No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hey all! I was playing around with some examples from the docs, in particular the `onObjectCreated` magic function, but Im curious about the permission structure here.
```import * as aws from "@pulumi/aws";

const docsBucket = new aws.s3.Bucket("docs");

docsBucket.onObjectCreated("docsHandler", (event: aws.s3.BucketEvent) =&gt; {
  console.log("WOW A FILE WAS CREATED!");
});```
This will result in role policy attachments that give Full Access to cloudwatch, lambda, dynamo, and more. Is that intended or am I missing something?