AccessDeniedException [RSLVR-01605] Missing permission to log:* #4346
Labels
bug
This issue is a bug.
p3
This is a minor priority issue
service-api
This issue is due to a problem in a service API, not the SDK implementation.
Describe the bug
When trying to run route53resolver:CreateResolverQueryLogConfig, I get the error message:
AccessDeniedException [RSLVR-01605] Missing permission to log:*
Expected Behavior
I don't think it should ask for permissions to "logs:*".
Isn't it too permissive?
It can lead to problems when trying to follow the least-privilege principle.
I will have a hard time trying to convince my security team to approve this.
Current Behavior
The following exception is thrown:
Reproduction Steps
Lambda code (nodejs 16.x):
My role policies:
Default lambda policy:
Custom added policy:
Possible Solution
The only way to make this work is adding permission to "logs:*" in your role policies:
But I don't think this is ok.
Isn't this too permissive?
Additional Information/Context
No response
SDK version used
2.1310.0 (javascript)
Environment details (OS name and version, etc.)
AWS Lambda running Node.js 16.x
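
An added example, not part of the original issue or the AWS SDK: a small Node.js check that flags `Allow` statements granting an entire service namespace such as `logs:*`, so a workaround like the one described above shows up in policy review. The policy document, account ID and function name are constructed for illustration.

```javascript
// Added example: list Allow statements that grant a whole service namespace
// (for instance "logs:*") so they can be reviewed before a role is approved.
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

function findWildcardGrants(policy) {
  const findings = [];
  asArray(policy.Statement).forEach((stmt, index) => {
    if (stmt.Effect !== "Allow") return; // Deny statements only narrow access
    const anyResource = asArray(stmt.Resource).includes("*");
    // Allow + NotAction grants everything except the listed actions
    if (stmt.NotAction !== undefined) {
      findings.push({ index, action: "NotAction", anyResource });
    }
    for (const action of asArray(stmt.Action)) {
      // "*" alone or "<service>:*" covers every action in the namespace.
      // Partial patterns such as "logs:Create*" are not reported here.
      if (action === "*" || /^[A-Za-z0-9-]+:\*$/.test(action)) {
        findings.push({ index, action, anyResource });
      }
    }
  });
  return findings;
}

// Constructed sample policy (not the reporter's actual role policy).
const samplePolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: "route53resolver:CreateResolverQueryLogConfig", Resource: "*" },
    { Effect: "Allow", Action: ["logs:*"], Resource: "*" },
    {
      Effect: "Allow",
      Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
      Resource: "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/example:*",
    },
    { Effect: "Deny", Action: "logs:*", Resource: "*" },
  ],
};

console.log(findWildcardGrants(samplePolicy));
```
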