AWS lambda medium security documentation change
Summary
Modified IAM policy permissions to restrict logs actions and removed Live Tail session permissions
Security assessment
The changes remove permissions for `logs:StartLiveTail` and `logs:StopLiveTail` actions and restrict log access to Lambda-associated log groups. This reduces excessive permissions, which is a security best practice to enforce least privilege.
Diff
diff --git a/lambda/latest/dg/security-iam-awsmanpol.md b/lambda/latest/dg/security-iam-awsmanpol.md index 521f12f0c..5783ad741 100644 --- a/lambda/latest/dg/security-iam-awsmanpol.md +++ b/lambda/latest/dg/security-iam-awsmanpol.md @@ -70 +70 @@ This policy includes the following permissions: - * `logs` – Allows principals to describe log streams, get log events, filter log events, and to start and stop Live Tail sessions. + * `logs` – Allows principals to describe Amazon CloudWatch log groups. For log groups that are associated with a Lambda function, this policy allows the principal to describe log streams, get log events, and filter log events. @@ -105 +105 @@ This policy includes the following permissions: - * `logs` – Allows principals to describe log streams, get log events, filter log events, and to start and stop Live Tail sessions. + * `logs` – Allows principals to describe Amazon CloudWatch log groups. For log groups that are associated with a Lambda function, this policy allows the principal to describe log streams, get log events, and filter log events. @@ -202 +201,0 @@ Change | Description | Date -[AWSLambda_ReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSLambda_ReadOnlyAccess.html) and [AWSLambda_FullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSLambda_FullAccess.html) – Change | Lambda updated the `AWSLambda_ReadOnlyAccess` and `AWSLambda_FullAccess` policies to allow the `logs:StartLiveTail` and `logs:StopLiveTail` actions. | March 17, 2025