Lambda Gotcha: CloudWatch Logs Group Name


Today’s post is a little “gotcha” that sometimes still gets me when I’m developing AWS Lambda functions: if you want to stream the function’s logs to CloudWatch, the log group’s name has to follow a specific convention.

Suppose I’m creating a Lambda function with this CloudFormation snippet:

# The logical ID "Function" is illustrative.
Function:
  Type: AWS::Lambda::Function
  Properties:
    Code:
      ZipFile: |
        import logging
        import cfnresponse

        def handler(event, context):
            logger = logging.getLogger()
            # Without an explicit level, INFO messages are dropped.
            logger.setLevel(logging.INFO)
            try:
                if event['RequestType'] == 'Delete':
                    cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
                    # Respond only once per request.
                    return
                logger.info('It worked!')
                cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
            except Exception:
                logger.exception('Signaling failure to CloudFormation.')
                cfnresponse.send(event, context, cfnresponse.FAILED, {})
    FunctionName: custom-resource
    Handler: index.handler
    Role: !GetAtt ExecutionRole.Arn
    Runtime: python3.7
    Timeout: 30

The key piece is this:

FunctionName: custom-resource

When AWS Lambda sends logs to CloudWatch, it assumes the target log group has a name like this:

/aws/lambda/[function name]

This isn’t configurable. If your log group’s name doesn’t follow this convention, you won’t get logs from your Lambda function.

So, in our case, we need a log group called /aws/lambda/custom-resource. In CloudFormation, we could create it like this:

# The logical ID "LogGroup" is illustrative.
LogGroup:
  Type: AWS::Logs::LogGroup
  Properties:
    LogGroupName: /aws/lambda/custom-resource
    RetentionInDays: 30
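A name mismatch like this is easy to catch before deployment. The following is an added example, not code from the original post: it checks a template (in CloudFormation's JSON form) for functions whose `FunctionName` has no matching `/aws/lambda/...` log group, and for log groups under that prefix that match no function. The sample template, the `nightly-report` function and the helper names are constructed for illustration.

```python
import json

PREFIX = "/aws/lambda/"  # naming convention described in the post

# Constructed sample template; everything except the custom-resource
# function and its log group is made up for this example.
TEMPLATE = json.loads("""
{"Resources": {
  "Function": {"Type": "AWS::Lambda::Function",
               "Properties": {"FunctionName": "custom-resource"}},
  "LogGroup": {"Type": "AWS::Logs::LogGroup",
               "Properties": {"LogGroupName": "/aws/lambda/custom-resource"}},
  "ReportFunction": {"Type": "AWS::Lambda::Function",
                     "Properties": {"FunctionName": "nightly-report"}},
  "ReportLogGroup": {"Type": "AWS::Logs::LogGroup",
                     "Properties": {"LogGroupName": "/aws/lambda/nightly_report"}}
}}
""")


def literal_props(template, resource_type, key):
    """Map logical ID -> literal string value of `key` for one resource type.
    Omitted values and intrinsics such as Fn::Sub (dicts) map to None."""
    out = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == resource_type:
            value = res.get("Properties", {}).get(key)
            out[logical_id] = value if isinstance(value, str) else None
    return out


def check_log_groups(template):
    """Return (functions_without_group, lambda_groups_without_function)."""
    functions = literal_props(template, "AWS::Lambda::Function", "FunctionName")
    groups = literal_props(template, "AWS::Logs::LogGroup", "LogGroupName")
    declared = {g for g in groups.values() if g}
    expected = {PREFIX + n for n in functions.values() if n}
    # Functions with a generated or intrinsic name cannot be resolved here.
    missing = sorted(lid for lid, n in functions.items()
                     if n and PREFIX + n not in declared)
    stray = sorted(g for g in declared
                   if g.startswith(PREFIX) and g not in expected)
    return missing, stray


if __name__ == "__main__":
    missing, stray = check_log_groups(TEMPLATE)
    print("functions with no matching log group:", missing)
    print("log groups matching no function:", stray)
```

In the sample, the underscore in `nightly_report` is the kind of typo that leaves a declared log group, and its retention setting, unused.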

The IAM role attached to your function of course still needs permissions to send logs, and there’s another gotcha there that can lead to orphaned log groups.

Hope this helps!

