Debugging Tips¶
CloudWatch Logs Filters¶
KMS CMK Usage¶
The application provides some filters to find events for your KMS CMK ARN. Here are some additional filters to explore KMS calls in the application to understand how the key is being used.
Note that these filters will show all matching events, including for any other KMS keys in your account that are not being used in this workshop. If you want to scope it down to just the workshop’s ARN, add an additional constraint like the example KMS CMK constraint specified below.
Open the CloudWatch Logs console.
Filter for
GenerateDataKey
events:{ $.eventName = "GenerateDataKey" }
Filter for
Encrypt
events:{ $.eventName = "Encrypt" }
Filter for
Decrypt
events:{ $.eventName = "Decrypt" }
- Filter for events for a specific KMS CMK:
{ $.resources[0].ARN = "arn:aws:kms:us-east-2:<account>:key/<key>" }
Be sure to substitute the identifiers for account and key appropriately
- Filter for events for a specific KMS CMK:
Tip: use boolean operators
&&
and||
to combine clauses
Lambda Logs¶
If your Lambda is not behaving as you expect after deploying your updated application, you can find logs emitted by the Lambda in the CloudWatch Logs log group prefix of /aws/lambda.
Python Sanity Check¶
To sanity check your Python application before deployment, use flake8
to do a basic sanity check of syntax,
style, and imports.
tox -e flake8