Use the AWS CLI to enable Lambda Insights on an existing Lambda function

Follow these steps to use the AWS CLI to enable Lambda Insights on an existing Lambda function.

Step 1: Update function permissions

To update the function's permissions

Attach the CloudWatchLambdaInsightsExecutionRolePolicy managed IAM policy to the function's execution role by entering the following command.


aws iam attach-role-policy \
--role-name function-execution-role \
--policy-arn "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"

Step 2: Install the Lambda extension

Install the Lambda extension by entering the following command. Replace the ARN value for the layers parameter with the ARN matching your Region and the extension version that you want to use. For more information, see Available versions of the Lambda Insights extension.


aws lambda update-function-configuration \
   --function-name function-name \
   --layers "arn:aws:lambda:us-west-1:580247275435:layer:LambdaInsightsExtension:14"

Step 3: Enable the CloudWatch Logs VPC endpoint

This step is necessary only for functions running in a private subnet with no internet access, and if you have not already configured a CloudWatch Logs virtual private cloud (VPC) endpoint.

If you need to do this step, enter the following command, replacing the placeholders with information for your VPC.

For more information, see Using CloudWatch Logs with Interface VPC Endpoints.


aws ec2 create-vpc-endpoint \
--vpc-id vpcId \
--vpc-endpoint-type Interface \
--service-name com.amazonaws.region.logs \
--subnet-id subnetId 
--security-group-id securitygroupId

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Using the console to enable Lambda Insights on an existing Lambda function

Use the AWS SAM CLI to enable Lambda Insights on an existing Lambda function