diff --git a/dotcom-rendering/cloudformation.yml b/dotcom-rendering/cloudformation.yml
index 62f6afab9ca..1bc9293c894 100644
--- a/dotcom-rendering/cloudformation.yml
+++ b/dotcom-rendering/cloudformation.yml
@@ -242,6 +242,7 @@ Resources:
 
               groupadd frontend
               useradd -r -m -s /usr/bin/nologin -g frontend dotcom-rendering
+              usermod -a -G frontend aws-kinesis-agent-user
               cd /home/dotcom-rendering
 
               aws --region eu-west-1 s3 cp s3://aws-frontend-artifacts/frontend/${Stage}/${App}/dist/${App}.zip ./
diff --git a/dotcom-rendering/src/server/lib/logging.ts b/dotcom-rendering/src/server/lib/logging.ts
index fc81d814439..1a51a846bfa 100644
--- a/dotcom-rendering/src/server/lib/logging.ts
+++ b/dotcom-rendering/src/server/lib/logging.ts
@@ -68,6 +68,8 @@ const enableLog4j = {
 			backups: 5,
 			compress: true,
 			layout: { type: 'json', separator: ',' },
+			// Owner Read & Write, Group Read
+			mode: 0o640,
 		},
 	},
 	categories: {