AWS Security ChangesHomeSearch

AWS lambda medium security documentation change

Service: lambda · 2025-03-19 · Security-related medium

File: lambda/latest/dg/with-documentdb.md

Summary

Updated security group rules to specify correct cluster port and simplify outbound traffic rules

Security assessment

Corrected inbound rules to reference the default cluster port instead of a broker port, preventing potential misconfigurations that could expose unintended ports. This addresses a security risk by ensuring proper network access controls.

Diff

diff --git a/lambda/latest/dg/with-documentdb.md b/lambda/latest/dg/with-documentdb.md
index 1260008d3..6fbf9e596 100644
--- a/lambda/latest/dg/with-documentdb.md
+++ b/lambda/latest/dg/with-documentdb.md
@@ -172 +172 @@ Configure the security groups for the Amazon VPC containing your cluster. By def
-  * Inbound rules – Allow all traffic on the default broker port for the security group associated with your event source. Alternatively, you can use a self-referencing security group rule to allow access from instances within the same security group.
+  * Inbound rules – Allow all traffic on the default cluster port for the security group associated with your event source.
@@ -174 +174 @@ Configure the security groups for the Amazon VPC containing your cluster. By def
-  * Outbound rules – Allow all traffic on port `443` for external destinations if your function needs to communicate with AWS services. Alternatively, you can also use a self-referencing security group rule to limit access to the broker if you don't need to communicate with other AWS services.
+  * Outbound rules – Allow all traffic on port `443` for all destinations. Allow all traffic on the default cluster port for the security group associated with your event source.