AWS Security ChangesHomeSearch

AWS apigateway medium security documentation change

Service: apigateway · 2025-04-25 · Security-related medium

File: apigateway/latest/developerguide/http-api-lambda-authorizer.md

Summary

Added guidance about returning 401 errors directly from Lambda authorizer

Security assessment

Explicitly documents security-related error handling for authorization failures, helping prevent misconfigurations that could expose endpoints. The instruction to avoid specifying identity sources when returning 401 errors directly addresses potential authorization logic conflicts

Diff

diff --git a/apigateway/latest/developerguide/http-api-lambda-authorizer.md b/apigateway/latest/developerguide/http-api-lambda-authorizer.md
index cb7fe9ce0..0be9f81ff 100644
--- a//apigateway/latest/developerguide/http-api-lambda-authorizer.md
+++ b//apigateway/latest/developerguide/http-api-lambda-authorizer.md
@@ -394,0 +395,2 @@ Stage variable | $stageVariables.`variableName` | The value of a [stage variable
+You can also directly return ` {"errorMessage" : "Unauthorized"}` from your Lambda function to return a `401` error to your clients. If you directly return a `401` error from your Lambda function to your clients, don't specify any identity sources when you create your Lambda authorizer.
+