Lambda Gotcha: CloudWatch Logs Group Name

Hello! Today's post is a little "gotcha" that sometimes still gets me when I'm developing AWS Lambda functions: if you want to stream the function's logs to CloudWatch, the log group's name has to follow a specific convention. Suppose I'm creating a Lambda function with this CloudFormation snippet: The key piece is this: When AWS …

CloudWatch Logs: Preventing Orphaned Log Groups

Hello! When you need to publish logs to CloudWatch (e.g. from a Lambda function), you need an IAM role with access to CloudWatch. It's tempting to use a simple policy like the one in the AWS docs. You might write a CloudFormation template like this: Obviously, the role is too permissive: arn:aws:logs:*:*:* But, there's another …