Lambda logs are going to cloudwatch after applying deny policy

0

I created a test Lambda on AWS and applied the following policy to stop logs going to CloudWatch:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:::*"
      ]
    }
  ]
}

It was working on this one and logs were not going to CloudWatch. But when I applied the same policy on the production Lambda it was not working and logs were going to CloudWatch.

2 Answers
1

There are several reasons why the policy might not be working as expected in your production environment. Let's go through some troubleshooting steps:

- IAM Policy Propagation Delay: Sometimes, after you make changes to IAM policies, there can be a short delay before they take effect. Make sure to wait a few minutes and try again.

- Existing Log Groups and Streams: If the Lambda function in your production environment had already created a log group and log stream before you applied the policy, then it might still be able to write to those existing resources. The policy you provided prevents the creation of new log groups, streams, and events, but it does not deny writing to existing streams.

- Multiple IAM Roles: Ensure that the Lambda function in your production environment is actually using the IAM role with the deny policy. Sometimes, there might be multiple IAM roles, and the Lambda function could be using a different role than the one you applied the policy to.

- Inline Policies vs Managed Policies: If you're using managed policies, ensure that the policy is attached to the correct role. If you're using inline policies, ensure that the policy is correctly embedded in the role.

- Other Allow Policies: IAM policies are evaluated with an implicit deny. If you have another policy attached to the same role that explicitly allows the logging actions, then the Deny in your policy will override that. However, if there's an explicit Allow for a more specific resource (e.g., a specific log group), it can override the general Deny for all log groups.

- Policy Syntax: Ensure there are no typos or errors in the policy JSON. A small syntax error could invalidate the policy.

- Lambda Execution Role vs CloudWatch Logs Resource Policy: Ensure you're modifying the Lambda function's execution role and not the CloudWatch Logs resource policy. The policy you provided should be attached to the IAM role that the Lambda function assumes when it's executed.

- Testing: When testing, make sure to invoke the Lambda function after applying the policy to see if logs are being generated.

- CloudTrail: Use AWS CloudTrail to diagnose the issue. CloudTrail logs every API call made on your account, so you can see if and when the Lambda function is calling the CloudWatch Logs API and which IAM role or user is making the call.

- Caching: AWS SDKs and the AWS CLI cache credentials. Ensure that you're not experiencing a caching issue. If you're using the AWS CLI or SDKs, try waiting a few minutes or restarting your session.

If after checking all these points the issue persists, you might need to dig deeper, perhaps by contacting AWS support or checking if there are any known issues or changes related to Lambda and CloudWatch Logs integration.

answered 8 months ago
0

I am not sure where you attached the policy. If you want your function to stop logging to CloudWatch Logs, all you need to do is remove the CWL-related actions from the EXECUTION role. You do not need deny statements there.

AWS
EXPERT
Uri
answered 8 months ago
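One way to check which of the points in the two answers applies to the production function, as an added example that is not code from either answer: resolve the function's execution role and ask IAM's policy simulator which statements actually decide each of the three logs actions. It assumes boto3 is installed with credentials that can call lambda:GetFunctionConfiguration and iam:SimulatePrincipalPolicy; the function name, region and account id are placeholders you supply.

```python
"""Show what a Lambda execution role is really allowed to do against CloudWatch Logs.

summarize() and still_logs() are pure helpers; check_function() talks to AWS.
"""
from __future__ import annotations

LOG_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]


def summarize(evaluation_results: list[dict]) -> dict[str, dict]:
    """Reduce SimulatePrincipalPolicy results to {action: {decision, statements}}.

    decision is 'allowed', 'explicitDeny' or 'implicitDeny' exactly as IAM returns it;
    statements lists the SourcePolicyId of every statement IAM says matched, which
    tells you whether your Deny was considered at all and which Allow granted access.
    """
    summary: dict[str, dict] = {}
    for result in evaluation_results:
        matched = [m.get("SourcePolicyId", "?") for m in result.get("MatchedStatements", [])]
        summary[result["EvalActionName"]] = {
            "decision": result["EvalDecision"],
            "statements": matched,
        }
    return summary


def still_logs(summary: dict[str, dict]) -> bool:
    """True when the role can still write log events, i.e. the deny did not take effect."""
    return summary.get("logs:PutLogEvents", {}).get("decision") == "allowed"


def check_function(function_name: str, region: str, account_id: str) -> dict[str, dict]:
    """Look up the function's execution role and simulate the three logs actions
    against the function's own log group ARN (constructed from the inputs here)."""
    import boto3  # imported lazily so the helpers above work without AWS access

    lam = boto3.client("lambda", region_name=region)
    iam = boto3.client("iam")
    # Confirms which role the function actually uses (point 3 of the first answer).
    role_arn = lam.get_function_configuration(FunctionName=function_name)["Role"]
    log_group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{function_name}:*"
    resp = iam.simulate_principal_policy(
        PolicySourceArn=role_arn,
        ActionNames=LOG_ACTIONS,
        ResourceArns=[log_group_arn],
    )
    return summarize(resp["EvaluationResults"])
```

If `still_logs()` is true, the `statements` list for `logs:PutLogEvents` names the Allow (typically the basic execution managed policy) that is still granting the write, which is what the second answer suggests removing.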
