Disable CloudWatch to monitor logs for Lambda function

Question

Is there any possible way to disable CloudWatch to log Lambda Function's events? If possible, then what are the steps to do this.

Looks like using a policy to block access would work? https://stackoverflow.com/questions/39208258/how-to-stop-aws-lambda-function-to-log-on-cloudwatch — Jorg Roper, Jul 04 '18 at 06:20

Vijay · Answer 1 · 2022-02-02T07:29:19.983

20

There is no flag/toggle/switch or a direct way to disable the CloudWatch logs for a lambda function. One workaround is you can add the following inline policy to your role to disable the CloudWatch logs.

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Deny",
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Resource": [
            "arn:aws:logs:*:*:*"
        ]
    }
  ]
}

You can change the "Deny" to "Allow" when you require logging again.

See for more details.

edited Feb 02 '22 at 07:29

answered Jan 09 '20 at 13:39

Vijay

558
6
22

1

Does anyone one know if this `Deny` effect has any averse side effects? i.e. does AWS have a limit to these deny attempts / calls? – James Maguire Nov 15 '21 at 08:45
I don't think so. There is a limit on the number of calls you can make to all of the AWS APIs in general though, as long as you're not exceeding that you'll be OK. – Luke Feb 08 '22 at 23:49

score 19 · Accepted Answer · answered Jul 04 '18 at 06:22

19

As per my understanding log output is generated by as a default behavior if you do any tests with lambda function. However, the logs are stored in CloudWatch log group only if your lambda role has permission to write to CloudWatch.

answered Jul 04 '18 at 06:22

lohith

216
2
5

Thanks for showing direction. I will make changes in lambda role to deny writing logs to CloudWatch. – Richa Sharma Jul 04 '18 at 07:02

Disable CloudWatch to monitor logs for Lambda function

2 Answers2

Linked