If you have a large number of AWS Lambda functions, logging to CloudWatch can become a huge hidden cost, because there is no way to tell AWS to stop logging to the CloudWatch platform. The only way I have found to do this is to manage a custom IAM policy (attached to each lambda) and explicitly deny access to the logs:... actions:
{
  "Sid": "DisableAllLogs",
  "Resource": "*",
  "Action": [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents"
  ],
  "Effect": "Deny"
}
Now I am trying to refine the policy so that only some lambdas are allowed to log. For that I am using the policy's Condition parameter:
{
  "Sid": "EnableLogsForWantedLambdaTriggers",
  "Resource": "*",
  "Condition": {
    "ArnEquals": {
      "aws:SourceArn": "arn:aws:lambda:REGION:ACCOUNT-ID:function:FUNCTION-NAME"
    }
  },
  "Action": [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents"
  ],
  "Effect": "Allow"
}
But with this, no logs are sent to CloudWatch at all. I think the source ARN is wrong, but I cannot find the right one.
Any clues?
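An added example, not code from the question above: it builds a per-function CloudWatch Logs policy in which the Deny statement itself is narrowed with NotResource to the allow-listed log groups, and runs a minimal model of IAM's evaluation order (a matching explicit Deny wins over any Allow; a request with no matching Allow is implicitly denied; Condition blocks are not modelled) to show why a Deny on Resource "*" cannot be carved out by a later Allow. The region, account id and function names are constructed placeholders; the log-group naming /aws/lambda/<function-name> is Lambda's default.

```python
import json
from fnmatch import fnmatchcase

LOG_WRITE_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]


def log_group_arn(region, account_id, function_name):
    """ARN of a function's default log group; Lambda names it /aws/lambda/<function-name>."""
    return f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{function_name}:*"


def build_deny_all_policy(region, account_id, wanted_functions):
    """Shape from the question: a Deny on every resource plus an Allow for the wanted log groups."""
    allowed = [log_group_arn(region, account_id, f) for f in wanted_functions]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DisableAllLogs", "Effect": "Deny", "Action": LOG_WRITE_ACTIONS, "Resource": "*"},
            {"Sid": "EnableLogsForWantedLambdas", "Effect": "Allow", "Action": LOG_WRITE_ACTIONS, "Resource": allowed},
        ],
    }


def build_allowlist_policy(region, account_id, wanted_functions):
    """Deny log writes everywhere except the allow-listed log groups (NotResource), then Allow those."""
    allowed = [log_group_arn(region, account_id, f) for f in wanted_functions]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyLogsExceptAllowList", "Effect": "Deny", "Action": LOG_WRITE_ACTIONS, "NotResource": allowed},
            {"Sid": "AllowLogsForWantedLambdas", "Effect": "Allow", "Action": LOG_WRITE_ACTIONS, "Resource": allowed},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM-style wildcard matching (* and ?) on action names and resource ARNs
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Minimal model of identity-policy evaluation for one request.
    Returns "explicit-deny", "allow" or "implicit-deny". Condition keys are ignored."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if not _matches(_as_list(stmt["Action"]), action):
            continue
        if "Resource" in stmt and not _matches(_as_list(stmt["Resource"]), resource):
            continue
        if "NotResource" in stmt and _matches(_as_list(stmt["NotResource"]), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"  # a matching explicit Deny ends evaluation
        decision = "allow"
    return decision


if __name__ == "__main__":
    region, account = "eu-west-1", "123456789012"  # constructed placeholders
    wanted = log_group_arn(region, account, "billing-exporter")
    unwanted = log_group_arn(region, account, "chatty-fn")
    variants = [
        ("Deny on * plus Allow", build_deny_all_policy(region, account, ["billing-exporter"])),
        ("NotResource Deny plus Allow", build_allowlist_policy(region, account, ["billing-exporter"])),
    ]
    for name, policy in variants:
        print(name)
        for arn in (wanted, unwanted):
            print("  logs:PutLogEvents on", arn.split("/aws/lambda/")[1], "->", evaluate(policy, "logs:PutLogEvents", arn))
    print(json.dumps(build_allowlist_policy(region, account, ["billing-exporter"]), indent=2))
```

Running it shows the first variant returning "explicit-deny" for the wanted function as well, while the second allows the allow-listed log group and explicitly denies every other one; actions outside the three write actions fall through to the implicit deny in both cases.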