AWS AmazonCloudFront documentation change
Summary
Updated terminology and clarified CloudFront permission requirements for Lambda function URL access with OAC
Security assessment
Changes focus on clarifying that CloudFront (rather than OAC abstractly) requires permissions, improving documentation accuracy. While related to security configuration, there's no evidence this addresses a specific vulnerability - rather it enhances existing security documentation clarity.
Diff
diff --git a/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.md b/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.md index c25b2e216..2266bd0e5 100644 --- a//AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.md +++ b//AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.md @@ -34 +34 @@ If you use `PUT` or `POST` methods with your Lambda function URL, your users mus - * Give the OAC permission to access the Lambda function URL + * Grant CloudFront permission to access the Lambda function URL @@ -45 +45 @@ Before you create and set up OAC, you must have a CloudFront distribution with a -### Give the OAC permission to access the Lambda function URL +### Grant CloudFront permission to access the Lambda function URL @@ -47 +47 @@ Before you create and set up OAC, you must have a CloudFront distribution with a -Before you create an OAC or set it up in a CloudFront distribution, make sure the OAC has permission to access the Lambda function URL. Do this after you create a CloudFront distribution, but before you add the OAC to the Lambda function URL in the distribution configuration. +Before you create an OAC or set it up in a CloudFront distribution, make sure that CloudFront has permission to access the Lambda function URL. Do this after you create a CloudFront distribution, but before you add the OAC to the Lambda function URL in the distribution configuration. @@ -53 +53 @@ To update the IAM policy for the Lambda function URL, you must use the AWS Comma -The following AWS CLI command grants the CloudFront service principal (`cloudfront.amazonaws.com`) access to your Lambda function URL. The `Condition` element in the policy allows CloudFront to access Lambda _only_ when the request is on behalf of the CloudFront distribution that contains the Lambda function URL. +The following AWS CLI command grants the CloudFront service principal (`cloudfront.amazonaws.com`) access to your Lambda function URL. The `Condition` element in the policy allows CloudFront to access Lambda _only_ when the request is on behalf of the CloudFront distribution that contains the Lambda function URL. This is the distribution with the Lambda function URL origin that you want to add OAC to. @@ -55 +55 @@ The following AWS CLI command grants the CloudFront service principal (`cloudfro -###### Example : AWS CLI command to update a policy to allow read-only access to a CloudFront OAC +###### Example : AWS CLI command to update a policy to allow read-only access for a CloudFront distribution with OAC enabled @@ -257 +257 @@ The template demonstrates how to handle signed payload hash values in the x-amz- - * Supports file uploads by using multipart form data + * Supports file uploads by using multi-part form data