User Story
As an Observability Platform product engineer
I want my AWS Lambda functions to follow prescribed best practice from static analysis providers
So that we have a healthy and secure codebase
Value / Purpose
Grafana API key rotator's IAM role (via Terraform module) has wildcard permissions to logs:CreateLogGroup
Useful Contacts
@jacobwoffenden
User Types
Observability Platform Product Engineering
Hypothesis
If we create a KMS CMK encrypted CloudWatch Log group, and provide scoped access to the Lambda's role
Then we can resolve static analysis alerts
Proposal
1. Create KMS CMK
2. Create CloudWatch log group
3. Set logging_log_group to output of 2
4. Update Lambda IAM policy to access KMS and publish to CloudWatch Logs
5. Set attach_cloudwatch_logs_policy to false
6. Set attach_create_log_group_permission to false
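The six proposal steps above, worked through as one Terraform configuration. This is an added example, not code from this issue or from the rotator's Terraform module; the function name, handler, runtime, module version pin, retention period, and the use of `use_existing_cloudwatch_log_group`, `attach_policy_json` and `policy_json` to swap the module's built-in logs policy for a scoped one are assumptions to check against the module inputs linked under Additional Information.

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  function_name  = "grafana-api-key-rotator" # assumed name
  log_group_name = "/aws/lambda/${local.function_name}"
  log_group_arn  = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${local.log_group_name}"
}

# Step 1: KMS CMK. CloudWatch Logs encrypts on the account's behalf, so the
# key policy must let the regional Logs service principal use the key, limited
# by encryption context to log groups in this account.
data "aws_iam_policy_document" "kms" {
  statement {
    sid       = "EnableRootPermissions"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  statement {
    sid       = "AllowCloudWatchLogs"
    effect    = "Allow"
    actions   = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
    }
    condition {
      test     = "ArnLike"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"]
    }
  }
}

resource "aws_kms_key" "logs" {
  description         = "CMK for ${local.function_name} CloudWatch Logs"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.kms.json
}

# Step 2: log group created outside the module and encrypted with the CMK.
resource "aws_cloudwatch_log_group" "lambda" {
  name              = local.log_group_name
  kms_key_id        = aws_kms_key.logs.arn
  retention_in_days = 30 # assumed
}

# Step 4: scoped replacement for the module's default logs policy. The group
# already exists, so logs:CreateLogGroup is not granted at all, and the
# resources are limited to this one log group and this one key.
data "aws_iam_policy_document" "lambda_logs" {
  statement {
    effect    = "Allow"
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${local.log_group_arn}:*"]
  }
  statement {
    effect    = "Allow"
    actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
    resources = [aws_kms_key.logs.arn]
  }
}

module "lambda" {
  source  = "terraform-aws-modules/lambda/aws"
  version = "~> 7.0" # assumed; pin to the version the repo uses

  function_name = local.function_name
  handler       = "main.handler" # assumed
  runtime       = "python3.12"   # assumed
  source_path   = "${path.module}/src"

  # Step 3: point the function at the pre-created group and stop the module
  # creating its own /aws/lambda/<function_name> group (assumed input).
  logging_log_group                 = aws_cloudwatch_log_group.lambda.name
  use_existing_cloudwatch_log_group = true

  # Steps 5 and 6: drop the module's built-in logs policy, then attach the
  # scoped policy from step 4 in its place (attach_policy_json assumed).
  attach_cloudwatch_logs_policy      = false
  attach_create_log_group_permission = false
  attach_policy_json                 = true
  policy_json                        = data.aws_iam_policy_document.lambda_logs.json
}
```

Two checks worth doing on apply: the `AllowCloudWatchLogs` key policy statement is what lets the log group be associated with the key, so an access-denied error on `aws_cloudwatch_log_group` points at the key policy rather than at the Lambda role; and naming the pre-created group `/aws/lambda/<function_name>` keeps it consistent with the group the module would otherwise look up when `use_existing_cloudwatch_log_group` is set.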
Additional Information
https://registry.terraform.io/modules/terraform-aws-modules/lambda/aws/latest?tab=inputs
Definition of Done