Using CloudWatch Logs with Lambda
AWS Lambda automatically monitors Lambda functions on your behalf to help you troubleshoot failures in your functions. As long as your function's execution role has the necessary permissions, Lambda captures logs for all requests handled by your function and sends them to Amazon CloudWatch Logs.
You can insert logging statements into your code to help you validate that your code is working as expected. Lambda automatically integrates with CloudWatch Logs and sends all logs from your code to a CloudWatch logs group associated with a Lambda function.
By default, Lambda sends logs to a log group named /aws/lambda/<function name>
. If you want your function to send logs to another group, you can configure this using the Lambda console, the AWS Command Line Interface (AWS CLI) or the Lambda API.
See Configuring CloudWatch log groups to learn more.
You can view logs for Lambda functions using the Lambda console, the CloudWatch console, the AWS Command Line Interface (AWS CLI), or the CloudWatch API.
Note
It may take 5 to 10 minutes for logs to show up after a function invocation.
Required IAM permissions
Your execution role needs the following permissions to upload logs to CloudWatch Logs:
-
logs:CreateLogGroup
-
logs:CreateLogStream
-
logs:PutLogEvents
To learn more, see Using identity-based policies (IAM policies) for CloudWatch Logs in the Amazon CloudWatch User Guide.
You can add these CloudWatch Logs permissions using the AWSLambdaBasicExecutionRole
AWS managed policy provided by Lambda. To add this policy to your role, run the following command:
aws iam attach-role-policy --role-name your-role
--policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
For more information, see Working with AWS managed policies in the execution role.
Pricing
There is no additional charge for using Lambda logs; however, standard CloudWatch Logs charges apply. For more information, see CloudWatch pricing.