more specific resources in iam policies

2026-01-15 15:31:23 -05:00
parent 942867d94c
commit c6b531d12a
2 changed files with 14 additions and 6 deletions
--- a/infrastructure/cdk/lib/condition-check-lambda-stack.ts
+++ b/infrastructure/cdk/lib/condition-check-lambda-stack.ts
@@ -88,7 +88,7 @@ export class ConditionCheckLambdaStack extends cdk.Stack {
      description: "Execution role for Condition Check Reminder Lambda",
    });

-    // CloudWatch Logs permissions
+    // CloudWatch Logs permissions - scoped to this Lambda's log group
    lambdaRole.addToPolicy(
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
@@ -97,16 +97,21 @@ export class ConditionCheckLambdaStack extends cdk.Stack {
          "logs:CreateLogStream",
          "logs:PutLogEvents",
        ],
-        resources: ["*"],
+        resources: [
+          `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/condition-check-reminder-${environment}`,
+          `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/condition-check-reminder-${environment}:*`,
+        ],
      })
    );

-    // SES permissions for sending emails
+    // SES permissions for sending emails - scoped to verified identity
    lambdaRole.addToPolicy(
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ["ses:SendEmail", "ses:SendRawEmail"],
-        resources: ["*"],
+        resources: [
+          `arn:aws:ses:${this.region}:${this.account}:identity/${sesFromEmail}`,
+        ],
      })
    );