AWS Security ChangesHomeSearch

AWS config high security documentation change

Service: config · 2025-05-31 · Security-related high

File: config/latest/developerguide/lambda-function-public-access-prohibited.md

Summary

Added note requiring fixed values in Lambda resource policies

Security assessment

Mitigates risk of unintended public access by restricting policy variables that could create broad permissions

Diff

diff --git a/config/latest/developerguide/lambda-function-public-access-prohibited.md b/config/latest/developerguide/lambda-function-public-access-prohibited.md
index da709bff2..7e01b435a 100644
--- a//config/latest/developerguide/lambda-function-public-access-prohibited.md
+++ b//config/latest/developerguide/lambda-function-public-access-prohibited.md
@@ -16,0 +17,4 @@ The rule is also `NON_COMPLIANT` if a Lambda function is invoked from Amazon S3,
+###### Note
+
+To be considered non-public, a Lambda resource-based policy must grant access only to fixed values. This means values that don't contain a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables).
+