AWS-Lambda Cloudfront日志

Question

当在测试之外发生请求时，我很难获取日志以打印任何内容。 测试不会正确记录日志，但不能记录实际请求。

我读到您需要在IAM配置文件上添加正确的权限。 这就是我的个人资料现在的样子。

---

政策：

AWSLambdaFullAccess

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:*",
                "cognito-identity:ListIdentityPools",
                "cognito-sync:GetCognitoEvents",
                "cognito-sync:SetCognitoEvents",
                "dynamodb:*",
                "events:*",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:PassRole",
                "kinesis:DescribeStream",
                "kinesis:ListStreams",
                "kinesis:PutRecord",
                "lambda:*",
                "logs:*",
                "s3:*",
                "sns:ListSubscriptions",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "sns:Subscribe",
                "sns:Unsubscribe",
                "sns:Publish",
                "sqs:ListQueues",
                "sqs:SendMessage",
                "tag:GetResources",
                "kms:ListAliases",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "iot:GetTopicRule",
                "iot:ListTopicRules",
                "iot:CreateTopicRule",
                "iot:ReplaceTopicRule",
                "iot:AttachPrincipalPolicy",
                "iot:AttachThingPrincipal",
                "iot:CreateKeysAndCertificate",
                "iot:CreatePolicy",
                "iot:CreateThing",
                "iot:ListPolicies",
                "iot:ListThings",
                "iot:DescribeEndpoint",
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
            ],
            "Resource": "*"
        }
    ]
}

AWSLambdaVPCAccessExecutionRole

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "*"
        }
    ]
}

信任关系：

身份提供者edgelambda.amazonaws.com

身份提供者lambda.amazonaws.com

---

我想念什么？ 为什么不会真正向Cloudfront日志发送请求？ 当我尝试从cloudfront发行版中获取内容时，我可以看到lambda函数正在运行。

Answer 1

请在以下政策中附加您现有的角色，

 { "Version": "2012-10-17", "Statement": [ { "Sid": "YOUR_SID", "Effect": "Allow", "Action": ["cloudfront:*"], "Resource": "*" } ] } 

Sid或语句ID是可选的。

值得一看http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/access-control-managing-permissions.html