How to stop an AWS Lambda function from logging to CloudWatch
Question
AWS Lambda logging on CloudWatch may become a huge hidden cost if you have a lot of them, because there is no way to tell AWS to stop logging on the CloudWatch platform. The only way I have found to do that is to manage a custom IAM policy (associated with every lambda) and explicitly deny access to the logs:... actions:
{
    "Sid": "DisableAllLogs",
    "Resource": "*",
    "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
    ],
    "Effect": "Deny"
}
Now I'm trying to fine-grain the policy to let only some lambdas log. To do that I'm using the Condition parameters of the policy:
{
    "Sid": "EnableLogsForWantedLambdaTriggers",
    "Resource": "*",
    "Condition": {
        "ArnEquals": {
            "aws:SourceArn": "arn:aws:lambda:REGION:ACCOUNT-ID:function:FUNCTION-NAME"
        }
    },
    "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
    ],
    "Effect": "Allow"
}
but in this way no log is sent to CloudWatch. I think that the source ARN is wrong but I can't figure out how to find the correct one.
Any clue?
Answer
A possible workaround that I've found is to focus the policy on resources instead of on the caller ARN of the action. So, if I know the lambda logGroupName and logStreamName (and I always know these) I can Allow only the actions over the resources that the logger will create, following the documented naming convention:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnableLogsForWantedLambdaTriggers",
            "Resource": [
                "arn:aws:logs:<region>:<ID>:log-group:<logGroupName>:log-stream:<logStreamName>"
            ],
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Effect": "Allow"
        }
    ]
}
In this way I have the choice to enable the wanted lambda and/or (acting on the stream name) selected function versions ($LATEST, 1, 2, ...).
For example, the next one will enable only the development version of the function, ignoring the production ones:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnableLogsForWantedLambdaTriggers",
            "Resource": [
                "arn:aws:logs:<region>:<ID>:log-group:<logGroupName>:log-stream:*/*/*/[$LATEST]*"
            ],
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Effect": "Allow"
        }
    ]
}
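The following is an added example (not code from the question or the answer above) that builds the per-version policy described in the answer and checks which concrete log-stream names its `*/*/*/[$LATEST]*` pattern actually covers; the region and account id are constructed placeholders. It goes beyond the answer in one respect: logs:CreateLogGroup is authorised against the log-group ARN rather than a stream ARN, so it is given its own statement.

```python
import json
import re

# Constructed placeholder values; replace with your own account and region.
REGION = "eu-west-1"
ACCOUNT_ID = "123456789012"


def iam_glob_to_regex(pattern: str) -> re.Pattern:
    """Translate an IAM resource pattern into a regex.

    IAM treats only '*' (any run of characters) and '?' (one character) as
    wildcards; brackets such as '[$LATEST]' are literal characters, so
    fnmatch (which reads '[...]' as a character class) would get it wrong.
    """
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$")


def log_group_arn(function_name: str) -> str:
    """Lambda's documented log group: /aws/lambda/<function-name>."""
    return f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:/aws/lambda/{function_name}"


def log_stream_arn(function_name: str, stream_pattern: str) -> str:
    """Stream ARN; Lambda names streams YYYY/MM/DD/[<version>]<hex id>."""
    return f"{log_group_arn(function_name)}:log-stream:{stream_pattern}"


def logging_policy(function_name: str, version: str = "$LATEST") -> dict:
    """Allow log delivery only for one function version (default: $LATEST)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "CreateLogGroupOnly", "Effect": "Allow",
             "Action": "logs:CreateLogGroup", "Resource": log_group_arn(function_name)},
            {"Sid": "EnableLogsForWantedLambdaTriggers", "Effect": "Allow",
             "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": log_stream_arn(function_name, f"*/*/*/[{version}]*")},
        ],
    }


def stream_allowed(policy: dict, function_name: str, stream_name: str) -> bool:
    """True if some statement allows logs:PutLogEvents on this concrete stream."""
    arn = log_stream_arn(function_name, stream_name)
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "logs:PutLogEvents" in actions and iam_glob_to_regex(stmt["Resource"]).match(arn):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(logging_policy("my-fn"), indent=2))
```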