AWS lambda medium security documentation change
Summary
Updated authentication documentation with expanded security permissions requirements for MSK integrations. Added schema registry authentication details, clarified secret management, and enhanced IAM permission explanations.
Security assessment
The changes explicitly document required security controls including SCRAM secret access, mTLS certificate retrieval, KMS decryption for encrypted filters, and schema registry authentication methods. Added details about Secrets Manager permissions and certificate validation for private CAs demonstrate security-focused configuration guidance. These changes help prevent misconfigurations that could lead to unauthorized access or data exposure.
Diff
diff --git a/lambda/latest/dg/with-msk-permissions.md b/lambda/latest/dg/with-msk-permissions.md index db791e01b..b657c62eb 100644 --- a//lambda/latest/dg/with-msk-permissions.md +++ b//lambda/latest/dg/with-msk-permissions.md @@ -87 +87 @@ Your Lambda function might also need permissions to: - * Access your SCRAM secret, if you're using [SASL/SCRAM authentication](./with-msk-configure.html#msk-sasl-scram). + * Access your SCRAM secret, if you're using [SASL/SCRAM authentication](./msk-cluster-auth.html#msk-sasl-scram). This lets your function use a username and password to connect to Kafka. @@ -89 +89 @@ Your Lambda function might also need permissions to: - * Describe your Secrets Manager secret, if you're using SASL/SCRAM or [mTLS authentication](./with-msk-configure.html#msk-mtls). + * Describe your Secrets Manager secret, if you're using SASL/SCRAM or [mTLS authentication](./msk-cluster-auth.html#msk-mtls). This allows your function to retrieve the credentials or certificates needed for secure connections. @@ -91 +91,9 @@ Your Lambda function might also need permissions to: - * Access your AWS KMS customer-managed key, if you want to [encrypt your filter criteria](./invocation-eventfiltering.html). + * Access your AWS KMS customer-managed key, if you want to [encrypt your filter criteria](./invocation-eventfiltering.html). This helps keep your message filtering rules secret. + + * Access your schema registry secrets, if you're using a schema registry with authentication: + + * For AWS Glue Schema Registry: Your function needs `glue:GetRegistry` and `glue:GetSchemaVersion` permissions. These allow your function to look up and use the message format rules stored in AWS Glue. + + * For [Confluent Schema Registry](https://docs.confluent.io/platform/current/schema-registry/security/index.html) with `BASIC_AUTH` or `CLIENT_CERTIFICATE_TLS_AUTH`: Your function needs `secretsmanager:GetSecretValue` permission for the secret containing the authentication credentials. This lets your function retrieve the username/password or certificates needed to access the Confluent Schema Registry. + + * For private CA certificates: Your function needs secretsmanager:GetSecretValue permission for the secret containing the certificate. This allows your function to verify the identity of schema registries that use custom certificates. @@ -98 +106,5 @@ These correspond to the following required permissions: - * [kafka:ListScramSecrets](https://docs.aws.amazon.com/MSK/latest/APIReference/API_ListScramSecrets.html) + * [kafka:ListScramSecrets](https://docs.aws.amazon.com/MSK/latest/APIReference/API_ListScramSecrets.html) \- Allows listing of SCRAM secrets for Kafka authentication + + * [secretsmanager:GetSecretValue](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html) \- Enables retrieval of secrets from Secrets Manager + + * [kms:Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) \- Permits decryption of encrypted data using AWS KMS @@ -100 +112 @@ These correspond to the following required permissions: - * [secretsmanager:GetSecretValue](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html) + * [glue:GetRegistry](https://docs.aws.amazon.com/glue/latest/webapi/API_GetRegistry.html) \- Allows access to AWS Glue Schema Registry @@ -102 +114 @@ These correspond to the following required permissions: - * [kms:Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) + * [glue:GetSchemaVersion](https://docs.aws.amazon.com/glue/latest/webapi/API_GetSchemaVersion.html) \- Enables retrieval of specific schema versions from AWS Glue Schema Registry @@ -109 +121 @@ Additionally, if you want to send records of failed invocations to an on-failure - * For Amazon SQS destinations: [sqs:SendMessage](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessage.html) + * For Amazon SQS destinations: [sqs:SendMessage](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessage.html) \- Allows sending messages to an Amazon SQS queue @@ -111 +123 @@ Additionally, if you want to send records of failed invocations to an on-failure - * For Amazon SNS destinations: [sns:Publish](https://docs.aws.amazon.com/sns/latest/api/API_Publish.html) + * For Amazon SNS destinations: [sns:Publish](https://docs.aws.amazon.com/sns/latest/api/API_Publish.html) \- Permits publishing messages to an Amazon SNS topic @@ -113 +125 @@ Additionally, if you want to send records of failed invocations to an on-failure - * For Amazon S3 bucket destinations: [s3:PutObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html) and [s3:ListBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBucket.html) + * For Amazon S3 bucket destinations: [s3:PutObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html) and [s3:ListBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBucket.html) \- Enables writing and listing objects in an Amazon S3 bucket @@ -120 +132 @@ Additionally, if you want to send records of failed invocations to an on-failure -If any of the permissions required to consume data from the Amazon MSK cluster are missing, Lambda displays one of the following error messages in the event source mapping under **LastProcessingResult**. For more information about each supported authentication method, see [Configuring cluster authentication methods](./with-msk-configure.html#msk-cluster-auth). +If any of the permissions required to consume data from the Amazon MSK cluster are missing, Lambda displays one of the following error messages in the event source mapping under **LastProcessingResult**. For more information about each supported authentication method, see [Configuring cluster authentication methods in Lambda](./msk-cluster-auth.html). @@ -181 +193 @@ This error indicates that the Amazon MSK Kafka brokers failed to authenticate wi -This error indicates that the Amazon MSK consumer couldn't use the provided certificate or private key. Make sure that the certificate and key use PEM format, and that the private key encryption uses a PBES1 algorithm. See [Configuring the mTLS secret](./with-msk-configure.html#mtls-auth-secret) for more information. +This error indicates that the Amazon MSK consumer couldn't use the provided certificate or private key. Make sure that the certificate and key use PEM format, and that the private key encryption uses a PBES1 algorithm. See [Configuring the mTLS secret](./msk-cluster-auth.html#mtls-auth-secret) for more information. @@ -189 +201 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Configure event source +event source configuration parameters