We started to hit, or could hit again, the policy size limit for CloudWatch Logs resources, which are limited to 5120 characters. Reported at slack-thread.
This happened on the dev env, where removed policies didn't get cleaned up properly by CDK (Alexis cleaned this up manually in the dev account). To future-proof against this happening again, it seems that API-GW logs should start with the prefix /aws/vendedlogs/, and AWS natively adds a wildcard to that prefix.
Also, investigate whether adding the write permission to APIGW could also go, as the native policy should cover this?
Another thing to note: it seems that the automatic enablement of the /aws/vendedlogs/ prefix only appears after it hits the limit.
Ref:
To mitigate this, CloudWatch Logs monitors the size of resource policies used by the service that is sending logs, and when it detects that a policy approaches the size limit of 5120 characters, CloudWatch Logs automatically enables /aws/vendedlogs/* in the resource policy for that service. You can then start using log groups with names that start with /aws/vendedlogs/ as the destinations for logs from these services.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html
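A way to audit for the condition described in this issue, as an added example that is not part of the original issue or the project's code: it takes data in the shape returned by `aws logs describe-resource-policies`, measures each policy document against the 5120-character limit, and lists log groups that are granted individually instead of falling under `/aws/vendedlogs/`. The policy names, account ID, region, log group names and the 80% warning threshold are constructed assumptions.

```python
import json

POLICY_LIMIT = 5120               # size limit quoted in the issue, in characters
VENDED_PREFIX = "/aws/vendedlogs/"

def log_group_name(arn):
    """Return the log group name from a log-group ARN, or None for other resources."""
    _, sep, rest = arn.partition(":log-group:")
    return rest.split(":", 1)[0] if sep else None

def audit_policies(describe_output, warn_ratio=0.8):
    """Per policy: document size, nearness to the limit, log groups outside the vended prefix."""
    findings = []
    for policy in describe_output.get("resourcePolicies", []):
        document = policy["policyDocument"]
        statements = json.loads(document).get("Statement", [])
        if isinstance(statements, dict):      # a lone statement may not be wrapped in a list
            statements = [statements]
        non_vended = set()
        for statement in statements:
            resources = statement.get("Resource", [])
            if isinstance(resources, str):
                resources = [resources]
            for arn in resources:
                name = log_group_name(arn)
                if name is not None and not name.startswith(VENDED_PREFIX):
                    non_vended.add(name)
        findings.append({
            "policyName": policy["policyName"],
            "size": len(document),
            "near_limit": len(document) >= warn_ratio * POLICY_LIMIT,
            "non_vended_log_groups": sorted(non_vended),
        })
    return findings

def _policy(name, log_groups):
    # Constructed sample: one statement per log group; account and region are made up.
    statements = [{
        "Effect": "Allow",
        "Principal": {"Service": "delivery.logs.amazonaws.com"},
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": f"arn:aws:logs:eu-west-1:111111111111:log-group:{g}:*",
    } for g in log_groups]
    document = json.dumps({"Version": "2012-10-17", "Statement": statements})
    return {"policyName": name, "policyDocument": document}

SAMPLE = {"resourcePolicies": [
    _policy("per-api-policy", [f"/apigw/dev/service-{i}" for i in range(20)]),
    _policy("vended-policy", ["/aws/vendedlogs/*"]),
]}
```

Running `audit_policies(SAMPLE)` flags the per-log-group policy as close to the limit, while the single wildcard statement under the vended prefix stays small no matter how many log groups it covers.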