AWS Security ChangesHomeSearch

AWS securityhub medium security documentation change

Service: securityhub · 2025-06-04 · Security-related medium

File: securityhub/latest/userguide/lambda-controls.md

Summary

Updated title and added note about Lambda policy condition restrictions for PASSED findings

Security assessment

The added note highlights security requirements for Lambda resource policies, specifically prohibiting wildcards/variables in conditions to prevent overpermissive access. This addresses potential privilege escalation risks.

Diff

diff --git a/securityhub/latest/userguide/lambda-controls.md b/securityhub/latest/userguide/lambda-controls.md
index 8fc905899..547d4a88f 100644
--- a//securityhub/latest/userguide/lambda-controls.md
+++ b//securityhub/latest/userguide/lambda-controls.md
@@ -7 +7 @@
-# Security Hub controls for Lambda
+# Security Hub controls for AWS Lambda
@@ -28,0 +29,4 @@ This control checks whether the Lambda function resource-based policy prohibits
+###### Note
+
+This control doesn't evaluate policy conditions that use wildcard characters or variables. To produce a `PASSED` finding, conditions in the policy for the Lambda function must only use fixed values, which are values that don't contain wildcard characters or policy variables. For information about policy variables, see [Variables and tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html) in the _AWS Identity and Access Management User Guide_.
+