How to stop an AWS Lambda function from logging to CloudWatch

Views: 118

Question

AWS Lambda logging to CloudWatch may become a huge hidden cost if you have a lot of them, because there is no way to tell AWS to stop logging to the CloudWatch platform. The only way I have found to do that is to manage a custom IAM policy (associated with every lambda) and explicitly deny access to the logs:... actions:

{
        "Sid": "DisableAllLogs",
        "Resource": "*",
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Effect": "Deny"
}

Now I'm trying to fine-grain the policy to let only some lambdas log. To do that I'm using the Condition parameter of the policy:

{
        "Sid": "EnableLogsForWantedLambdaTriggers",
        "Resource": "*",
        "Condition": {
            "ArnEquals": {
                "aws:SourceArn": "arn:aws:lambda:REGION:ACCOUNT-ID:function:FUNCTION-NAME"
            }
        },
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Effect": "Allow"
}

but in this way no log is sent to CloudWatch. I think that the source ARN is wrong but I can't figure out how to find the correct one.

Any clue?

Accepted answer

A possible workaround that I've found is to focus the policy on resources instead of on the caller ARN of the action. So, if I know the lambda logGroupName and logStreamName (and I always know these) I can Allow only the actions over the resource that the logger will create, following the documented naming convention:

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Sid": "EnableLogsForWantedLambdaTriggers",
        "Resource": [
            "arn:aws:logs:<region>:<ID>:log-group:<logGroupName>:log-stream:<logStreamName>"
        ],
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Effect": "Allow"
    }
  ]
}

In this way I have the choice to enable the wanted lambda and/or (acting on the stream name) selected function versions ($LATEST, 1, 2, ...).

For example, the next one will enable only the development version of the function, ignoring the production ones:

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Sid": "EnableLogsForWantedLambdaTriggers",
        "Resource": [
            "arn:aws:logs:<region>:<ID>:log-group:<logGroupName>:log-stream:*/*/*/[$LATEST]*"
        ],
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Effect": "Allow"
    }
  ]
}
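To see why the question's Deny-plus-Allow combination can never log anything, while the answer's resource-scoped Allow admits only the `$LATEST` streams, here is an added example (not code from the question, the answer or AWS) that simulates IAM's resource evaluation offline. It builds CloudWatch Logs ARNs from the documented Lambda naming convention (log group `/aws/lambda/<function>`, stream `YYYY/MM/DD/[version]<instance id>`), translates IAM `*`/`?` wildcards to a regex (in IAM, `[` and `$` are literal, so `[$LATEST]` is matched character for character), and applies the rule that an explicit Deny overrides any Allow. The region, account id, function names, date and instance id are constructed placeholders.

```python
"""Offline simulation of IAM resource matching for Lambda log writes.
Constructed values: region, account id, function names, date, instance id."""
import re

REGION = "eu-west-1"          # constructed placeholder
ACCOUNT_ID = "123456789012"   # constructed placeholder account id

LOG_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]


def log_group_arn(function_name):
    # Lambda writes to the log group /aws/lambda/<function name>
    return f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:/aws/lambda/{function_name}"


def log_stream_arn(function_name, version, date="2024/01/15", instance_id="abcdef1234567890"):
    # Lambda names streams YYYY/MM/DD/[version]<instance id>; version is "$LATEST" or a number
    return f"{log_group_arn(function_name)}:log-stream:{date}/[{version}]{instance_id}"


def iam_pattern_to_regex(pattern):
    # IAM policy wildcards: '*' matches any run of characters (including '/' and ':'),
    # '?' matches one character. Everything else, '[' and '$' included, is literal.
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, arn):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one action on one ARN.
    Mirrors IAM's rule that an explicit Deny wins over any matching Allow."""
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not any(iam_pattern_to_regex(a).match(action) for a in _as_list(statement["Action"])):
            continue
        if not any(iam_pattern_to_regex(r).match(arn) for r in _as_list(statement["Resource"])):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"          # explicit deny: stop immediately
        decision = "Allow"         # keep scanning in case a later Deny applies
    return decision


# The answer's second policy: only $LATEST streams of the "orders" function may log.
LATEST_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnableLogsForWantedLambdaTriggers",
        "Effect": "Allow",
        "Action": LOG_ACTIONS,
        "Resource": [f"{log_group_arn('orders')}:log-stream:*/*/*/[$LATEST]*"],
    }],
}

# The question's approach: a blanket Deny plus a scoped Allow in the same policy.
DENY_ALL_PLUS_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DisableAllLogs", "Effect": "Deny", "Action": LOG_ACTIONS, "Resource": "*"},
        LATEST_ONLY["Statement"][0],
    ],
}


def decisions():
    """Collect the decisions a practitioner would want to compare side by side."""
    put = "logs:PutLogEvents"
    return {
        "latest_stream_allowed": evaluate(LATEST_ONLY, put, log_stream_arn("orders", "$LATEST")),
        "version_3_stream_denied": evaluate(LATEST_ONLY, put, log_stream_arn("orders", "3")),
        "other_function_denied": evaluate(LATEST_ONLY, put, log_stream_arn("billing", "$LATEST")),
        # CreateLogGroup is evaluated against the log-group ARN, which the stream-scoped
        # Resource never matches: the group must already exist for this policy to work.
        "create_group_denied": evaluate(LATEST_ONLY, "logs:CreateLogGroup", log_group_arn("orders")),
        # With the blanket Deny present, the scoped Allow is overridden every time.
        "deny_wins_over_allow": evaluate(DENY_ALL_PLUS_ALLOW, put, log_stream_arn("orders", "$LATEST")),
    }


if __name__ == "__main__":
    for name, result in decisions().items():
        print(f"{name}: {result}")
```

Two things the simulation makes visible that the page only implies: the blanket `Deny` on `Resource: "*"` from the question overrides the scoped `Allow`, so the answer's policy should stand alone in the execution role rather than sit beside that deny; and because `logs:CreateLogGroup` is authorised against the log-group ARN, a `Resource` that names only log streams leaves group creation implicitly denied, so the log group must already exist (or a separate statement must allow creating it).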
