@gradientedge/cdk-utils 5.8.0 → 5.9.0

package/dist/src/lib/manager/aws/iam-manager.d.ts

@@ -30,12 +30,14 @@ export declare class IamManager {
     /**
      * @summary Method to create iam statement to read secrets
      * @param {common.CommonConstruct} scope scope in which this resource is defined
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForReadSecrets(scope: common.CommonConstruct): cdk.aws_iam.PolicyStatement;
+    statementForReadSecrets(scope: common.CommonConstruct, resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to put events
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForPutEvents(): cdk.aws_iam.PolicyStatement;
+    statementForPutEvents(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to invoke lambda function
      * @param {string[]} resourceArns list of ARNs to allow access to
@@ -43,8 +45,9 @@ export declare class IamManager {
     statementForInvokeLambda(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to read app config
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForReadAnyAppConfig(): cdk.aws_iam.PolicyStatement;
+    statementForReadAnyAppConfig(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to list s3 buckets
      * @param {common.CommonConstruct} scope scope in which this resource is defined
@@ -53,38 +56,45 @@ export declare class IamManager {
     statementForListBucket(scope: common.CommonConstruct, bucket: s3.IBucket): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to list all s3 buckets
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForListAllMyBuckets(): cdk.aws_iam.PolicyStatement;
+    statementForListAllMyBuckets(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to get s3 objects in buckets
      * @param {common.CommonConstruct} scope scope in which this resource is defined
      * @param {s3.IBucket} bucket
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForGetAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket): cdk.aws_iam.PolicyStatement;
+    statementForGetAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket, resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to delete s3 objects in buckets
      * @param {common.CommonConstruct} scope scope in which this resource is defined
      * @param {s3.IBucket} bucket
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForDeleteAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket): cdk.aws_iam.PolicyStatement;
+    statementForDeleteAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket, resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to write s3 objects in buckets
      * @param {common.CommonConstruct} scope scope in which this resource is defined
      * @param {s3.IBucket} bucket
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForPutAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket): cdk.aws_iam.PolicyStatement;
+    statementForPutAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket, resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to pass iam role
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForPassRole(): cdk.aws_iam.PolicyStatement;
+    statementForPassRole(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to invalidate cloudfront cache
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForCloudfrontInvalidation(): cdk.aws_iam.PolicyStatement;
+    statementForCloudfrontInvalidation(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam policy to invalidate cloudfront cache
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    policyForCloudfrontInvalidation(): cdk.aws_iam.PolicyDocument;
+    policyForCloudfrontInvalidation(resourceArns?: string[]): cdk.aws_iam.PolicyDocument;
     /**
      * @summary Method to create iam role to invalidate cloudfront cache
      * @param {string} id scoped id of the resource
@@ -99,8 +109,9 @@ export declare class IamManager {
     statementForAssumeRole(scope: common.CommonConstruct, servicePrincipals: iam.ServicePrincipal[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to pass ecs role
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForEcsPassRole(): cdk.aws_iam.PolicyStatement;
+    statementForEcsPassRole(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to run ecs task
      * @param {common.CommonConstruct} scope scope in which this resource is defined
@@ -116,8 +127,9 @@ export declare class IamManager {
     statementForCreateLogStream(scope: common.CommonConstruct, logGroup: logs.CfnLogGroup): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to create any log stream
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForCreateAnyLogStream(): cdk.aws_iam.PolicyStatement;
+    statementForCreateAnyLogStream(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to write log events
      * @param {common.CommonConstruct} scope scope in which this resource is defined
@@ -126,12 +138,14 @@ export declare class IamManager {
     statementForPutLogEvent(scope: common.CommonConstruct, logGroup: logs.CfnLogGroup): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to write any log events
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForPutAnyLogEvent(): cdk.aws_iam.PolicyStatement;
+    statementForPutAnyLogEvent(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to read items from dynamodb table
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForReadTableItems(): cdk.aws_iam.PolicyStatement;
+    statementForReadTableItems(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement for cloud trail
      * @param {string} id scoped id of the resource
@@ -174,7 +188,9 @@ export declare class IamManager {
      * @summary Method to create iam policy for sqs
      * @param {string} id scoped id of the resource
      * @param {common.CommonConstruct} scope scope in which this resource is defined
-     * @param {iam.ServicePrincipal} servicePrinicpal
+     * @param sqsQueue
+     * @param eventBridgeRule
+     * @param servicePrincipals
      */
     createPolicyForSqsEvent(id: string, scope: common.CommonConstruct, sqsQueue: sqs.Queue, eventBridgeRule: events.IRule, servicePrincipals?: iam.ServicePrincipal[]): cdk.aws_iam.PolicyDocument;
 }

package/dist/src/lib/manager/aws/iam-manager.js

@@ -51,22 +51,26 @@ class IamManager {
     /**
      * @summary Method to create iam statement to read secrets
      * @param {common.CommonConstruct} scope scope in which this resource is defined
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForReadSecrets(scope) {
+    statementForReadSecrets(scope, resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['secretsmanager:GetSecretValue'],
-            resources: [`arn:aws:secretsmanager:${cdk.Stack.of(scope).region}:${cdk.Stack.of(scope).account}:secret:*`],
+            resources: resourceArns ?? [
+                `arn:aws:secretsmanager:${cdk.Stack.of(scope).region}:${cdk.Stack.of(scope).account}:secret:*`,
+            ],
         });
     }
     /**
      * @summary Method to create iam statement to put events
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForPutEvents() {
+    statementForPutEvents(resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['events:PutEvents'],
-            resources: ['*'],
+            resources: resourceArns ?? ['*'],
         });
     }
     /**
@@ -82,8 +86,9 @@ class IamManager {
     }
     /**
      * @summary Method to create iam statement to read app config
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForReadAnyAppConfig() {
+    statementForReadAnyAppConfig(resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: [
@@ -100,7 +105,7 @@ class IamManager {
                 'appconfig:GetConfiguration',
                 'appconfig:ListDeployments',
             ],
-            resources: ['*'],
+            resources: resourceArns ?? ['*'],
         });
     }
     /**
@@ -117,74 +122,81 @@ class IamManager {
     }
     /**
      * @summary Method to create iam statement to list all s3 buckets
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForListAllMyBuckets() {
+    statementForListAllMyBuckets(resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['s3:ListAllMyBuckets'],
-            resources: ['*'],
+            resources: resourceArns ?? ['*'],
         });
     }
     /**
      * @summary Method to create iam statement to get s3 objects in buckets
      * @param {common.CommonConstruct} scope scope in which this resource is defined
      * @param {s3.IBucket} bucket
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForGetAnyS3Objects(scope, bucket) {
+    statementForGetAnyS3Objects(scope, bucket, resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['s3:GetObject', 's3:GetObjectAcl'],
-            resources: [bucket.arnForObjects(`*`)],
+            resources: resourceArns ?? [bucket.arnForObjects(`*`)],
         });
     }
     /**
      * @summary Method to create iam statement to delete s3 objects in buckets
      * @param {common.CommonConstruct} scope scope in which this resource is defined
      * @param {s3.IBucket} bucket
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForDeleteAnyS3Objects(scope, bucket) {
+    statementForDeleteAnyS3Objects(scope, bucket, resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['s3:DeleteObject'],
-            resources: [bucket.arnForObjects(`*`)],
+            resources: resourceArns ?? [bucket.arnForObjects(`*`)],
         });
     }
     /**
      * @summary Method to create iam statement to write s3 objects in buckets
      * @param {common.CommonConstruct} scope scope in which this resource is defined
      * @param {s3.IBucket} bucket
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForPutAnyS3Objects(scope, bucket) {
+    statementForPutAnyS3Objects(scope, bucket, resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['s3:PutObject', 's3:PutObjectAcl'],
-            resources: [bucket.arnForObjects(`*`)],
+            resources: resourceArns ?? [bucket.arnForObjects(`*`)],
         });
     }
     /**
      * @summary Method to create iam statement to pass iam role
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForPassRole() {
+    statementForPassRole(resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['iam:PassRole'],
-            resources: ['*'],
+            resources: resourceArns ?? ['*'],
         });
     }
     /**
      * @summary Method to create iam statement to invalidate cloudfront cache
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForCloudfrontInvalidation() {
+    statementForCloudfrontInvalidation(resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['cloudfront:GetInvalidation', 'cloudfront:CreateInvalidation'],
-            resources: ['*'],
+            resources: resourceArns ?? ['*'],
         });
     }
     /**
      * @summary Method to create iam policy to invalidate cloudfront cache
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    policyForCloudfrontInvalidation() {
+    policyForCloudfrontInvalidation(resourceArns) {
         return new iam.PolicyDocument({
             statements: [
                 this.statementForCreateAnyLogStream(),
@@ -198,7 +210,7 @@ class IamManager {
                         'ecr:BatchCheckLayerAvailability',
                         'ecr:GetAuthorizationToken',
                     ],
-                    resources: ['*'],
+                    resources: resourceArns ?? ['*'],
                 }),
             ],
         });
@@ -230,12 +242,13 @@ class IamManager {
     }
     /**
      * @summary Method to create iam statement to pass ecs role
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForEcsPassRole() {
+    statementForEcsPassRole(resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['iam:PassRole'],
-            resources: ['*'],
+            resources: resourceArns ?? ['*'],
             conditions: { StringLike: { 'iam:PassedToService': 'ecs-tasks.amazonaws.com' } },
         });
     }
@@ -270,12 +283,13 @@ class IamManager {
     }
     /**
      * @summary Method to create iam statement to create any log stream
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForCreateAnyLogStream() {
+    statementForCreateAnyLogStream(resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['logs:CreateLogStream'],
-            resources: ['*'],
+            resources: resourceArns ?? ['*'],
         });
     }
     /**
@@ -295,18 +309,20 @@ class IamManager {
     }
     /**
      * @summary Method to create iam statement to write any log events
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForPutAnyLogEvent() {
+    statementForPutAnyLogEvent(resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['logs:PutLogEvents'],
-            resources: ['*'],
+            resources: resourceArns ?? ['*'],
         });
     }
     /**
      * @summary Method to create iam statement to read items from dynamodb table
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForReadTableItems() {
+    statementForReadTableItems(resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: [
@@ -318,7 +334,7 @@ class IamManager {
                 'dynamodb:Query',
                 'dynamodb:GetRecords',
             ],
-            resources: ['*'],
+            resources: resourceArns ?? ['*'],
         });
     }
     /**
@@ -434,10 +450,12 @@ class IamManager {
      * @summary Method to create iam policy for sqs
      * @param {string} id scoped id of the resource
      * @param {common.CommonConstruct} scope scope in which this resource is defined
-     * @param {iam.ServicePrincipal} servicePrinicpal
+     * @param sqsQueue
+     * @param eventBridgeRule
+     * @param servicePrincipals
      */
     createPolicyForSqsEvent(id, scope, sqsQueue, eventBridgeRule, servicePrincipals) {
-        const policy = new iam.PolicyDocument({
+        return new iam.PolicyDocument({
             statements: [
                 new iam.PolicyStatement({
                     actions: ['sqs:*'],
@@ -452,7 +470,6 @@ class IamManager {
                 }),
             ],
         });
-        return policy;
     }
 }
 exports.IamManager = IamManager;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gradientedge/cdk-utils",
-  "version": "5.8.0",
+  "version": "5.9.0",
   "description": "Utilities for AWS CDK provisioning",
   "main": "dist/index.js",
   "engines": {

package/src/lib/manager/aws/iam-manager.ts

@@ -32,23 +32,27 @@ export class IamManager {
   /**
    * @summary Method to create iam statement to read secrets
    * @param {common.CommonConstruct} scope scope in which this resource is defined
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForReadSecrets(scope: common.CommonConstruct) {
+  public statementForReadSecrets(scope: common.CommonConstruct, resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['secretsmanager:GetSecretValue'],
-      resources: [`arn:aws:secretsmanager:${cdk.Stack.of(scope).region}:${cdk.Stack.of(scope).account}:secret:*`],
+      resources: resourceArns ?? [
+        `arn:aws:secretsmanager:${cdk.Stack.of(scope).region}:${cdk.Stack.of(scope).account}:secret:*`,
+      ],
     })
   }
 
   /**
    * @summary Method to create iam statement to put events
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForPutEvents() {
+  public statementForPutEvents(resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['events:PutEvents'],
-      resources: ['*'],
+      resources: resourceArns ?? ['*'],
     })
   }
 
@@ -66,8 +70,9 @@ export class IamManager {
 
   /**
    * @summary Method to create iam statement to read app config
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForReadAnyAppConfig() {
+  public statementForReadAnyAppConfig(resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: [
@@ -84,7 +89,7 @@ export class IamManager {
         'appconfig:GetConfiguration',
         'appconfig:ListDeployments',
       ],
-      resources: ['*'],
+      resources: resourceArns ?? ['*'],
     })
   }
 
@@ -103,12 +108,13 @@ export class IamManager {
 
   /**
    * @summary Method to create iam statement to list all s3 buckets
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForListAllMyBuckets() {
+  public statementForListAllMyBuckets(resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['s3:ListAllMyBuckets'],
-      resources: ['*'],
+      resources: resourceArns ?? ['*'],
     })
   }
 
@@ -116,12 +122,13 @@ export class IamManager {
    * @summary Method to create iam statement to get s3 objects in buckets
    * @param {common.CommonConstruct} scope scope in which this resource is defined
    * @param {s3.IBucket} bucket
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForGetAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket) {
+  public statementForGetAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket, resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['s3:GetObject', 's3:GetObjectAcl'],
-      resources: [bucket.arnForObjects(`*`)],
+      resources: resourceArns ?? [bucket.arnForObjects(`*`)],
     })
   }
 
@@ -129,12 +136,13 @@ export class IamManager {
    * @summary Method to create iam statement to delete s3 objects in buckets
    * @param {common.CommonConstruct} scope scope in which this resource is defined
    * @param {s3.IBucket} bucket
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForDeleteAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket) {
+  public statementForDeleteAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket, resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['s3:DeleteObject'],
-      resources: [bucket.arnForObjects(`*`)],
+      resources: resourceArns ?? [bucket.arnForObjects(`*`)],
     })
   }
 
@@ -142,41 +150,45 @@ export class IamManager {
    * @summary Method to create iam statement to write s3 objects in buckets
    * @param {common.CommonConstruct} scope scope in which this resource is defined
    * @param {s3.IBucket} bucket
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForPutAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket) {
+  public statementForPutAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket, resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['s3:PutObject', 's3:PutObjectAcl'],
-      resources: [bucket.arnForObjects(`*`)],
+      resources: resourceArns ?? [bucket.arnForObjects(`*`)],
     })
   }
 
   /**
    * @summary Method to create iam statement to pass iam role
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForPassRole() {
+  public statementForPassRole(resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['iam:PassRole'],
-      resources: ['*'],
+      resources: resourceArns ?? ['*'],
     })
   }
 
   /**
    * @summary Method to create iam statement to invalidate cloudfront cache
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForCloudfrontInvalidation() {
+  public statementForCloudfrontInvalidation(resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['cloudfront:GetInvalidation', 'cloudfront:CreateInvalidation'],
-      resources: ['*'],
+      resources: resourceArns ?? ['*'],
     })
   }
 
   /**
    * @summary Method to create iam policy to invalidate cloudfront cache
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public policyForCloudfrontInvalidation() {
+  public policyForCloudfrontInvalidation(resourceArns?: string[]) {
     return new iam.PolicyDocument({
       statements: [
         this.statementForCreateAnyLogStream(),
@@ -190,7 +202,7 @@ export class IamManager {
             'ecr:BatchCheckLayerAvailability',
             'ecr:GetAuthorizationToken',
           ],
-          resources: ['*'],
+          resources: resourceArns ?? ['*'],
         }),
       ],
     })
@@ -225,12 +237,13 @@ export class IamManager {
 
   /**
    * @summary Method to create iam statement to pass ecs role
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForEcsPassRole() {
+  public statementForEcsPassRole(resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['iam:PassRole'],
-      resources: ['*'],
+      resources: resourceArns ?? ['*'],
       conditions: { StringLike: { 'iam:PassedToService': 'ecs-tasks.amazonaws.com' } },
     })
   }
@@ -270,12 +283,13 @@ export class IamManager {
 
   /**
    * @summary Method to create iam statement to create any log stream
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForCreateAnyLogStream() {
+  public statementForCreateAnyLogStream(resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['logs:CreateLogStream'],
-      resources: ['*'],
+      resources: resourceArns ?? ['*'],
     })
   }
 
@@ -299,19 +313,21 @@ export class IamManager {
 
   /**
    * @summary Method to create iam statement to write any log events
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForPutAnyLogEvent() {
+  public statementForPutAnyLogEvent(resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['logs:PutLogEvents'],
-      resources: ['*'],
+      resources: resourceArns ?? ['*'],
     })
   }
 
   /**
    * @summary Method to create iam statement to read items from dynamodb table
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForReadTableItems() {
+  public statementForReadTableItems(resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: [
@@ -323,7 +339,7 @@ export class IamManager {
         'dynamodb:Query',
         'dynamodb:GetRecords',
       ],
-      resources: ['*'],
+      resources: resourceArns ?? ['*'],
     })
   }
 
@@ -483,7 +499,9 @@ export class IamManager {
    * @summary Method to create iam policy for sqs
    * @param {string} id scoped id of the resource
    * @param {common.CommonConstruct} scope scope in which this resource is defined
-   * @param {iam.ServicePrincipal} servicePrinicpal
+   * @param sqsQueue
+   * @param eventBridgeRule
+   * @param servicePrincipals
    */
   public createPolicyForSqsEvent(
     id: string,
@@ -492,7 +510,7 @@ export class IamManager {
     eventBridgeRule: events.IRule,
     servicePrincipals?: iam.ServicePrincipal[]
   ) {
-    const policy = new iam.PolicyDocument({
+    return new iam.PolicyDocument({
       statements: [
         new iam.PolicyStatement({
           actions: ['sqs:*'],
@@ -507,7 +525,5 @@ export class IamManager {
         }),
       ],
     })
-
-    return policy
   }
 }