Skip to content
/ aws-amplify-logs-s3-lambda-v2 Public
forked from lewis262626/AmplifyLogsToS3

AWS Lambda function to export AWS Amplify Access Logs into S3 bucket

License

MIT license
0 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

sar/aws-amplify-logs-s3-lambda-v2

BranchesTags
 
 

Repository files navigation

AmplifyLogsToS3 v2

An updated v2 of AWS Lambda Function to parse and export AWS Amplify Access Logs onto an S3 bucket. Reads JSON parameters from request event body to allow usage across multiple AWS Amplify deployments, buckets, and regions.

Build

To build this project from source, Makefile is included with build and publish targets.

  1. Restore dependencies with make deps to get started.
  2. Clone .env to set deployment name for an existing function. Create a new Lambda function using the AWS CLI before proceeding.
  3. Run make to build and publish artifacts to AWS Lambda.

See deployment steps below for IAM and CloudWatch task configuration.

Request Format

Parameters required to execute lambda function.

{
    "task": {
        "region": "us-east-1",
        "s3_bucket": "bucket-name",
        "domain_name": "amplify-domain-name",
        "app_id": "amplify-app-id"
    }
}

AWS IAM Role Policy

Role policy can be customized and limited to s3://bucket/prefix using ArnLike: sourceArn of running instance. The default policy uses full access and should only be used for AWS Lambda functions on a private subnet without an attached domain.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AWSAmplifyAccessLogsExporter", "Effect": "Allow", "Action": "amplify:*", "Resource": "*" } ] }

Deployment of lambda requires attaching S3FullAccess and AWSLambdaBasicExecutionPolicy to IAM lambda execution role. Permission scopes should be limited appropriately.

Lambda Requirements

  1. 128MB RAM
  2. 2 minute timeout

CloudWatch CRON Task

Lambda function can be executed automatically every X hours using the following example CRON task. Rules can be created using template provided below, replace parameters rule-name account-id and rule-id json-payload appropriately.

> aws events list-rules
{
    "Rules": [
        {
            "Name": "rule-name",
            "Arn": "arn:aws:events:us-east-1:account-id:rule/rule-name",
            "State": "ENABLED",
            "ScheduleExpression": "cron(0 12 * * ? *)",
            "EventBusName": "default"
        }
    ]
}
> aws events list-targets-by-rule --rule rule_name 
{
    "Targets": [
        {
            "Id": "rule_id",
            "Arn": "arn:aws:lambda:us-east-1:account-id:function:lambda-function-name",
            "Input": "json-payload"
        }
    ]
}

Specify json-payload as an inline string for CloudWatch, see params.json for reference to execute the Lambda function.

Replicate the task in CloudWatch > Events > Rules for every AWS Amplify service to collect and publish logs.

LICENSE

This project is published under the MIT license, for more information refer to LICENSE.

About

AWS Lambda function to export AWS Amplify Access Logs into S3 bucket

Topics

python aws lambda cloud cron aws-lambda aws-s3 logging lambda-functions s3 cloudwatch amplify cloudnative aws-amplify

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Languages

  • Python 63.9%
  • JavaScript 20.8%
  • Makefile 11.6%
  • Shell 3.7%