diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 395404e8..490f7605 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.88.0 + rev: v1.88.4 hooks: - id: terraform_fmt - id: terraform_docs diff --git a/iam.tf b/iam.tf index 8a9378d5..280138ea 100644 --- a/iam.tf +++ b/iam.tf @@ -6,20 +6,18 @@ data "aws_iam_policy_document" "sns_feedback" { count = local.create_sns_feedback_role ? 1 : 0 statement { - sid = "PermitDeliveryStatusMessagesToCloudWatchLogs" + sid = "SnsAssume" effect = "Allow" actions = [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:PutMetricFilter", - "logs:PutRetentionPolicy" + "sts:AssumeRole", + "sts:TagSession", ] - resources = [ - "*" - ] + principals { + type = "Service" + identifiers = ["sns.amazonaws.com"] + } } } @@ -33,5 +31,8 @@ resource "aws_iam_role" "sns_feedback_role" { permissions_boundary = var.sns_topic_feedback_role_permissions_boundary assume_role_policy = data.aws_iam_policy_document.sns_feedback[0].json - tags = merge(var.tags, var.sns_topic_feedback_role_tags) + tags = merge( + var.tags, + var.sns_topic_feedback_role_tags, + ) }
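Review bot: The new trust statement in the iam.tf hunk lets SNS assume this role on behalf of any account, because the `principals` block for `sns.amazonaws.com` carries no `condition`; AWS recommends scoping service-principal trust with `aws:SourceAccount` (and, where practical, `aws:SourceArn` of the topic) to close the confused-deputy path. The five `logs:*` actions removed here can no longer be granted by this document once it is used only as `assume_role_policy`, so they must live on a permissions policy attached to the role (`aws_iam_role_policy` or a policy attachment); that policy is not in this diff, so confirm it exists elsewhere or is added, otherwise delivery-status logging will fail with AccessDenied. `sts:TagSession` is only needed if SNS passes session tags, which it does not appear to require here; dropping it keeps the trust policy minimal. The enclosing `data "aws_iam_policy_document" "sns_feedback"` block opens before this hunk, and the account-id source used below (e.g. `data.aws_caller_identity.current`) would need to be declared in the module if it is not already.

```hcl
    # … unchanged: sid, effect, actions, principals …

    # Confused-deputy guard: only SNS acting for this account may assume the role.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
```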