From 57f94c1b2a74b8f72245f02caad99e396e9d5910 Mon Sep 17 00:00:00 2001
From: Brian Connolly <1957900+bdconnolly@users.noreply.github.com>
Date: Wed, 14 Aug 2024 13:59:58 -0400
Subject: [PATCH] Reduce Cloudwatch log permissions (#35)

---
 union-ai-admin/aws/union-ai-admin-role.template.yaml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/union-ai-admin/aws/union-ai-admin-role.template.yaml b/union-ai-admin/aws/union-ai-admin-role.template.yaml
index 89e5782..5dcbd1f 100644
--- a/union-ai-admin/aws/union-ai-admin-role.template.yaml
+++ b/union-ai-admin/aws/union-ai-admin-role.template.yaml
@@ -367,9 +367,7 @@ Resources:
 Resource: '*'
 - Effect: Allow
 Action:
- - logs:GetLogRecord
 - logs:GetLogEvents
- - logs:FilterLogEvents
 Resource:
 - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/eks/opta-*:log-stream:kube-*'
 - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/containerinsights/opta-*/dataplane:log-stream:*'