{
  "ServerlessEsLogsLambdaIAMRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
      "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "lambda.amazonaws.com"
              ]
            },
            "Action": [
              "sts:AssumeRole"
            ]
          }
        ]
      },
      "Policies": [
        {
          "PolicyName": "cw-to-elasticsearch-policy",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": [
                  "logs:CreateLogGroup",
                  "logs:CreateLogStream",
                  "logs:PutLogEvents"
                ],
                "Resource": "arn:aws:logs:*:*:*"
              },
              {
                "Effect": "Allow",
                "Action": "es:ESHttpPost",
                "Resource": {
                  "Fn::Sub": "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/*"
                }
              },
              {
                "Effect": "Allow",
                "Action": [
                  "ec2:CreateNetworkInterface",
                  "ec2:DescribeNetworkInterfaces",
                  "ec2:DeleteNetworkInterface"
                ],
                "Resource": "*"
              }
            ]
          }
        }
      ]
    }
  }
}