AWS Certified Security – Specialty — Question 502

An AWS Lambda function was misused to alter data, and a Security Engineer must identify who invoked the function and what output was produced. The Engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.
Which of the following explains why the logs are not available?

Answer options

• A. The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.
• B. The Lambda function was executed by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.
• C. The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.
• D. The version of the Lambda function that was executed was not current.

Correct answer: A

Explanation

For an AWS Lambda function to successfully write logs to Amazon CloudWatch Logs, its execution role must be granted permissions to create log groups, create log streams, and put log events (typically via the AWSLambdaBasicExecutionRole policy). Without these permissions, the Lambda service cannot send log data to CloudWatch. The other options are incorrect because API Gateway integrations do not bypass Lambda logging, CloudWatch Logs does not require Lambda-to-S3 write permissions for standard logging, and invoking older versions of a function still generates logs.