scope down permissions for sqs and kinesis stream targets

packages/@aws-cdk/aws-scheduler-targets-alpha/lib/kinesis-stream-put-record.ts

@@ -47,7 +47,8 @@ export class KinesisStreamPutRecord extends ScheduleTargetBase implements ISched
       throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(this.stream.node)} in account ${this.stream.env.account}. Both the target and the execution role must be in the same account.`);
     }
 
-    this.stream.grantWrite(role);
+    this.stream.grant(role, 'kinesis:PutRecord', 'kinesis:PutRecords');
+    this.stream.encryptionKey?.grant(role, 'kms:GenerateDataKey*');
   }
 
   protected bindBaseTargetConfig(_schedule: ISchedule): ScheduleTargetConfig {
@@ -58,4 +59,4 @@ export class KinesisStreamPutRecord extends ScheduleTargetBase implements ISched
       },
     };
   }
-}
+}

packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sqs-send-message.ts

@@ -62,7 +62,8 @@ export class SqsSendMessage extends ScheduleTargetBase implements IScheduleTarge
       throw new Error(`Cannot grant permission to execution role in account ${this.props.role.env.account} to invoke target ${Names.nodeUniqueId(this.queue.node)} in account ${this.queue.env.account}. Both the target and the execution role must be in the same account.`);
     }
 
-    this.queue.grantSendMessages(role);
+    this.queue.grant(role, 'sqs:SendMessage');
+    this.queue.encryptionMasterKey?.grant(role, 'kms:Decrypt', 'kms:GenerateDataKey*');
   }
 
   protected bindBaseTargetConfig(_schedule: ISchedule): ScheduleTargetConfig {
@@ -73,4 +74,4 @@ export class SqsSendMessage extends ScheduleTargetBase implements IScheduleTarge
       },
     };
   }
-}
+}

packages/@aws-cdk/aws-scheduler-targets-alpha/lib/target.ts

@@ -16,10 +16,6 @@ export interface ScheduleTargetBaseProps {
    * permissions to interact with the templated target. If you wish you may specify your own IAM role, then the templated targets
    * will grant minimal required permissions.
    *
-   * Universal target automatically create an IAM role if you do not specify your own IAM role.
-   * However, in comparison with templated targets, for universal targets you must grant the required
-   * IAM permissions yourself.
-   *
    * @default - created by target
    */
   readonly role?: iam.IRole;

packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.inspector-start-assessment-run.ts

@@ -44,5 +44,3 @@ integrationTest.assertions.awsApiCall('Inspector', 'listAssessmentRuns', {
   interval: cdk.Duration.seconds(30),
   totalTimeout: cdk.Duration.minutes(10),
 });
-
-app.synth();

packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-data-firehose-put-record.ts

@@ -69,5 +69,3 @@ if (objects instanceof AwsApiCall && objects.waiterProvider) {
     Resource: ['*'],
   });
 }
-
-app.synth();

packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/aws-cdk-scheduler-targets-kinesis-stream-put-record.template.json

@@ -19,8 +19,8 @@
      ]
     }
    },
-   "UpdateReplacePolicy": "Retain",
-   "DeletionPolicy": "Retain"
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
   },
   "Schedule83A77FD1": {
    "Type": "AWS::Scheduler::Schedule",
@@ -106,7 +106,6 @@
      "Statement": [
       {
        "Action": [
-        "kinesis:ListShards",
         "kinesis:PutRecord",
         "kinesis:PutRecords"
        ],

packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.ts

@@ -21,6 +21,7 @@ const partitionKey = 'key';
 const stream = new Stream(stack, 'MyStream', {
   streamName,
   shardCount: 1,
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
 });
 
 new scheduler.Schedule(stack, 'Schedule', {
@@ -58,4 +59,3 @@ getRecords.assertAtPath(
   totalTimeout: cdk.Duration.minutes(10),
 });
 
-app.synth();

packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sage-maker-start-pipeline-execution.ts

@@ -135,5 +135,3 @@ integrationTest.assertions.awsApiCall('Sagemaker', 'listPipelineExecutions', {
   interval: cdk.Duration.seconds(30),
   totalTimeout: cdk.Duration.minutes(10),
 });
-
-app.synth();

packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/aws-cdk-schedule-dlq.template.json

@@ -27,29 +27,23 @@
    "Properties": {
     "PolicyDocument": {
      "Statement": [
-      {
-       "Action": [
-        "sqs:GetQueueAttributes",
-        "sqs:GetQueueUrl",
-        "sqs:SendMessage"
-       ],
-       "Effect": "Allow",
-       "Resource": {
-        "Fn::GetAtt": [
-         "ScheduleTargetQueueFA42B954",
-         "Arn"
-        ]
-       }
-      },
       {
        "Action": "sqs:SendMessage",
        "Effect": "Allow",
-       "Resource": {
-        "Fn::GetAtt": [
-         "ScheduleDeadLetterQueue0D6B48D2",
-         "Arn"
-        ]
-       }
+       "Resource": [
+        {
+         "Fn::GetAtt": [
+          "ScheduleDeadLetterQueue0D6B48D2",
+          "Arn"
+         ]
+        },
+        {
+         "Fn::GetAtt": [
+          "ScheduleTargetQueueFA42B954",
+          "Arn"
+         ]
+        }
+       ]
       }
      ],
      "Version": "2012-10-17"

packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/aws-cdk-schedule.template.json

@@ -92,11 +92,7 @@
     "PolicyDocument": {
      "Statement": [
       {
-       "Action": [
-        "sqs:GetQueueAttributes",
-        "sqs:GetQueueUrl",
-        "sqs:SendMessage"
-       ],
+       "Action": "sqs:SendMessage",
        "Effect": "Allow",
        "Resource": {
         "Fn::GetAtt": [