
AWS managed policies: Lambda Basic Execution Role

The AWSLambdaBasicExecutionRole is an AWS managed policy, and one of the most common managed policies you should consider using, at least for quick development: it grants the minimum permissions needed to see what your AWS Lambda functions are doing, and without it you won't get any logging output.

{
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}

Like all AWS managed policies, the main issue with this policy is that it's over-permissive: it allows putting log events (i.e. lines) into any log stream in any log group, not just a function's own log group. In practice this is not too much of an issue, since when you assign it to a Lambda function you can trust the AWS Lambda service to do the right thing; but if your function code directly puts events into CloudWatch Logs, then it can also put them into other functions' or services' log groups.
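As an added example (not part of the original post or of any AWS-published code), the following Python builds the scoped-down replacement for this policy that a practitioner would write by hand, pinning CreateLogStream and PutLogEvents to the function's own /aws/lambda/<function-name> log group, and includes a small checker that flags the wildcard-resource grant in the managed policy above. The region, account id and function name are constructed placeholders.

```python
import json
from typing import Any, Dict, List

# Verbatim copy of the AWS managed policy shown above, kept here so the
# checker below has something realistic to inspect.
AWS_LAMBDA_BASIC_EXECUTION_ROLE: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
            ],
            "Effect": "Allow",
            "Resource": "*",
        }
    ],
}

# CloudWatch Logs write actions that should never be granted on "*".
LOG_WRITE_ACTIONS = (
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:*",
)


def scoped_logging_policy(region: str, account_id: str, function_name: str) -> Dict[str, Any]:
    """Build a least-privilege replacement for AWSLambdaBasicExecutionRole.

    CreateLogGroup is allowed on the account's logs namespace, because the
    function's log group may not exist yet when it first runs.  Stream
    creation and event writes are restricted to the function's own log group,
    which Lambda always names /aws/lambda/<function-name>.
    """
    log_group_arn = (
        f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{function_name}:*"
    )
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "logs:CreateLogGroup",
                "Resource": f"arn:aws:logs:{region}:{account_id}:*",
            },
            {
                "Effect": "Allow",
                "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": log_group_arn,
            },
        ],
    }


def _as_list(value: Any) -> List[Any]:
    # IAM lets Statement, Action and Resource be a single string or a list.
    return value if isinstance(value, list) else [value]


def wildcard_log_writes(policy: Dict[str, Any]) -> List[str]:
    """Return the logs write actions an Allow statement grants on Resource "*".

    An empty list means every logs write in the policy is scoped to a
    specific ARN; anything returned is the over-broad grant discussed above.
    """
    findings: List[str] = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in LOG_WRITE_ACTIONS:
                findings.append(action)
    return findings


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own region, account and function.
    scoped = scoped_logging_policy("us-east-1", "123456789012", "my-function")
    print("managed policy wildcard log writes:", wildcard_log_writes(AWS_LAMBDA_BASIC_EXECUTION_ROLE))
    print("scoped policy wildcard log writes:", wildcard_log_writes(scoped))
    print(json.dumps(scoped, indent=2))
```

The checker only looks for a literal "*" resource; a pattern such as arn:aws:logs:*:*:* is just as broad, so extend the resource test if your account's policies use that form.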

Turn off noisy function logging

Unfortunately, the only way to stop a Lambda function from logging is to take away these permissions; there's no configuration option to stop a function logging. This is useful for noisy functions that might be driving up your CloudWatch costs, which can be one of the larger line items in a busy AWS environment.

You can see in the policy metadata in the trackiam repo that it was last updated in May 2015, shortly after the AWS Lambda service was launched in November 2014.