[Permissions] Fix permissions to read/delete logs from SSM. (#409)

gmarciani · web-flow · commit 17e535101747 · 2025-04-11T12:25:04.000-04:00
diff --git a/infrastructure/parallelcluster-ui.yaml b/infrastructure/parallelcluster-ui.yaml
@@ -1074,14 +1074,14 @@ Resources:
           - Action:
               - logs:GetLogEvents
             Resource:
-              - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${SsmLogGroup}:*"
-              - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${SsmLogGroup}:log-stream:*"
+              - !Sub "arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:${SsmLogGroup}:*"
+              - !Sub "arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:${SsmLogGroup}:log-stream:*"
             Effect: Allow
             Sid: CloudWatchLogsRead
           - Action:
               - logs:DeleteLogStream
             Resource:
-              - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${SsmLogGroup}:log-stream:*/*/aws-runShellScript/stdout"
+              - !Sub "arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:${SsmLogGroup}:log-stream:*/*/aws-runShellScript/stdout"
             Effect: Allow
             Sid: CloudWatchLogsDelete
 
