From c6b531d12a30e07ad88dc909586025fbfc09cebf Mon Sep 17 00:00:00 2001
From: jackiettran <41605212+jackiettran@users.noreply.github.com>
Date: Thu, 15 Jan 2026 15:31:23 -0500
Subject: [PATCH] more specific resources in iam policies

---
 .../cdk/lib/condition-check-lambda-stack.ts | 13 +++++++++----
 .../cdk/lib/image-processor-lambda-stack.ts | 7 +++++--
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/infrastructure/cdk/lib/condition-check-lambda-stack.ts b/infrastructure/cdk/lib/condition-check-lambda-stack.ts
index ba1e644..0f8bcb7 100644
--- a/infrastructure/cdk/lib/condition-check-lambda-stack.ts
+++ b/infrastructure/cdk/lib/condition-check-lambda-stack.ts
@@ -88,7 +88,7 @@ export class ConditionCheckLambdaStack extends cdk.Stack {
 description: "Execution role for Condition Check Reminder Lambda",
 });
 
- // CloudWatch Logs permissions
+ // CloudWatch Logs permissions - scoped to this Lambda's log group
 lambdaRole.addToPolicy(
 new iam.PolicyStatement({
 effect: iam.Effect.ALLOW,
@@ -97,16 +97,21 @@ export class ConditionCheckLambdaStack extends cdk.Stack {
 "logs:CreateLogStream",
 "logs:PutLogEvents",
 ],
- resources: ["*"],
+ resources: [ `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/condition-check-reminder-${environment}`, `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/condition-check-reminder-${environment}:*`,
+ ],
 })
 );
 
- // SES permissions for sending emails
+ // SES permissions for sending emails - scoped to verified identity
 lambdaRole.addToPolicy(
 new iam.PolicyStatement({
 effect: iam.Effect.ALLOW,
 actions: ["ses:SendEmail", "ses:SendRawEmail"],
- resources: ["*"],
+ resources: [ `arn:aws:ses:${this.region}:${this.account}:identity/${sesFromEmail}`,
+ ],
 })
 );
 
diff --git a/infrastructure/cdk/lib/image-processor-lambda-stack.ts b/infrastructure/cdk/lib/image-processor-lambda-stack.ts
index 1072396..19d1ffd 100644
--- a/infrastructure/cdk/lib/image-processor-lambda-stack.ts
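Review bot: The two log-group ARNs added under `resources` hard-code the function name `condition-check-reminder-${environment}` and the `aws` partition, so if the Lambda's `functionName` (presumably set further down, outside this hunk) is ever renamed, the role can no longer create its log group and the function runs without logs, with no deploy-time error. The safer CDK form is an explicit `logs.LogGroup` for the function plus `logGroup.grantWrite(lambdaRole)`, which keeps the name and the grant together; at minimum replace the literal `aws` with `${this.partition}` so the ARN also resolves in non-commercial partitions. For the SES statement, SES authorizes a send against the ARN of the verified identity, so if what is verified is the sender's domain rather than the address itself, `identity/${sesFromEmail}` will not match and every send is denied — confirm which identity is verified, and if it is the domain, use `identity/<domain>` together with `conditions: { StringEquals: { "ses:FromAddress": sesFromEmail } }` to keep the role limited to the one sender. Both `addToPolicy` calls sit in the constructor, which starts and ends outside the hunk.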
+++ b/infrastructure/cdk/lib/image-processor-lambda-stack.ts
@@ -113,7 +113,7 @@ export class ImageProcessorLambdaStack extends cdk.Stack {
 description: "Execution role for Image Processor Lambda",
 });
 
- // CloudWatch Logs permissions
+ // CloudWatch Logs permissions - scoped to this Lambda's log group
 lambdaRole.addToPolicy(
 new iam.PolicyStatement({
 effect: iam.Effect.ALLOW,
@@ -122,7 +122,10 @@ export class ImageProcessorLambdaStack extends cdk.Stack {
 "logs:CreateLogStream",
 "logs:PutLogEvents",
 ],
- resources: ["*"],
+ resources: [ `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/image-processor-${environment}`, `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/image-processor-${environment}:*`,
+ ],
 })
 );
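Review bot: The two log-group ARNs added under `resources` hand-build the name `image-processor-${environment}` and the `aws` partition, exactly as condition-check-lambda-stack.ts does in the same commit, so a rename of the function's `functionName` (presumably set below, outside this hunk) leaves the role unable to create its log group and the function runs without logs, with no deploy-time error. Prefer an explicit `logs.LogGroup` for the function and `logGroup.grantWrite(lambdaRole)`, which ties the name and the grant together; otherwise use `${this.partition}` in place of the literal `aws`, e.g. `arn:${this.partition}:logs:${this.region}:${this.account}:log-group:/aws/lambda/image-processor-${environment}`. Since the same statement now exists in both stacks, a small shared helper such as `lambdaLogGroupArns(stack, functionName)` would stop the two copies from drifting apart. The enclosing constructor starts and ends outside the hunk.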