Amazon CloudFront
Developer Guide (API Version 2016-09-29)

Programming Model for Logs

You can create logging statements for your Lambda function, which Lambda@Edge then writes to CloudWatch. The following Node.js statements generate log entries:

  • console.log()

  • console.error()

  • console.warn()

  • console.info()

The following example shows how to create a log:

    'use strict';

    exports.handler = (event, context, callback) => {
        const response = event.Records[0].cf.response;
        const headers = response.headers;
        const headerName = 'Last-Modified';

        if (headers[headerName]) {
            console.log(`Header value for "${headerName}" to "${headers[headerName]}"`);
        }

        callback(null, response);
    };

This logs the value of the desired header in CloudWatch Logs.

Note

You must explicitly enable the logging function to record logs when using Lambda@Edge. This is different than the way that Lambda logging works.

Enabling Logs

IAM roles that are associated with your Lambda function should at a minimum grant permissions to CloudWatch Logs operations. Lambda simplifies that process by providing AWS managed permission policies. For more information, see Lambda Permissions Model in the AWS Lambda Developer Guide.

Make sure that the role that is associated with your Lambda function is assumable with edgelambda.amazonaws.com as well as lambda.amazonaws.com principals. The following example shows a role trust policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "Service": "lambda.amazonaws.com" },
          "Action": "sts:AssumeRole"
        },
        {
          "Effect": "Allow",
          "Principal": { "Service": "edgelambda.amazonaws.com" },
          "Action": "sts:AssumeRole"
        }
      ]
    }

You can use either the console to edit the trust policy of the role or the AWS CLI to update the role policy. For more information about roles, see Modifying a Role in the IAM User Guide.

Note that the following example assumes that the only trusted services are Lambda and Lambda@Edge, and that it overwrites your trust policy with the example policy document. If you have other trusted services or entities for your role, include them in the policy-document argument.

    aws iam update-assume-role-policy \
        --role-name <customer's role name associated with the lambda function> \
        --policy-document '{
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": "lambda.amazonaws.com" },
              "Action": "sts:AssumeRole"
            },
            {
              "Effect": "Allow",
              "Principal": { "Service": "edgelambda.amazonaws.com" },
              "Action": "sts:AssumeRole"
            }
          ]
        }'
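Because the command replaces the whole trust policy, a role that already trusts other principals needs them carried over. The following is an added example, not part of the original guide: it merges the two required service principals into an existing trust policy document and leaves every existing statement in place. The function names and the sample policy are constructed for illustration.

```javascript
// Added example; REQUIRED_SERVICES, trustedServices and withEdgeTrust are illustrative names.
const REQUIRED_SERVICES = ['lambda.amazonaws.com', 'edgelambda.amazonaws.com'];

// IAM allows a single value or an array for Statement, Action and Principal.Service.
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Collect the service principals that an Allow statement lets call sts:AssumeRole.
// Only the literal action name is matched; wildcard actions are not expanded.
function trustedServices(policy) {
  const found = new Set();
  for (const stmt of asArray(policy.Statement)) {
    if (stmt.Effect !== 'Allow') continue;
    if (!asArray(stmt.Action).includes('sts:AssumeRole')) continue;
    const principal = stmt.Principal || {};
    for (const svc of asArray(principal.Service)) found.add(svc);
  }
  return found;
}

// Return a new policy document with each missing required service appended as
// its own statement. Existing statements are passed through unchanged.
function withEdgeTrust(policy) {
  const present = trustedServices(policy);
  const added = REQUIRED_SERVICES
    .filter((svc) => !present.has(svc))
    .map((svc) => ({
      Effect: 'Allow',
      Principal: { Service: svc },
      Action: 'sts:AssumeRole',
    }));
  return {
    Version: policy.Version || '2012-10-17',
    Statement: [...asArray(policy.Statement), ...added],
  };
}

// Constructed sample: a role already trusted by Lambda and by one other service.
const existingPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { Service: ['lambda.amazonaws.com', 'apigateway.amazonaws.com'] },
    Action: 'sts:AssumeRole',
  }],
};

console.log(JSON.stringify(withEdgeTrust(existingPolicy), null, 2));
```

The printed document is what goes into the policy-document argument; the role's current trust policy can be read with aws iam get-role before merging.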

Logging Limits

There are limits to the logging that Lambda@Edge can provide. Lambda@Edge does the following:

  • Throttles logs based on the request volume and amount of bytes logged.

  • Logs the last 4 KB of logs produced by a single invocation. The rest are truncated.

Your CloudWatch logging limits apply. For more details about CloudWatch logging limits, see CloudWatch Logs Limits in the Amazon CloudWatch User Guide.

Finding Logs in CloudWatch

Logs that are produced by your Lambda function are grouped in CloudWatch with the same name as the function name in the function's region.