(synthetics): canary permissions for cloudwatch logging are malformed #18910
Closed
Description
What is the problem?
When creating a canary using @aws-cdk/aws-synthetics-alpha version 2.10.0-alpha.0 and using the default role creation, the permissions allow the canary to run but it doesn't create logs in CloudWatch. I've traced this to the policy that is created around logging, which is generated as follows:
{
    "Action": [
        "logs:CreateLogStream",
        "logs:CreateLogGroup",
        "logs:PutLogEvents"
    ],
    "Resource": "arn:aws:logs:::*",
    "Effect": "Allow"
}
The Resource element is missing a region. It can be rectified by adding a more specific policy statement to the cdk code, e.g.
import { PolicyStatement } from 'aws-cdk-lib/aws-iam';

// `canary` is the Canary construct from the reproduction below; `account` is the
// reporter's own variable holding the target account id (undefined falls back to '').
canary.role.addToPrincipalPolicy(
    new PolicyStatement({
        resources: [`arn:aws:logs:eu-west-1:${account ?? ''}:*`],
        actions: ['logs:CreateLogStream', 'logs:CreateLogGroup', 'logs:PutLogEvents'],
    })
);
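The shape of the problem is easy to catch before deployment: a logs ARN has the form arn:aws:logs:<region>:<account>:<resource>, and the generated statement leaves both the region and the account fields empty. The following check, which is an added example and not code from the aws-cdk project, walks an IAM policy document (for instance one pulled out of a synthesized CloudFormation template) and reports every logs:* statement whose Resource ARN has an empty region or account field. The sample policy embedded at the bottom is constructed for this example and contains the exact statement quoted in the issue next to a region-scoped one.

```typescript
// Added example (not from the aws-cdk project): flag logs:* policy statements
// whose Resource ARN is missing the region and/or account field, which is the
// malformed shape reported in this issue ("arn:aws:logs:::*").

interface IamStatement {
  Action: string | string[];
  Resource: string | string[];
  Effect: string;
}

interface IamPolicyDocument {
  Version?: string;
  Statement: IamStatement[];
}

interface ParsedArn {
  partition: string;
  service: string;
  region: string;
  account: string;
  resource: string;
}

// Split an ARN into its colon-delimited fields. Everything after the fifth
// colon belongs to the resource part, which may itself contain colons.
function parseArn(arn: string): ParsedArn | null {
  const parts = arn.split(':');
  if (parts.length < 6 || parts[0] !== 'arn') return null;
  return {
    partition: parts[1],
    service: parts[2],
    region: parts[3],
    account: parts[4],
    resource: parts.slice(5).join(':'),
  };
}

// Return the Resource ARNs of every statement that grants logs:* actions on a
// logs ARN whose region or account field is empty.
function findMalformedLogsArns(doc: IamPolicyDocument): string[] {
  const hits: string[] = [];
  for (const stmt of doc.Statement) {
    const actions = Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action];
    if (!actions.some((a) => a.startsWith('logs:'))) continue;
    const resources = Array.isArray(stmt.Resource) ? stmt.Resource : [stmt.Resource];
    for (const r of resources) {
      if (r === '*') continue; // a bare wildcard has no ARN fields to inspect
      const parsed = parseArn(r);
      if (parsed === null || parsed.service !== 'logs') continue;
      if (parsed.region === '' || parsed.account === '') hits.push(r);
    }
  }
  return hits;
}

// Constructed sample policy: the statement from the issue, a region- and
// account-scoped variant, and an unrelated S3 statement that must be ignored.
const samplePolicy: IamPolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    {
      Action: ['logs:CreateLogStream', 'logs:CreateLogGroup', 'logs:PutLogEvents'],
      Resource: 'arn:aws:logs:::*',
      Effect: 'Allow',
    },
    {
      Action: ['logs:CreateLogStream', 'logs:CreateLogGroup', 'logs:PutLogEvents'],
      Resource: 'arn:aws:logs:eu-west-1:123456789012:*',
      Effect: 'Allow',
    },
    {
      Action: 's3:GetObject',
      Resource: 'arn:aws:s3:::example-bucket/*',
      Effect: 'Allow',
    },
  ],
};

console.log(findMalformedLogsArns(samplePolicy)); // ["arn:aws:logs:::*"]
```

Running this over the policy documents in a synthesized template (the Statement arrays under AWS::IAM::Policy and AWS::IAM::Role resources) turns the symptom described above, a canary that runs but writes no logs, into a failing check at synth time rather than a silent gap in CloudWatch.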
Reproduction Steps
import * as path from 'path';
import { Duration } from 'aws-cdk-lib';
import * as synthetics from '@aws-cdk/aws-synthetics-alpha';
import { Canary, Runtime, Schedule, Test } from '@aws-cdk/aws-synthetics-alpha';

// Inside a Stack/Construct body; `id` is the construct id passed by the caller.
const canary = new Canary(this, id, {
    canaryName: 'Canary',
    schedule: Schedule.rate(Duration.minutes(1)),
    test: Test.custom({
        code: synthetics.Code.fromAsset(path.join(__dirname, 'canary')),
        handler: 'index.handler',
    }),
    runtime: Runtime.SYNTHETICS_NODEJS_PUPPETEER_3_3,
});
What did you expect to happen?
Canary can create and write to CloudWatch logs with default role permissions
What actually happened?
Canary cannot create or write to CloudWatch logs with default role permissions
CDK CLI Version
2.10.0 (build e5b301f)
Framework Version
No response
Node.js Version
v14.15.5
OS
Mac OS / CodeBuild (same results locally and on CI)
Language
Typescript
Language Version
Typescript (4.2.4)
Other information
No response