The Lambda shortcut in this repo currently grants `logs:*` access, i.e. access to all actions for the log group created by this shortcut (cloudfriend/lib/shortcuts/lambda.js, lines 147 to 151 in 05aa50b):

```js
// excerpt from cloudfriend/lib/shortcuts/lambda.js, lines 147-151 at 05aa50b
Effect: 'Allow',
Action: 'logs:*',
Resource: {
  'Fn::GetAtt': [`${LogicalName}Logs`, 'Arn']
}
```
While it's good that this permission is scoped to only the single log group resource, I wonder if we should scope down the actions Lambda functions have access to, by default? Based on other examples, it seems like the only actions required for typical log-writing functionality are:

```js
'logs:CreateLogStream',
'logs:PutLogEvents',
'logs:DescribeLogStreams'
```
Any reasoning or discussion surrounding scoping down logs:* permissions?
/cc: @rclark @williamhammond
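To make the proposal concrete, here is an added example (not cloudfriend's own code) that builds the current wildcard statement beside a scoped-down one using only the three actions listed above, plus a small check that flags wildcard actions so `logs:*` cannot creep back into a generated template. `logicalName` stands in for the shortcut's `LogicalName`; the `${LogicalName}Logs` resource name mirrors the excerpt.

```javascript
// Added example, not cloudfriend's code. Assumes the log group is created by the
// shortcut as `${logicalName}Logs`, as in the excerpt above.
const LOG_WRITE_ACTIONS = [
  'logs:CreateLogStream',
  'logs:PutLogEvents',
  'logs:DescribeLogStreams'
];

// What the shortcut emits today: every logs action on the function's log group.
function wildcardLogsStatement(logicalName) {
  return {
    Effect: 'Allow',
    Action: 'logs:*',
    Resource: { 'Fn::GetAtt': [`${logicalName}Logs`, 'Arn'] }
  };
}

// The scoped-down alternative. logs:CreateLogGroup is deliberately absent because
// the shortcut already creates the log group as a stack resource.
function scopedLogsStatement(logicalName) {
  return {
    Effect: 'Allow',
    Action: LOG_WRITE_ACTIONS.slice(),
    Resource: { 'Fn::GetAtt': [`${logicalName}Logs`, 'Arn'] }
  };
}

// Returns the statements whose Action contains a wildcard (`*` or `service:*`).
// Handy as a unit-test guard over the statements a template generator produces.
function findWildcardActions(statements) {
  const isWildcard = (a) => typeof a === 'string' && a.endsWith('*');
  return statements.filter((s) => {
    const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
    return actions.some(isWildcard);
  });
}

if (typeof module !== 'undefined') {
  module.exports = { LOG_WRITE_ACTIONS, wildcardLogsStatement, scopedLogsStatement, findWildcardActions };
}
```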