AWS apigateway medium security documentation change
Summary
Added guidance about returning 401 errors directly from Lambda authorizer
Security assessment
Explicitly documents security-related error handling for authorization failures, helping prevent misconfigurations that could expose endpoints. The instruction to avoid specifying identity sources when returning 401 errors directly addresses potential authorization logic conflicts
Diff
diff --git a/apigateway/latest/developerguide/http-api-lambda-authorizer.md b/apigateway/latest/developerguide/http-api-lambda-authorizer.md index cb7fe9ce0..0be9f81ff 100644 --- a//apigateway/latest/developerguide/http-api-lambda-authorizer.md +++ b//apigateway/latest/developerguide/http-api-lambda-authorizer.md @@ -394,0 +395,2 @@ Stage variable | $stageVariables.`variableName` | The value of a [stage variable +You can also directly return ` {"errorMessage" : "Unauthorized"}` from your Lambda function to return a `401` error to your clients. If you directly return a `401` error from your Lambda function to your clients, don't specify any identity sources when you create your Lambda authorizer. +