Frequently asked questions - AWS Lambda

Frequently asked questions

Why is a Lambda function not logging any output?

If a Lambda function is not logging to CloudWatch, first ensure that the function is being invoked by the caller. Check the logs of the calling service and any CloudWatch metrics that indicate an event has triggered the function. Next, check the CloudWatch Logs for the function. All Lambda functions log three lines, even if there is no other explicit logging in the custom code of the function:

            security ops figure 7

If there is no logging appearing in CloudWatch despite the function being invoked, check the permissions of the function. The IAM role must include logging permissions as described in the earlier section Access to CloudWatch Logs, or the function cannot write logs to the service.

How do you apply the principles of least privilege to Lambda functions with a VPC configuration?

Application Design explains why some Lambda functions must be configured with access to a customer’s VPC. In this case, you must ensure that you continue to apply the principles of least privilege in regard to the networking configuration. This includes security groups, and access via subnets, NACLs, and route tables. This ensures that traffic from the Lambda function can only reach its intended services and resources.