Scope down log permissions in Lambda shortcut(s)

[drboyer]

The Lambda shortcut in this repo currently grants logs:* access, i.e. access to all actions for the log group created by this shortcut:

cloudfriend/lib/shortcuts/lambda.js

Lines 147 to 151 in 05aa50b

	Effect: 'Allow',
	Action: 'logs:*',
	Resource: {
	'Fn::GetAtt': [`${LogicalName}Logs`, 'Arn']
	}

While it's good that this permission is scoped to only the single log group resource, I wonder if we should scope down the actions Lambda functions have access to, by default? Based on other examples, it seems like the only actions required for typical log-writing functionality are:

'logs:CreateLogStream',
'logs:PutLogEvents',
'logs:DescribeLogStreams'

Any reasoning or discussion surrounding scoping down logs:* permissions?

/cc: @rclark @williamhammond

[rclark]

👍 I'd just run out a check that everything works as intended before merging. All the Lambda walkthroughs I've read tell you to assign logs:* on resource * (which is one reason to use this shortcut in the first place), though I think that if the log group already exists then you're right about only needing these 3 actions.