Why are Lambda@Edge CloudTrail logs not being delivered?

Last updated: 2022-07-29

I associated an AWS Lambda@Edge function with an Amazon CloudFront distribution as a trigger. I am unable to find the Lambda@Edge function's execution logs in Amazon CloudWatch populated in the AWS CloudTrail log stream. How can I troubleshoot why they are missing?

Lambda@Edge logs fail to populate if the AWS Identity and Access Management (IAM) role associated with the Lambda@Edge function lacks the required permissions. Logs can also appear to be missing if you are checking the wrong Region in the console.

Resolution

Check the permission for the IAM role associated with the Lambda@Edge function

Verify that the function's execution role has the permissions required to create log groups and log streams and to put log events in any AWS Region. Log delivery fails if the execution role associated with the Lambda function does not have these permissions.

An example IAM policy attached to the Lambda@Edge execution role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    }
  ]
}

For more information about the permissions required to send data to CloudWatch logs, see Setting IAM permissions and roles for Lambda@Edge.

Check the logs in the Region where the Lambda function was activated

When the Lambda@Edge function is activated, Lambda creates CloudWatch log streams in the AWS Region closest to the location where the function is activated. The log group name is formatted as /aws/lambda/us-east-1.function-name, where function-name is the name of the Lambda function.

To locate the Lambda@Edge function logs, you must first determine the Region(s) in which the function is being invoked, and then view the logs in those Regions.

To find the Region where the function was invoked:

  1. Log in to the AWS Management Console and open the CloudFront console.
  2. Choose Monitoring under the Telemetry category.
  3. Select the Lambda@Edge tab.
  4. Select the Lambda@Edge function, then choose View function metrics.

The monitoring page shows the Regions in which the replica functions were invoked during the selected time period. From there you can open the CloudWatch logs for the function in each Region: choose View function logs, and then select the Region where the function is being invoked.

Note: If you see errors in a particular Region, choose the Region showing errors in the graph. To learn more, see Determining the Lambda@Edge Region.

Alternatively, to determine the edge location that a request was routed to, check the value of the x-amz-cf-pop response header, and then look in the corresponding Region in CloudWatch for the log files. For example, if x-amz-cf-pop is set to IAD89-P1, the request was served in the us-east-1 Region, where IAD is the airport code.
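The two checks above (does the execution role's policy cover CloudWatch Logs in every Region, and which Region and log group to open for a given x-amz-cf-pop value) can be done offline against a policy document. The following is an added example, not AWS code: the sample policies are constructed, the probe ARN is an assumption, and only the IAD to us-east-1 mapping comes from this article; the other POP_REGION entries are assumed for illustration.

```python
"""Offline helpers for the checks in this article (added example, not AWS code):
policy coverage for CloudWatch Logs in every Region, and x-amz-cf-pop lookup."""
import fnmatch
import re

# The three CloudWatch Logs actions the Lambda@Edge execution role needs.
REQUIRED_ACTIONS = ("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents")
# Logs are written in whichever Region is nearest the edge, so the policy must
# cover a log group in an arbitrary Region.  We probe with a constructed ARN (assumption).
PROBE_ARN = "arn:aws:logs:ap-southeast-2:123456789012:log-group:/aws/lambda/us-east-1.fn:*"
# Airport code -> Region holding the logs.  IAD -> us-east-1 is from the article;
# the other entries are assumed for illustration (assumption).
POP_REGION = {"IAD": "us-east-1", "FRA": "eu-central-1", "NRT": "ap-northeast-1"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def missing_log_permissions(policy):
    """Return the required logs: actions not effectively allowed for PROBE_ARN.
    Explicit Deny wins over Allow; NotAction/NotResource are not handled."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if not any(fnmatch.fnmatchcase(PROBE_ARN, r) for r in _as_list(stmt.get("Resource", []))):
            continue  # statement does not cover log groups outside its own Region(s)
        hits = {a for a in REQUIRED_ACTIONS for p in _as_list(stmt.get("Action", []))
                if fnmatch.fnmatchcase(a.lower(), p.lower())}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hits)
    return [a for a in REQUIRED_ACTIONS if a not in allowed or a in denied]

def log_location(pop_header, function_name):
    """Map an x-amz-cf-pop value such as 'IAD89-P1' to (Region, log group name)."""
    m = re.match(r"([A-Z]{3})\d*", pop_header)
    if not m or m.group(1) not in POP_REGION:
        raise ValueError(f"edge location not in POP_REGION table: {pop_header}")
    # Log group names keep the Region where the function was created (us-east-1).
    return POP_REGION[m.group(1)], f"/aws/lambda/us-east-1.{function_name}"

# Constructed samples: the article's policy, and one scoped to us-east-1 only,
# which lets replicas invoked in other Regions fail to write their logs.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": list(REQUIRED_ACTIONS), "Resource": ["arn:aws:logs:*:*:*"]}]}
REGION_SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": list(REQUIRED_ACTIONS), "Resource": "arn:aws:logs:us-east-1:*:*"}]}

if __name__ == "__main__":
    for name, pol in (("article policy", GOOD_POLICY), ("us-east-1 only", REGION_SCOPED_POLICY)):
        print(name, "->", missing_log_permissions(pol) or "all required actions allowed")
    print(log_location("IAD89-P1", "my-edge-function"))
```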

When Lambda returns an invalid response to CloudFront, CloudFront writes the error messages to log files in the CloudWatch Region where the Lambda function executed. These log groups have the format /aws/cloudfront/LambdaEdge/DistributionId, where DistributionId is the distribution's ID. To find the Region where the CloudWatch log file is located, see Determining the Lambda@Edge Region.