Restrict log access (#71)

service-cloud-voice · Jun 26, 2024 · 35c4a06 · 35c4a06
1 parent c13e0d2
commit 35c4a06
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/iam_policies/SCVProvisioningPolicy.json b/iam_policies/SCVProvisioningPolicy.json
@@ -6,12 +6,18 @@
             "Effect": "Allow",
             "Action": [
                 "ds:*",
-                "logs:*",
+                "logs:DescribeLogGroups",
                 "lambda:GetEventSourceMapping",
                 "kms:CreateKey"
             ],
             "Resource": "*"
         },
+        {
+            "Sid": "LogsAccess",
+            "Effect": "Allow",
+            "Action": "logs:*",
+            "Resource": "arn:aws:logs:*:<AWS_ACCOUNT_ID>:log-group:*scvbyoaaccesscloudwatchloggroup*"
+        },
         {
             "Sid": "EventsAccess",
             "Effect": "Allow",
@@ -218,4 +224,4 @@
             ]
         }
     ]
-}
+}