AWS Create CloudFormation log alert for Lambda

Posted

Tags:

[Title] AWS Create Cloudformation log alert for Lambda [Posted] 2018-01-24 02:15:17 [Question]:

I want to create an alert when something goes wrong in a Lambda function, especially when the lambda throws an exception. I plan to configure an SNS topic to send a message when the alarm is triggered.

All lambdas are created with CloudFormation scripts, so I am searching for a CloudFormation template that configures an alarm on CloudWatch Logs. I have not been able to find a good/working sample. Sample code below.

{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "AWS CloudTrail API Activity Alarm Template for CloudWatch Logs",
  "Parameters" : {
      "LogGroupName" : {
          "Type" : "String",
          "Default" : "CloudTrail/DefaultLogGroup",
          "Description" : "Enter CloudWatch Logs log group name. Default is CloudTrail/DefaultLogGroup"
      },
      "Email" : {
          "Type" : "String",
          "Description" : "Email address to notify when an API activity has triggered an alarm"
      }
  },
  "Resources" : {
    "SecurityGroupChangesAlarm": {
      "Type": "AWS::CloudWatch::Alarm",
      "Properties": {
          "AlarmName" : "CloudTrailSecurityGroupChanges",
          "AlarmDescription" : "Alarms when an API call is made to create, update or delete a Security Group.",
          "AlarmActions" : [ { "Ref" : "AlarmNotificationTopic" } ],
          "MetricName" : "SecurityGroupEventCount",
          "Namespace" : "CloudTrailMetrics",
          "ComparisonOperator" : "GreaterThanOrEqualToThreshold",
          "EvaluationPeriods" : "1",
          "Period" : "300",
          "Statistic" : "Sum",
          "Threshold" : "1"
      }
    },

    "AlarmNotificationTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
          "Subscription": [
              {
                  "Endpoint": { "Ref": "Email" },
                  "Protocol": "email"
              }
          ]
      }
    }
  }
}
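What the question is asking for, a metric filter on the function's log group that feeds a CloudWatch alarm, which in turn notifies an SNS topic, as an added example template. This is not code from the original question or answer; the parameter names FunctionName and Email, the LambdaErrors namespace and the metric name are assumptions chosen for the example. It also adds a second alarm on the built-in AWS/Lambda Errors metric, because a function can fail (timeout, out-of-memory, init error) without ever writing the word "Exception" to its log.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Alarm when a Lambda function logs an exception (added example)
Parameters:
  FunctionName:
    Type: String
    Description: Name of the Lambda to watch; its log group is /aws/lambda/<name>
  Email:
    Type: String
    Description: Address that receives the alarm notification
Resources:
  AlarmTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint: !Ref Email
          Protocol: email
  ExceptionMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Sub '/aws/lambda/${FunctionName}'
      # Terms prefixed with "?" are OR-ed: unhandled exceptions, explicit
      # ERROR-level logging and Python tracebacks all produce a data point.
      FilterPattern: '?Exception ?ERROR ?Traceback'
      MetricTransformations:
        - MetricNamespace: LambdaErrors
          MetricName: !Sub '${FunctionName}-ExceptionCount'
          MetricValue: '1'
          # Emit 0 for periods with log traffic but no match, so the alarm
          # sees a continuous series rather than gaps.
          DefaultValue: 0
  ExceptionAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${FunctionName}-logged-exceptions'
      AlarmDescription: !Sub 'At least one exception logged by ${FunctionName} in the last minute'
      Namespace: LambdaErrors
      MetricName: !Sub '${FunctionName}-ExceptionCount'
      Statistic: Sum
      Period: 60
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      # A quiet function produces no data points; that is healthy, not an alarm.
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlarmTopic
  InvocationErrorAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${FunctionName}-invocation-errors'
      AlarmDescription: !Sub 'Failed invocations of ${FunctionName} (incl. timeouts and OOM kills)'
      Namespace: AWS/Lambda
      MetricName: Errors
      Dimensions:
        - Name: FunctionName
          Value: !Ref FunctionName
      Statistic: Sum
      Period: 60
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlarmTopic
```

Two deployment checks: AWS::Logs::MetricFilter requires the log group to exist when the stack is created, and Lambda only creates /aws/lambda/<name> on the function's first invocation, so either declare an AWS::Logs::LogGroup with that name (with a RetentionInDays) in the function's own stack and reference it, or deploy this stack after the function has run at least once. The email subscription is pending until the recipient clicks the confirmation link SNS sends, and no notifications are delivered before that.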

[Comments]:

[Answer 1]:

For this we need to create a subscription filter on that lambda's log group with FilterPattern: "Exception".

So whenever the word Exception appears in a log message, it triggers the monitor lambda.

Below is the CloudFormation template in YAML that I wrote

Parameters:
  # The posted template referenced these parameters without declaring them;
  # the declarations below are assumed (all plain strings) so that it deploys.
  LogGroupName:
    Type: String
    Description: Name of the Lambda function to monitor (its log group is /aws/lambda/<name>)
  S3BucketName:
    Type: String
  ZipFile:
    Type: String
    Description: S3 key of the zipped monitor function code
  SMTPServer:
    Type: String
  SMTPPort:
    Type: String
  FromEmail:
    Type: String
  ToEmail:
    Type: String
  SecurityGroupId:
    Type: String
    Description: Comma-separated security group IDs for the monitor function
  SubnetIds:
    Type: String
    Description: Comma-separated subnet IDs for the monitor function
Resources:
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - lambda.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: 'AllowLambdaAccess'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Let the monitor function write its own logs (any /aws/lambda/* group).
              - Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Effect: "Allow"
                Resource:
                  Fn::Join:
                    - ''
                    - - 'arn:aws:logs:'
                      - Ref: AWS::Region
                      - ':'
                      - Ref: AWS::AccountId
                      - ':log-group:/aws/lambda/*'
              # ENI management is required because the function runs inside a VPC.
              - Action:
                  - ec2:DescribeNetworkInterfaces
                  - ec2:CreateNetworkInterface
                  - ec2:DeleteNetworkInterface
                Effect: "Allow"
                Resource: "*"
      RoleName: !Sub "${AWS::StackName}-LambdaExecutionRole"
  # Pushes every log event containing "Exception" from the monitored
  # function's log group to the monitor function.
  SubscriptionFilter:
    Type: "AWS::Logs::SubscriptionFilter"
    DependsOn: "LambdaInvokePermission"
    Properties:
      LogGroupName: !Sub "/aws/lambda/${LogGroupName}"
      FilterPattern: "Exception"
      DestinationArn:
        Fn::GetAtt:
          - "LambdaFunction"
          - "Arn"
  LambdaFunction:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        S3Bucket: !Ref S3BucketName
        S3Key: !Ref ZipFile
      Description: Monitor Lambda Function
      Handler: 'index.handler'
      MemorySize: 1536
      Role: !GetAtt
        - LambdaExecutionRole
        - Arn
      # nodejs6.10 has since been deprecated by AWS; use a currently supported
      # Node.js runtime when deploying this today.
      Runtime: nodejs6.10
      Environment:
        Variables:
          SMTP_SERVER: !Ref SMTPServer
          SMTP_PORT: !Ref SMTPPort
          EMAIL_FROM: !Ref FromEmail
          EMAIL_TO: !Ref ToEmail
      Timeout: 300
      FunctionName: !Sub "${AWS::StackName}-LambdaFunction"
      VpcConfig:
        SecurityGroupIds: !Split [ ",", !Ref SecurityGroupId ]
        SubnetIds: !Split [ ",", !Ref SubnetIds ]
    DependsOn:
      - LambdaExecutionRole
  # Allows the CloudWatch Logs service, for this log group only, to invoke the monitor.
  LambdaInvokePermission:
      Type: AWS::Lambda::Permission
      Properties:
        FunctionName: !Ref "LambdaFunction"
        Action: "lambda:InvokeFunction"
        Principal: !Sub "logs.${AWS::Region}.amazonaws.com"
        SourceArn:
            Fn::Join:
                - ''
                - - 'arn:aws:logs:'
                  - Ref: AWS::Region
                  - ':'
                  - Ref: AWS::AccountId
                  - !Sub ':log-group:/aws/lambda/${LogGroupName}*'

[Discussion]:
