CreateLogGroup & PutLogEvents policies are getting too large

Hello folks!

I hope you could help me here. Recently I hit the 10240 byte IAM role policy limit when deploying my stack. I was inspecting the generated template and I observed that the CreateLogGroup and PutLogEvents clauses are large because they list all of the functions in my stack. For example:

          "Effect": "Allow",
          "Action": [
            "logs:CreateLogStream"
          ],
          "Resource": [
            {
              "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/foo-function:*"
            },
            {
              "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/bar-function:*"
            },
            ...

I think I read somewhere that it adds an explicit entry in the Resources section for each function in my stack because I explicitly name them. Above is just an example, but I have over 20 functions and this makes the policy very large since the same happens with PutLogEvents.

Is there a way to avoid this? For example, can I tell the framework to not create this part of the policy so that I can create it manually? I looked everywhere and could not find anything useful.

Any advice is welcome and will be greatly appreciated.

Best regards,

  • mess

Have a look at Custom IAM Roles in the Serverless documentation.
There you can get very detailed and control every aspect of your IAM permissions.

Hope it helps.

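An added example, not part of the thread or the Serverless documentation: a `serverless.yml` sketch of the custom-role approach suggested above, where one prefix-scoped log resource replaces the per-function list. The service name `myapp`, the role's logical ID `lambdaExecutionRole`, the handlers and the shared `myapp-` function-name prefix are all assumptions made for illustration.

```yaml
# Added example. Assumes every function name starts with the hypothetical prefix "myapp-".
service: myapp

provider:
  name: aws
  iam:
    role: lambdaExecutionRole        # older framework versions use provider.role

functions:
  foo:
    name: myapp-foo-function         # explicit names that keep the shared prefix
    handler: handler.foo
  bar:
    name: myapp-bar-function
    handler: handler.bar

resources:
  Resources:
    lambdaExecutionRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service: lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: lambda-logs
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                # One resource entry covers all functions, so the policy size
                # no longer grows with the number of functions.
                # Scoped to the prefix rather than /aws/lambda/*, so the role
                # cannot write to log groups of unrelated functions.
                # logs:CreateLogGroup is left out on the assumption that the
                # log groups are created by the stack itself.
                - Effect: Allow
                  Action:
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                  Resource:
                    - Fn::Sub: "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/myapp-*:*"
```

With a custom role the framework no longer generates the default one, so any other permissions the functions need have to be added to this role as well.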

That works for me. Thanks a lot!
