The module currently assigns CloudWatch Log IAM permissions to the default internal task role (see

). This seems unnecessay since usually the app itself doesn't need those permission. Assigning those to the task execution role is correct.