AWS Lambda logging on CloudWatch may become a huge hidden cost if you have a lot of them, because there is no way to tell AWS to stop logging on the CloudWatch platform. The o
A possible workaround that I've found is to focus the policy on resources instead of on the caller ARN of the action. So, if I know the lambda logGroupName and logStreamName (and I always know these), I can Allow only the actions over the resource that the logger will create, following the documented naming convention:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnableLogsForWantedLambdaTriggers",
            "Resource": [
                "arn:aws:logs:<region>:<ID>:log-group:<logGroupName>:log-stream:<logStreamName>"
            ],
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Effect": "Allow"
        }
    ]
}
In this way I have the choice to enable the wanted lambda and/or (acting on the stream name) selected function versions ($LATEST, 1, 2, ...).
For example, the next one enables only the development version of the function, ignoring the production ones:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnableLogsForWantedLambdaTriggers",
            "Resource": [
                "arn:aws:logs:<region>:<ID>:log-group:<logGroupName>:log-stream:*/*/*/[$LATEST]*"
            ],
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Effect": "Allow"
        }
    ]
}
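To see how the resource-scoped policy above actually selects one function version, here is an added example (not code from the original post) that builds the log-stream ARN pattern for a function and version and then evaluates sample log-stream ARNs against it the way IAM resource matching does (`*` matches any sequence of characters, `?` a single character, everything else is literal). The region, account ID, function name and instance IDs are constructed placeholders; the log group name `/aws/lambda/<function>` and the stream layout `YYYY/MM/DD/[<version>]<instance-id>` are the documented Lambda conventions. The `policy_allows` helper is a simplified evaluator written for this example, not an AWS API.

```python
import re

# Constructed sample identifiers for the example (not real resources).
REGION = "eu-west-1"
ACCOUNT_ID = "123456789012"
FUNCTION = "my-fn"


def log_stream_pattern(region, account_id, function_name, version="*"):
    """ARN pattern for the log streams of one Lambda function version.

    Lambda writes to log group /aws/lambda/<function> and names each stream
    YYYY/MM/DD/[<version>]<instance-id>, so three '*' segments cover the date
    and the bracketed version pins $LATEST, 1, 2, ... (or '*' for any version).
    """
    return (
        f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{function_name}"
        f":log-stream:*/*/*/[{version}]*"
    )


def build_policy(region, account_id, function_name, version="*"):
    """Same shape as the policy in the post, with the resource computed."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableLogsForWantedLambdaTriggers",
                "Resource": [log_stream_pattern(region, account_id, function_name, version)],
                "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
                "Effect": "Allow",
            }
        ],
    }


def iam_wildcard_to_regex(pattern):
    """Translate an IAM resource/action pattern to an anchored regex.

    Only '*' and '?' are special; '[' and '$' in '[$LATEST]' are literal,
    which is why fnmatch (where [...] is a character class) is not used.
    """
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource_arn):
    """Simplified evaluator: True if some Allow statement matches action and resource.

    Assumption for this example: no Deny statements and no conditions, i.e. only
    the Allow/Resource matching that the post relies on is modelled.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(iam_wildcard_to_regex(a).match(action) for a in _as_list(stmt["Action"])):
            continue
        if any(iam_wildcard_to_regex(r).match(resource_arn) for r in _as_list(stmt["Resource"])):
            return True
    return False


def stream_arn(region, account_id, function_name, version, instance_id, date="2024/01/15"):
    """ARN of a concrete log stream following the Lambda naming convention."""
    return (
        f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{function_name}"
        f":log-stream:{date}/[{version}]{instance_id}"
    )


def demo():
    """Return which constructed streams the $LATEST-only policy lets PutLogEvents reach."""
    policy = build_policy(REGION, ACCOUNT_ID, FUNCTION, version="$LATEST")
    instance = "58419525dd4d4e4c8bb0e16d6e88b8f5"  # constructed instance id
    candidates = {
        "dev_latest": stream_arn(REGION, ACCOUNT_ID, FUNCTION, "$LATEST", instance),
        "prod_v3": stream_arn(REGION, ACCOUNT_ID, FUNCTION, "3", instance),
        "other_function": stream_arn(REGION, ACCOUNT_ID, "other-fn", "$LATEST", instance),
    }
    return {name: policy_allows(policy, "logs:PutLogEvents", arn) for name, arn in candidates.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Running it shows only the `$LATEST` stream of `my-fn` matching; published version `3` and any other function fall outside the resource pattern, so their `PutLogEvents` calls fail and nothing is ingested. Two things to keep in mind when applying this: the execution role must not also carry a broader grant such as the managed `AWSLambdaBasicExecutionRole` policy, or that grant will match first and the scoping is moot; and `logs:CreateLogGroup` is evaluated against the log-group ARN rather than a log-stream ARN, so if the group does not exist yet it needs its own resource entry (or be created out of band).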