AWS securityhub medium security documentation change
Summary
Updated title and added note about Lambda policy condition restrictions for PASSED findings
Security assessment
The added note highlights security requirements for Lambda resource policies, specifically prohibiting wildcards/variables in conditions to prevent overpermissive access. This addresses potential privilege escalation risks.
Diff
diff --git a/securityhub/latest/userguide/lambda-controls.md b/securityhub/latest/userguide/lambda-controls.md index 8fc905899..547d4a88f 100644 --- a//securityhub/latest/userguide/lambda-controls.md +++ b//securityhub/latest/userguide/lambda-controls.md @@ -7 +7 @@ -# Security Hub controls for Lambda +# Security Hub controls for AWS Lambda @@ -28,0 +29,4 @@ This control checks whether the Lambda function resource-based policy prohibits +###### Note + +This control doesn't evaluate policy conditions that use wildcard characters or variables. To produce a `PASSED` finding, conditions in the policy for the Lambda function must only use fixed values, which are values that don't contain wildcard characters or policy variables. For information about policy variables, see [Variables and tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html) in the _AWS Identity and Access Management User Guide_. +