Access to production logs (in CloudWatch logs and Stackdriver logs in production GCP projects) is currently too wide. Access should be restricted, probably just to DCP security leads.
Approach
[ ] MUST Configure dcp-infra to restrict read, write, and delete access to AWS CloudWatch production logs
[ ] STRETCH GOAL - put GCP projects into dcp-infra and restrict the same permissions on GCP Stackdriver logs