BetterStackHQ
diff --git a/‎cloudformation/.DS_Store‎
6 KB b/‎cloudformation/.DS_Store‎
6 KB
diff --git a/‎cloudformation/full/better-stack-full.yaml‎
Lines changed: 27 additions & 18 deletions b/‎cloudformation/full/better-stack-full.yaml‎
Lines changed: 27 additions & 18 deletions
@@ -256,42 +256,28 @@ Resources:
           PolicyDocument:
             Version: '2012-10-17'
             Statement:
-              - Sid: CloudWatchAccess
+              - Sid: CloudWatchRead
                 Effect: Allow
                 Action:
                   - cloudwatch:Describe*
                   - cloudwatch:Get*
                   - cloudwatch:List*
-                  - cloudwatch:PutMetricStream
-                  - cloudwatch:DeleteMetricStream
-                  - cloudwatch:StartMetricStreams
-                  - cloudwatch:StopMetricStreams
                 Resource: '*'
-              - Sid: LogsAccess
+              - Sid: LogsRead
                 Effect: Allow
                 Action:
                   - logs:Describe*
                   - logs:Get*
                   - logs:List*
                   - logs:FilterLogEvents
                   - logs:TestMetricFilter
-                  - logs:PutSubscriptionFilter
-                  - logs:DeleteSubscriptionFilter
                 Resource: '*'
-              - Sid: PassLogsSubscriptionRole
-                Effect: Allow
-                Action:
-                  - iam:PassRole
-                Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/better-stack-logs-subscription-role'
-                Condition:
-                  StringEquals:
-                    iam:PassedToService: logs.amazonaws.com
-              - Sid: EC2Access
+              - Sid: EC2Read
                 Effect: Allow
                 Action:
                   - ec2:Describe*
                 Resource: '*'
-              - Sid: TaggingAccess
+              - Sid: TaggingRead
                 Effect: Allow
                 Action:
                   - tag:GetResources
@@ -365,6 +351,29 @@ Resources:
                   - cloudtrail:ListTrails
                   - health:Describe*
                 Resource: '*'
+        - PolicyName: BetterStackWriteAccess
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Sid: MetricStreamManagement
+                Effect: Allow
+                Action:
+                  - cloudwatch:PutMetricStream
+                  - cloudwatch:DeleteMetricStream
+                  - cloudwatch:StartMetricStreams
+                  - cloudwatch:StopMetricStreams
+                Resource: '*'
+              - Sid: LogsSubscriptionManagement
+                Effect: Allow
+                Action:
+                  - logs:PutSubscriptionFilter
+                  - logs:DeleteSubscriptionFilter
+                Resource: '*'
+              - Sid: PassLogsSubscriptionRole
+                Effect: Allow
+                Action:
+                  - iam:PassRole
+                Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/better-stack-logs-subscription-role'
       Tags:
         - Key: Solution
           Value: BetterStack