Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to stop AWS Lambda function to log on CloudWatch

AWS Lambda logging on CloudWatch may become an huge hidden cost if you have a lot of them, because there are no way to tell AWS to stop logging on CloudWatch platform. The only way I have found to do that is to manage a custom IAM policy (associated with every lambda) and explicitally deny access to the logs:... actions:

{
        "Sid": "DisableAllLogs",
        "Resource": "*",
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Effect": "Deny"
}

Now I'm trying to fine graining the policy to let only some lambda to log. To do that I'm using the Condition parameters of the policy:

{
        "Sid": "EnableLogsForWantedLambdaTriggers",
        "Resource": "*",
        "Condition": {
            "ArnEquals": {
                "aws:SourceArn": "arn:aws:lambda:REGION:ACCOUNT-ID:function:FUNCTION-NAME"
            }
        },
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Effect": "Allow"
}

but in this way no log is sent to CloudWatch. I think that the source ARN is wrong but I can't figure out to find the correct one.

Any clues?

like image 349
Claudio Bertozzi Avatar asked Aug 29 '16 14:08

Claudio Bertozzi


People also ask

How do I disable Lambda logs in CloudWatch?

There is no flag/toggle/switch or a direct way to disable the CloudWatch logs for a lambda function. One workaround is you can add the following inline policy to your role to disable the CloudWatch logs. You can change the "Deny" to "Allow" when you require logging again.

Does Lambda automatically log to CloudWatch?

Lambda automatically integrates with CloudWatch Logs and pushes all logs from your code to a CloudWatch Logs group associated with a Lambda function, which is named /aws/lambda/ <function name> .

How do you stop the Lambda function execution?

Set Concurrency To Zero One of the main ways you can stop your Lambda is to set the concurrency limit to zero. Note, setting concurrency to zero will not stop any currently processing lambda functions, but it will prevent any new lambda functions from starting.


1 Answers

A possible workaround that I've found is to focus the policy on resources instead on the caller ARN of the action. So, if I now the lambda logGroupName and logStreamName (and I always now these) I can Allow only the actions over the resource that the logger will create, following the documented naming convention:

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Sid": "EnableLogsForWantedLambdaTriggers",
        "Resource": [
            "arn:aws:logs:<region>:<ID>:log-group:<logGroupName>:log-stream:<logStreamName>"
        ],
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Effect": "Allow"
    }
  ]
}

in this way I have the choice to enable wanted lamda and/or (acting on stream name) selected function version ($LATEST, 1, 2, ...).

For example, the next will enable only the development version of the function ignoring the production ones:

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Sid": "EnableLogsForWantedLambdaTriggers",
        "Resource": [
            "arn:aws:logs:<region>:<ID>:log-group:<logGroupName>:log-stream:*/*/*/[$LATEST]*"
        ],
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Effect": "Allow"
    }
  ]
}
like image 183
Claudio Bertozzi Avatar answered Oct 25 '22 03:10

Claudio Bertozzi