Lambda IAM policy

Create a policy to be able to write logs and push metrics to CloudWatch:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/, if you're not signed in already.
  2. In the IAM navigation pane, choose Policies.
  3. Choose Create policy.
  4. Choose the JSON tab.
  5. Type or copy and paste the following JSON document:
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [
             "logs:CreateLogGroup",
             "logs:CreateLogStream",
             "logs:PutLogEvents",
             "logs:DescribeLogStreams"
           ],
           "Resource": [
             "arn:aws:logs:*:*:*"
           ]
         },
         {
           "Effect": "Allow",
           "Action": [
             "cloudwatch:PutMetricData"
           ],
           "Resource": "*"
         }
       ]
     }

The main idea of this policy is to allow the Lambda function to create CloudWatch log groups and log streams, write log events into those streams, and describe the streams. I've also added a second statement that allows the function to put metric data, which is required if you want to push custom monitoring metrics.

  1. Choose Review Policy.
  2. On Review Policy, type lambda-cloud-write for the name.
  3. Choose Create Policy.
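
The policy above grants the log actions on every log group in every region and account (`arn:aws:logs:*:*:*`). The following is an added example, not part of the original text: it narrows that policy to a single function's log group and a single metric namespace, and reports which statements are still unscoped. The region, account ID, function name and namespace are constructed placeholder values.

```python
import json

# The policy from step 5 above, exactly as given on the page.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                    "logs:PutLogEvents", "logs:DescribeLogStreams"],
         "Resource": ["arn:aws:logs:*:*:*"]},
        {"Effect": "Allow",
         "Action": ["cloudwatch:PutMetricData"],
         "Resource": "*"},
    ],
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def scope_policy(policy, region, account_id, function_name, namespace):
    """Return a copy limited to one function's log group and one metric namespace."""
    # Lambda writes to /aws/lambda/<function name>; the trailing :* is the
    # log-group ARN form used in IAM policies for log actions.
    log_group = (f"arn:aws:logs:{region}:{account_id}:"
                 f"log-group:/aws/lambda/{function_name}:*")
    scoped = json.loads(json.dumps(policy))  # deep copy, original stays untouched
    for stmt in scoped["Statement"]:
        actions = as_list(stmt["Action"])
        if all(a.startswith("logs:") for a in actions):
            stmt["Resource"] = [log_group]
        elif actions == ["cloudwatch:PutMetricData"]:
            # PutMetricData has no resource-level permissions, so Resource
            # stays "*" and the cloudwatch:namespace condition key limits it.
            stmt["Condition"] = {"StringEquals": {"cloudwatch:namespace": namespace}}
    return scoped

def unscoped_statements(policy):
    """Indexes of Allow statements with a wildcard resource and no Condition."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        wild = any(r == "*" or r.endswith(":*:*:*") for r in as_list(stmt["Resource"]))
        if stmt["Effect"] == "Allow" and wild and "Condition" not in stmt:
            hits.append(i)
    return hits

if __name__ == "__main__":
    # Constructed placeholder values; substitute your own.
    tight = scope_policy(PAGE_POLICY, "us-east-1", "123456789012", "my-function", "MyApp")
    print(json.dumps(tight, indent=2))
```

The printed JSON can be pasted into the JSON tab in step 5 in place of the broader document.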