIuMjY0IDYuOTg0IDcuMjE1IDIuODEyLjY0NCA4Ljc1MyAyLjg5NCA4Ljc1MyAxMC4zNjIgMCAyLjk4MS0uOTQxIDUuNDQ0LTIuNzk4IDcuMzE5bC0xLjQzMy0xLjQwMWMxLjQ3My0xLjQ4OCAyLjIyLTMuNDc5IDIuMjItNS45MTggMC02LjUzMi01LjUwNC04LjE1Ny03Ljg3My04LjU1MWExLjAwMiAxLjAwMiAwIDAxLS44MjMtMS4xNTdjLS4zMjktNC4wNTUtMi43NTMtNS44NzItNS4wMy01Ljg3Mi0xLjQzNyAwLTIuNzg0LjY5NS0zLjY5NyAxLjkwN2ExLjAwNiAxLjAwNiAwIDAxLTEuNzUtLjI1OGMtLjgyMy0yLjI2Ni0yLjAxLTQuMTcxLTMuNTI1LTUuNjYxLTMuODgtMy44MTYtOS4xODQtNC44NS0xNC4xOTUtMi43NjYtNC4xNyAxLjcyNy03LjQzNyA2LjcwMi03LjQzNyAxMS4zMjgiIGZpbGw9IiNGRkYiLz4KICAgIDwvZz4KICA8L2c+Cjwvc3ZnPgo=",
          "name": "Amazon CloudWatch Logs"
        },
        "statements": [
          {
            "action": "logs:CreateLogGroup",
            "effect": "Allow",
            "resource": "*",
            "service": "logs",
            "source": {
              "index": "0",
              "policyName": "AWSLambdaBasicExecutionRole",
              "policyType": "managed"
            }
          },
          {
            "action": "logs:CreateLogStream",
            "effect": "Allow",
            "resource": "*",
            "service": "logs",
            "source": {
              "index": "0",
              "policyName": "AWSLambdaBasicExecutionRole",
              "policyType": "managed"
            }
          },
          {
            "action": "logs:PutLogEvents",
            "effect": "Allow",
            "resource": "*",
            "service": "logs",
            "source": {
              "index": "0",
              "policyName": "AWSLambdaBasicExecutionRole",
              "policyType": "managed"
            }
          }
        ]
      }
    },
    "roleName": "MyProject-EdgeFunctionFnServiceRoleC7B72E4-1DV3AZXP558ZS",
    "trustedEntities": [
      "lambda.amazonaws.com",
      "edgelambda.amazonaws.com"
    ]
  }
```

I just tried using the Test in the Lambda Panel. All the tests send logs to the CloudWatch. However when I send request to the CloudFront, it didn't send anything.

**UPDATE 2**

I just found out from StackOverflows that the log is being stored not centrally but distributed to regions.  Something like below

```
/aws/lambda/us-east-1.MyProject-EdgeFunctionFn44308ADF-loJeFwXXzTOm
```

So instead of opening it from Lambda panel, I need to open it in the CloudFront panel. Somewhat I couldn't find it in any AWS documentations.

**References**

https://aws.amazon.com/id/blogs/networking-and-content-delivery/aggregating-lambdaedge-logs/

https://stackoverflow.com/questions/66949758/serverless-aws-lambdaedge-how-to-debug#:~:text=Go%20to%20CloudWatch%20and%20search,%2D%3E%20Lambda%40Edge%20Errors%20.

Accepted Answer

Oh I think I see now, this is an issue I've faced before with lambda@edge logs too. The logs print to cloudwatch log groups in whatever region was used to accent the content. Since the lambda@edge replicates in all of the used Edge locations, while you're dealing with 1 lambda function you're actually dealing with up to a few dozen lambda@edge functions. So look in Cloudwatch Log Groups for edge lambda log groups in all regions close to where you are located.

To find that in the CloudFront panel go to `Telemetry->Monitoring`, Choose the `Lambda@Edge` tab, select the appropriate lambda version, then in the top right corner there will be a dropdown called `View Function Logs` - there you can see all the regions where logs are available.

Answer

Make sure the role's trust policy for the lambda@edge lists two principles: `lambda.amazonaws.com` and `edgelambda.amazonaws.com`. If it only has the first one you'll need to add a custom role to the edge function in the cdk:

```
new Role(this, 'Lambda-Edge-Role', {
      assumedBy: new CompositePrincipal(
          new ServicePrincipal('lambda.amazonaws.com'),
          new ServicePrincipal('edgelambda.amazonaws.com'),
      ),
       managedPolicies: [
           ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole')
      ]
}
```
I believe the `EdgeFunction` construct is supposed to do that automatically but since it's experimental it's worth it to make sure.

AWS Lambda@Edge created using AWS CDK doesn't put Log to CloudWatch

관련 콘텐츠