AWS Lambda Function CloudWatch Logging and Permissions Documentation Restricting

It seems like under the aws_lambda_function documentation for CloudWatch Logging and Permissions that the policy could be more restrictive.

Couldn’t you utilize the aws_cloudwatch_log_group ARN output to only allow it to log to that specific ARN?

Also, slightly confused about the purpose of the logs:CreateLogGroup action. We already created the log group in the example, so why do we need to give permission to create a log group?
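An added example, not from the original post or the Terraform AWS provider docs, of the scoping the question describes: the policy grants only logs:CreateLogStream and logs:PutLogEvents on the streams under the pre-created group and omits logs:CreateLogGroup. Function, role and file names are constructed placeholders.

```hcl
# Added example, not from the original post or the provider docs. Names
# ("hello", file paths, role name) are constructed for illustration.

resource "aws_cloudwatch_log_group" "lambda" {
  # Lambda logs to /aws/lambda/<function name>; pre-creating the group lets
  # us set retention instead of Lambda creating an unbounded one on demand.
  name              = "/aws/lambda/hello"
  retention_in_days = 14
}

data "aws_iam_policy_document" "lambda_logging" {
  statement {
    effect = "Allow"
    # logs:CreateLogGroup is deliberately omitted: the group already exists.
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
    # The provider strips the ":*" suffix from arn; append it so the statement
    # covers the log streams under this one group and nothing else.
    resources = ["${aws_cloudwatch_log_group.lambda.arn}:*"]
  }
}

resource "aws_iam_role" "lambda" {
  name = "hello-lambda-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "lambda.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy" "lambda_logging" {
  name   = "hello-lambda-logging"
  role   = aws_iam_role.lambda.id
  policy = data.aws_iam_policy_document.lambda_logging.json
}

resource "aws_lambda_function" "hello" {
  function_name = "hello"
  role          = aws_iam_role.lambda.arn
  handler       = "index.handler"
  runtime       = "python3.9"
  filename      = "lambda.zip"

  # Without logs:CreateLogGroup the group must exist before the first
  # invocation, or that invocation's log output is not delivered.
  depends_on = [aws_cloudwatch_log_group.lambda, aws_iam_role_policy.lambda_logging]
}
```

The trade-off is that the function can no longer create its own group, so the depends_on ordering (and keeping the group's name in sync with function_name) is what keeps logging working.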