diff --git a/infra/deployment.ts b/infra/deployment.ts
index 5e1b788..149b75d 100644
--- a/infra/deployment.ts
+++ b/infra/deployment.ts
@@ -21,7 +21,7 @@ new aws.iam.RolePolicyAttachment(`${prefix}-policy-codebuild`, {
 role: role.name,
 policyArn: aws.iam.ManagedPolicies.AWSCodeBuildDeveloperAccess,
 });
-new aws.iam.RolePolicy(`${prefix}-role-policy`, {
+new aws.iam.RolePolicy(`${prefix}-role-policy-bucket`, {
 role: role.name,
 policy: pulumi.all([backend.bucket.arn, frontend.bucket.arn]).apply(([be, fe]) => JSON.stringify({
 Version: "2012-10-17",
@@ -42,6 +42,29 @@ new aws.iam.RolePolicy(`${prefix}-role-policy`, {
 ],
 Resource: [ be, fe, ],
 },
+ ]
+ })),
+});
+new aws.iam.RolePolicy(`${prefix}-role-policy-lambda`, {
+ role: role.name,
+ policy: pulumi.all([backend.lambda.arn]).apply(([lambda]) => JSON.stringify({
+ Version: "2012-10-17",
+ Statement: [
+ {
+ Effect: "Allow",
+ Action: [
+ "lambda:UpdateFunctionCode",
+ ],
+ Resource: lambda,
+ },
+ ]
+ })),
+});
+new aws.iam.RolePolicy(`${prefix}-role-policy-logs`, {
+ role: role.name,
+ policy: JSON.stringify({
+ Version: "2012-10-17",
+ Statement: [
 {
 Effect: "Allow",
 Action: [
@@ -52,7 +75,7 @@ new aws.iam.RolePolicy(`${prefix}-role-policy`, {
 Resource: "*",
 },
 ]
- })),
+ }),
 });
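Review bot: Renaming the resource from `${prefix}-role-policy` to `${prefix}-role-policy-bucket` in the first hunk makes Pulumi treat it as a brand-new resource, so the next update deletes the existing inline policy and creates the new one instead of updating it in place. If that replacement is not intended, pass `{ aliases: [{ name: ... }] }` with the old resource name as the resource-options argument so the existing policy is carried over under the new name. The policy document continues outside the hunk.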
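Review bot: The new `${prefix}-role-policy-logs` policy in the second hunk keeps its statement on `Resource: "*"` (the wildcard is visible as context in the last hunk; the action list itself lies between the hunks), and carving the log permissions out into their own policy is the natural moment to scope them to the CodeBuild project's log group, e.g. `Resource: [<log-group-arn>, <log-group-arn> + ":*"]` via the same `pulumi.all(...).apply(...)` pattern the bucket policy already uses. The lambda policy is correctly pinned to `backend.lambda.arn`; if the build step waits on the update (`function-updated`), it will presumably also need `lambda:GetFunctionConfiguration`, worth confirming against the buildspec. Minor style: `pulumi.all([backend.lambda.arn]).apply(([lambda]) => ...)` wraps a single Output, where `backend.lambda.arn.apply(lambda => ...)` reads more directly. Each of the three `RolePolicy` bodies is only partly inside this hunk.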