
Scope down log permissions in Lambda shortcut(s)

Open · drboyer opened this issue 5 years ago · 1 comment

The Lambda shortcut in this repo currently grants logs:* access, i.e. access to all actions for the log group created by this shortcut:

https://github.com/mapbox/cloudfriend/blob/05aa50b75a6930329f7fb41b3fb21f6f5fe1fa8f/lib/shortcuts/lambda.js#L147-L151

While it's good that this permission is scoped to only the single log group resource, I wonder if we should scope down the actions Lambda functions have access to, by default? Based on other examples, it seems like the only actions required for typical log-writing functionality are:

'logs:CreateLogStream',
'logs:PutLogEvents',
'logs:DescribeLogStreams'

Any reasoning or discussion surrounding scoping down logs:* permissions?

/cc: @rclark @williamhammond

drboyer, Sep 13 '19 17:09

:+1: I'd just run a check that everything works as intended before merging. All the Lambda walkthroughs I've read tell you to assign logs:* on resource * (which is one reason to use this shortcut in the first place), though I think that if the log group already exists then you're right about only needing these 3 actions.

rclark, Sep 15 '19 23:09