Question 10
Domain 2: Security Logging and Monitoring
An AWS Lambda function was misused to alter data, and a security engineer must identify who invoked the function and what output was produced. The engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs. Which of the following explains why the logs are not available?
Correct answer: A
Explanation
AWS Lambda writes function logs to Amazon CloudWatch Logs only when its execution role allows log delivery. If the role lacks permissions to "write log data to CloudWatch Logs," the function can still run, but no logs are created there, so the engineer cannot find invocation or output records.
Why each option is right or wrong
A. The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.
Under the AWS Lambda logging model, the function’s execution role must allow CloudWatch Logs delivery actions such as logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents; without those permissions, Lambda can still invoke and complete the code path, but it cannot publish the invocation/output records to CloudWatch Logs. In this fact pattern, the absence of any log stream is explained by missing log-write permissions in the execution role, not by the function’s behavior or the investigator’s search method.
B. The Lambda function was invoked by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.
API Gateway can invoke Lambda, but Lambda execution logs are still generally sent to CloudWatch Logs.
C. The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.
CloudWatch Logs is the logging service; Lambda does not write its standard logs directly to an S3 bucket.
D. The version of the Lambda function that was invoked was not current.
Invoking a noncurrent version affects code selection, not whether CloudWatch logging works.
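To make the point behind option A concrete, here is an added example (not part of the original question or of any AWS tooling) that checks whether an execution role's identity policies allow the three CloudWatch Logs actions named in the explanation. The two policy documents are constructed for illustration: one resembles a role that only grants data-plane access and therefore produces no logs, the other adds the same log-delivery permissions that AWS's AWSLambdaBasicExecutionRole managed policy grants. The checker ignores Resource constraints and NotAction statements, so it is a screening aid rather than a substitute for IAM's own policy evaluation.

```python
import fnmatch

# The CloudWatch Logs actions a Lambda execution role needs in order for
# Lambda to create the log group/stream and publish invocation output.
REQUIRED_LOG_ACTIONS = {
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
}


def _as_list(value):
    """IAM allows Statement/Action to be either a single item or a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and patterns may use '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_log_actions(policy_documents):
    """Return the required log actions that the given identity policies do not allow.

    A required action counts as allowed when some Allow statement matches it and
    no Deny statement matches it. Resource constraints and NotAction are ignored
    (constructed checker, not AWS's own evaluation logic).
    """
    allowed, denied = set(), set()
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement", [])):
            effect = stmt.get("Effect")
            for pattern in _as_list(stmt.get("Action", [])):
                for action in REQUIRED_LOG_ACTIONS:
                    if _action_matches(pattern, action):
                        (allowed if effect == "Allow" else denied).add(action)
    return REQUIRED_LOG_ACTIONS - (allowed - denied)


# Constructed policy resembling a role that can touch data but cannot log:
# the function still runs, and CloudWatch Logs stays empty (the scenario in option A).
BROKEN_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/example-table",
        }
    ],
}

# Constructed corrected policy: same data access plus the log-delivery actions.
FIXED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/example-table",
        },
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "*",
        },
    ],
}


def report(label, policy_documents):
    """Human-readable summary for one role's policies."""
    missing = missing_log_actions(policy_documents)
    if missing:
        return f"{label}: no CloudWatch logs expected; missing {sorted(missing)}"
    return f"{label}: CloudWatch log delivery permitted"


if __name__ == "__main__":
    print(report("broken-role", [BROKEN_ROLE_POLICY]))
    print(report("fixed-role", [FIXED_ROLE_POLICY]))
```

In practice you would feed the checker the policy documents attached to the function's execution role (inline policies plus attached managed policies) and treat any non-empty result as the reason an investigation finds no log stream for the function.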