more specific resources in iam policies

This commit is contained in:
jackiettran
2026-01-15 15:31:23 -05:00
parent 942867d94c
commit c6b531d12a
2 changed files with 14 additions and 6 deletions


@@ -88,7 +88,7 @@ export class ConditionCheckLambdaStack extends cdk.Stack {
description: "Execution role for Condition Check Reminder Lambda", description: "Execution role for Condition Check Reminder Lambda",
}); });
// CloudWatch Logs permissions // CloudWatch Logs permissions - scoped to this Lambda's log group
lambdaRole.addToPolicy( lambdaRole.addToPolicy(
new iam.PolicyStatement({ new iam.PolicyStatement({
effect: iam.Effect.ALLOW, effect: iam.Effect.ALLOW,
@@ -97,16 +97,21 @@ export class ConditionCheckLambdaStack extends cdk.Stack {
"logs:CreateLogStream", "logs:CreateLogStream",
"logs:PutLogEvents", "logs:PutLogEvents",
], ],
resources: ["*"], resources: [
`arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/condition-check-reminder-${environment}`,
`arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/condition-check-reminder-${environment}:*`,
],
}) })
); );
// SES permissions for sending emails // SES permissions for sending emails - scoped to verified identity
lambdaRole.addToPolicy( lambdaRole.addToPolicy(
new iam.PolicyStatement({ new iam.PolicyStatement({
effect: iam.Effect.ALLOW, effect: iam.Effect.ALLOW,
actions: ["ses:SendEmail", "ses:SendRawEmail"], actions: ["ses:SendEmail", "ses:SendRawEmail"],
resources: ["*"], resources: [
`arn:aws:ses:${this.region}:${this.account}:identity/${sesFromEmail}`,
],
}) })
); );
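Review bot: The two new log-group ARNs in the `resources` array assume the Lambda is named exactly `condition-check-reminder-${environment}`; the `lambda.Function` definition is outside this hunk, so if its `functionName` differs or is left for CDK to generate, the now-scoped policy denies `logs:CreateLogStream` and `logs:PutLogEvents` and the function runs with no CloudWatch logs while invocations still succeed, which is easy to miss. Hoisting the name into one constant (for example `const functionName = "condition-check-reminder-" + environment;`) and using it both in `log-group:/aws/lambda/${functionName}` and in the function's `functionName` prop ties the two together; if `aws-logs` is already imported, creating the `logs.LogGroup` explicitly and calling `logGroup.grantWrite(lambdaRole)` achieves the same scoping without a hand-written ARN. The literal `arn:aws:` partition also breaks in non-commercial partitions; `arn:${this.partition}:logs:...` avoids that. The SES ARN below (`identity/${sesFromEmail}`) only matches if `sesFromEmail` is the exact identity verified in `this.region`; if the verified identity is the sending domain rather than the address, the ARN needs the domain instead, and a scoped-down `ses:FromAddress` condition would be the cleaner way to pin the sender. The same log-group naming assumption and partition literal apply to the `image-processor-${environment}` ARNs in the ImageProcessorLambdaStack section below; the enclosing constructor starts and ends outside both hunks.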


@@ -113,7 +113,7 @@ export class ImageProcessorLambdaStack extends cdk.Stack {
description: "Execution role for Image Processor Lambda", description: "Execution role for Image Processor Lambda",
}); });
// CloudWatch Logs permissions // CloudWatch Logs permissions - scoped to this Lambda's log group
lambdaRole.addToPolicy( lambdaRole.addToPolicy(
new iam.PolicyStatement({ new iam.PolicyStatement({
effect: iam.Effect.ALLOW, effect: iam.Effect.ALLOW,
@@ -122,7 +122,10 @@ export class ImageProcessorLambdaStack extends cdk.Stack {
"logs:CreateLogStream", "logs:CreateLogStream",
"logs:PutLogEvents", "logs:PutLogEvents",
], ],
resources: ["*"], resources: [
`arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/image-processor-${environment}`,
`arn:aws:logs:${this.region}:${this.account}:log-group:/aws/lambda/image-processor-${environment}:*`,
],
}) })
); );