AWS Lambda@Edge not logging

Question

I have viewer-request and origin-response Lambda functions deployed to a CloudFront distribution, which are firing, but not logging to CloudWatch. I have spent a considerable amount of time researching this topic, and have run through all advice from other posts including:

Checking all regions for logs, as I know that they CloudWatch logs will be created in the region which the labmda@edge function runs. No logs in any of them.
I have checked that the AWSServiceRoleForCloudFrontLogger role exists.

Interestingly when I purposefully code in an error into one of Lambda functions, I do get logs created within a group named /aws/cloudfront/LambdaEdge/<cloudfront distribution id> containing error logs, however there is no output from the console.log statements here.

For the life of me I can't work out how I can enable logging of ALL requests, both successes and failures, to CloudWatch, containing my debug statements using console.log().

The AWSServiceRoleForCloudFrontLogger contains a single policy AWSCloudFrontLogger:

    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:/aws/cloudfront/*"
        }
    ]
}

EDIT:

Below is the AWS role suggested by AWS support. I can confirm this worked and resolved the issue.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}```

Is the policy suggested by AWS support meant to be attached to a new role which has `logger.cloudfront.amazonaws.com` as a trusted entity? If I understand correctly, this is a sort of an extended replacement for the default AWSServiceRoleForCloudFrontLogger role, right? — mj3c, Aug 07 '20 at 15:00
To answer my previous commend, the proposed policy needs to be set for the Lambda's execution role, then the logs start working! — mj3c, Aug 10 '20 at 09:40
Thanks a lot, they should really highlight this in their documentation wasted many hours. — Suraj Jain, Nov 16 '20 at 18:33

vipulbansal91 · Accepted Answer · 2019-07-13T14:30:05.010

The issue most probably is that Lambda does not have the permissions to output the logs into CloudWatch.

Can you double check the Lambda function execution role permissions?

Related Link : Can't get AWS Lambda function to log (text output) to CloudWatch

Explanation

So there are two kinds of logs here, hence you have to provide permissions to CloudWatch at two different places.

Logs that you put in your Lambda function (using console.log), since these logs are to be published by the function to CloudWatch, function execution role should have the permission to CloudWatch. This is true irrespective of who triggers the Lambda function.
Now comes L@E, sometimes you might end up modifying request/response in a way that is not valid as per CloudFront. In these scenarios only ClodFront has the knowledge that you messed up(your Lambda function doesn't know this) and it publishes this knowledge in form of logs to CloudWatch. Now since this is a different entity, it needs it own permissions to push the logs to CloudWatch(which you had provided via AWSServiceRoleForCloudFrontLogger).

Thank you for your answer. You're right. I actually figured this out myself, and after granting more permissions to the execution role's policy it started working. I'm currently speaking with AWS support to find out exactly why this was necessary, and once I have an answer I'll post here. — mustdobetter, Jul 12 '19 at 06:57
For reference, I've posted the fixed Role permissions suggested by AWS support in the originally post. — mustdobetter, Nov 08 '19 at 15:37

AWS Lambda@Edge not logging

1 Answers1