Need help figuring out AWS role for functionbeat

Elastic Stack Beats
1

https://www.elastic.co/guide/en/beats/functionbeat/7.x/configuration-functionbeat-options.html#functionbeat-role says that I can add a parameter named role to my functionbeat config.

Where to add it? I'm guessing it's meant as an attribute of an item in the functionbeat.provider.aws.functions list. Is that correct? If not, where to put it?

The value of the role attribute is said to be an aws role's arn. https://www.elastic.co/guide/en/beats/functionbeat/7.x/iam-permissions.html describes the actions that need to be in the role policy, but does not say anything about which resources these actions will be allowed on. It just cites '*' for the resource. My employer's policy doesn't allow me to say that. So, I have to be more specific. What resources should I cite as part of the policy?

Thanks!

2

Please look at the docs: Configure AWS functions | Functionbeat Reference [7.16] | Elastic

functionbeat.provider.aws.functions:
  - name: cloudwatch
    enabled: true
    type: cloudwatch_logs
    description: "lambda function for cloudwatch logs"
    triggers:
      - log_group_name: /aws/lambda/my-lambda-function
    role: arn:aws:iam::123456789012:role/MyFunction
3

Obviously, I have looked at that url - it's the same one I put in my original post. And, if you have a look, you will see that it neither explicitly says where to put it, nor shows an example. Your example matches what I posted as a guess. It would be clearer for all if the doc simply said so, or if you had said , "yes, that is the implied location".

What about my 2nd question? Which resources to cite in the policy?