I want to add a cloudwatch subscription to a AWS lambda logs thereby making my AWS lambda triggered by cloudwatch logs. What permissions should I add to the role which lambda is using to enable this?
1 Answers
1
votes
Your Lambda will by default have access to CloudWatch to write logs (with the default AWSLambdaBasicExecutionRole), however if you want to manually add it this is the policy with the required permissions:
{
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
},
"name": "AWSLambdaBasicExecutionRole",
"id": "xxxxx",
"type": "managed",
"arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}
Lambda function policy for CloudWatch event trigger on Lambda:
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "uuid",
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
},
"Action": "lambda:invokeFunction",
"Resource": "arn:aws:lambda:us-east-x:xxxxxxxxxxxx:function:LambdaFunction",
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:events:us-east-x:xxxxxxxxxxxx:rule/CloudWatchRule"
}
}
}
]
}
