Merge pull request #1 from bbc/restrict-logs-perm

pclifford · pclifford · commit 7a0604c8c72b · 2016-05-10T12:16:13.000+01:00
Restrict CW logs permissions to bare minimum
diff --git a/.gitignore b/.gitignore
@@ -2,3 +2,4 @@
 *.py?
 lambda-monkey.zip
 venv
+.DS_Store
diff --git a/cloudformation/src/lambda.py b/cloudformation/src/lambda.py
@@ -25,7 +25,9 @@
             {
                 "Effect": "Allow",
                 "Action": [
-                    "logs:*",
+                    "logs:CreateLogGroup",
+                    "logs:CreateLogStream",
+                    "logs:PutLogEvents"
                 ],
                 "Resource": "arn:aws:logs:*:*:*"
             },
diff --git a/cloudformation/templates/lambda.json b/cloudformation/templates/lambda.json
@@ -68,7 +68,9 @@
                             "Statement": [
                                 {
                                     "Action": [
-                                        "logs:*"
+                                        "logs:CreateLogGroup",
+                                        "logs:CreateLogStream",
+                                        "logs:PutLogEvents"
                                     ],
                                     "Effect": "Allow",
                                     "Resource": "arn:aws:logs:*:*:*"
