Add CloudWatch Logs permissions to Lambda execution role

whummer · claude · whummer · commit dc126cb0a295 · 2026-04-24T09:25:28.000+03:00
Required for logs:PutLogEvents when IAM enforcement is enabled.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/01-serverless-app/terraform/main.tf b/01-serverless-app/terraform/main.tf
@@ -226,6 +226,11 @@ resource "aws_iam_role_policy" "lambda_policy" {
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
+      {
+        Effect   = "Allow"
+        Action   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
+        Resource = "arn:aws:logs:*:*:*"
+      },
       {
         # dynamodb:PutItem intentionally omitted for orders — see 03-iam-enforcement for the IAM demo
         Effect   = "Allow"
