diff --git a/infrastructure/cdk/lib/condition-check-lambda-stack.ts b/infrastructure/cdk/lib/condition-check-lambda-stack.ts
index ba1e644..0f8bcb7 100644
--- a/infrastructure/cdk/lib/condition-check-lambda-stack.ts
+++ b/infrastructure/cdk/lib/condition-check-lambda-stack.ts
@@ -88,7 +88,7 @@ export class ConditionCheckLambdaStack extends cdk.Stack {
 description: "Execution role for Condition Check Reminder Lambda",
 });
- // CloudWatch Logs permissions
+ // CloudWatch Logs permissions - scoped to this Lambda's log group
 lambdaRole.addToPolicy(
 new iam.PolicyStatement({
 effect: iam.Effect.ALLOW,
@@ -97,16 +97,21 @@ export class ConditionCheckLambdaStack extends cdk.Stack {
 "logs:CreateLogStream",
 "logs:PutLogEvents",
 ],
- resources: ["*"],
+ resources: [
+ `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/condition-check-reminder-${environment}`,
+ `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/condition-check-reminder-${environment}:*`,
+ ],
 })
 );
 
- // SES permissions for sending emails
+ // SES permissions for sending emails - scoped to verified identity
 lambdaRole.addToPolicy(
 new iam.PolicyStatement({
 effect: iam.Effect.ALLOW,
 actions: ["ses:SendEmail", "ses:SendRawEmail"],
- resources: ["*"],
+ resources: [
+ `arn:aws:ses:${this.region}:${this.account}:identity/${sesFromEmail}`,
+ ],
 })
 );
 
diff --git a/infrastructure/cdk/lib/image-processor-lambda-stack.ts b/infrastructure/cdk/lib/image-processor-lambda-stack.ts
index 1072396..19d1ffd 100644
--- a/infrastructure/cdk/lib/image-processor-lambda-stack.ts
+++ b/infrastructure/cdk/lib/image-processor-lambda-stack.ts
@@ -113,7 +113,7 @@ export class ImageProcessorLambdaStack extends cdk.Stack {
 description: "Execution role for Image Processor Lambda",
 });
- // CloudWatch Logs permissions
+ // CloudWatch Logs permissions - scoped to this Lambda's log group
 lambdaRole.addToPolicy(
 new iam.PolicyStatement({
 effect: iam.Effect.ALLOW,
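Review bot: The two new log-group ARNs and the SES identity ARN in the @@ -97,16 +97,21 @@ hunk hardcode the `aws` partition, so the same stack deployed into a GovCloud or China account would emit ARNs that never match and the role would lose its logging and send permissions; replace `arn:aws:` with `arn:${this.partition}:` (or build them with `this.formatArn({ service: 'logs', resource: 'log-group', resourceName: ..., arnFormat: cdk.ArnFormat.COLON_RESOURCE_NAME })`), and the same applies to the image-processor-lambda-stack hunk at @@ -122,7 +122,10 @@. The log-group names also repeat the function name by hand; if the Lambda's `functionName` (defined outside this hunk) ever drifts from `condition-check-reminder-${environment}`, the statement silently stops matching and the function can no longer create its log stream, so referencing the function's own log group (`fn.logGroup.logGroupArn`, or an explicit `logs.LogGroup` passed to both) would keep the two in step. For the SES statement the scoping only works if `sesFromEmail` is itself the verified identity; if only its domain is verified, the identity ARN is `identity/<domain>` and this resource would not match, so a comment such as `// sesFromEmail must be a verified SES address identity, not just an address under a verified domain` (optionally paired with a `ses:FromAddress` condition) would document the assumption where the value is read. `this.region` and `this.account` resolve to pseudo-parameter tokens when the stack has no explicit env, which is fine in the template but means these ARNs cannot be checked at synth time.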
@@ -122,7 +122,10 @@ export class ImageProcessorLambdaStack extends cdk.Stack {
 "logs:CreateLogStream",
 "logs:PutLogEvents",
 ],
- resources: ["*"],
+ resources: [
+ `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/image-processor-${environment}`,
+ `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/image-processor-${environment}:*`,
+ ],
 })
 );