AWS lambda medium security documentation change
Summary
Updated IAM policy documentation for VPC access, clarified resource requirements for custom policies, and added JSON section breaks
Security assessment
The change explicitly requires allowing all resources ('Resource': '*') for critical EC2 actions like DescribeNetworkInterfaces and DeleteNetworkInterface in custom IAM policies. This addresses potential misconfigurations where overly restrictive policies could prevent Lambda from managing network interfaces, which might lead to resource leaks or function failures. However, there's no explicit mention of a security vulnerability being patched.
Diff
diff --git a/lambda/latest/dg/configuration-vpc.md b/lambda/latest/dg/configuration-vpc.md index 589b82bd1..278abc24c 100644 --- a//lambda/latest/dg/configuration-vpc.md +++ b//lambda/latest/dg/configuration-vpc.md @@ -42 +42 @@ The network interfaces that Lambda creates are known as Hyperplane Elastic Netwo -You can give your function the permissions it needs by attaching the AWS [managed policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) **AWSLambdaVPCAccessExecutionRole** to your function's execution role. When you create a new function in the Lambda console and attach it to a VPC, Lambda automatically adds this permissions policy for you. +You can give your function the permissions it needs by attaching the AWS managed policy [AWSLambdaVPCAccessExecutionRole](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSLambdaVPCAccessExecutionRole.html) to your function's execution role. When you create a new function in the Lambda console and attach it to a VPC, Lambda automatically adds this permissions policy for you. @@ -44 +44 @@ You can give your function the permissions it needs by attaching the AWS [manage -If you prefer to create your own IAM permissions policy, make sure to add all of the following permissions: +If you prefer to create your own IAM permissions policy, make sure to add all of the following permissions and allow them on all resources (`"Resource": "*"`): @@ -46 +46 @@ If you prefer to create your own IAM permissions policy, make sure to add all of - * **ec2:CreateNetworkInterface** + * ec2:CreateNetworkInterface @@ -48 +48 @@ If you prefer to create your own IAM permissions policy, make sure to add all of - * **ec2:DescribeNetworkInterfaces** – This action only works if it's allowed on all resources (`"Resource": "*"`). + * ec2:DescribeNetworkInterfaces @@ -50 +50 @@ If you prefer to create your own IAM permissions policy, make sure to add all of - * **ec2:DescribeSubnets** + * ec2:DescribeSubnets @@ -52 +52 @@ If you prefer to create your own IAM permissions policy, make sure to add all of - * **ec2:DeleteNetworkInterface** – If you don't specify a resource ID for **DeleteNetworkInterface** in the execution role, your function may not be able to access the VPC. Either specify a unique resource ID, or include all resource IDs, for example, `"Resource": "arn:aws:ec2:us-west-2:123456789012:*/*"`. + * ec2:DeleteNetworkInterface @@ -54 +54 @@ If you prefer to create your own IAM permissions policy, make sure to add all of - * **ec2:AssignPrivateIpAddresses** + * ec2:AssignPrivateIpAddresses @@ -56 +56 @@ If you prefer to create your own IAM permissions policy, make sure to add all of - * **ec2:UnassignPrivateIpAddresses** + * ec2:UnassignPrivateIpAddresses @@ -399,0 +400,6 @@ To deny users access to specific VPCs, use `StringEquals` to check the value of +JSON + + +**** + + @@ -463,0 +471,6 @@ To allow users to access specific VPCs, use `StringEquals` to check the value of +JSON + + +**** + +