AWS config high security documentation change
Summary
Added note requiring fixed values in Lambda resource policies
Security assessment
Mitigates risk of unintended public access by restricting policy variables that could create broad permissions
Diff
diff --git a/config/latest/developerguide/lambda-function-public-access-prohibited.md b/config/latest/developerguide/lambda-function-public-access-prohibited.md index da709bff2..7e01b435a 100644 --- a//config/latest/developerguide/lambda-function-public-access-prohibited.md +++ b//config/latest/developerguide/lambda-function-public-access-prohibited.md @@ -16,0 +17,4 @@ The rule is also `NON_COMPLIANT` if a Lambda function is invoked from Amazon S3, +###### Note + +To be considered non-public, a Lambda resource-based policy must grant access only to fixed values. This means values that don't contain a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables). +