AWS beanstalk Amazon Linux 2 log file permissions

I'm migrated from AL1 to AL2 on AWS Beanstalk. AL2 changed location of my nodejs.log to /var/log/{{.}}.stdout.log I resolved this by adding ryslog.config to .ebexetensions:

files:
  "/opt/elasticbeanstalk/config/private/rsyslog.conf.template":
    mode: "000644"
    owner: root
    group: root
    content: |
      # This rsyslog file redirects Elastic Beanstalk platform logs.
      # Logs are initially sent to syslog, but we also want to divide
      # stdout and stderr into separate log files.

      template(name="SimpleFormat" type="string" string="%msg%\n")
      $EscapeControlCharactersOnReceive off

      {{range .ProcessNames}}if $programname  == '{{.}}' then {
        *.=warning;*.=err;*.=crit;*.=alert;*.=emerg /var/log/nodejs/nodejs.log; SimpleFormat
        *.=info;*.=notice /var/log/nodejs/nodejs.log; SimpleFormat
      }
      {{end}}

Above configuration is working but I have problem with log file permissions. Directory /var/log/nodejs and nodejs.log file are only readable by root (chmod 600), and cloudwatch-agent can't read it. Changing permissions manually do the job, but how can I change the permissions to be created automatically on beanstalk deploy?

How many English words
do you know?
Test your English vocabulary size, and measure
how many words do you know
Online Test
Powered by Examplum