AWS lambda medium security documentation change
Summary
Updated security group rules to specify correct cluster port and simplify outbound traffic rules
Security assessment
Corrected inbound rules to reference the default cluster port instead of a broker port, preventing potential misconfigurations that could expose unintended ports. This addresses a security risk by ensuring proper network access controls.
Diff
diff --git a/lambda/latest/dg/with-documentdb.md b/lambda/latest/dg/with-documentdb.md index 1260008d3..6fbf9e596 100644 --- a/lambda/latest/dg/with-documentdb.md +++ b/lambda/latest/dg/with-documentdb.md @@ -172 +172 @@ Configure the security groups for the Amazon VPC containing your cluster. By def - * Inbound rules – Allow all traffic on the default broker port for the security group associated with your event source. Alternatively, you can use a self-referencing security group rule to allow access from instances within the same security group. + * Inbound rules – Allow all traffic on the default cluster port for the security group associated with your event source. @@ -174 +174 @@ Configure the security groups for the Amazon VPC containing your cluster. By def - * Outbound rules – Allow all traffic on port `443` for external destinations if your function needs to communicate with AWS services. Alternatively, you can also use a self-referencing security group rule to limit access to the broker if you don't need to communicate with other AWS services. + * Outbound rules – Allow all traffic on port `443` for all destinations. Allow all traffic on the default cluster port for the security group associated with your event source.