AWS apigateway documentation change
Summary
Added clarification about cached policy documents when using Lambda authorizers with caching
Security assessment
The change highlights caching behavior that could lead to stale authorization policies being used, but does not indicate a specific vulnerability being patched. It improves security documentation by raising awareness of caching implications.
Diff
diff --git a/apigateway/latest/developerguide/apigateway-authorization-flow.md b/apigateway/latest/developerguide/apigateway-authorization-flow.md index ac1b7f7ae..ae8bfe3c3 100644 --- a//apigateway/latest/developerguide/apigateway-authorization-flow.md +++ b//apigateway/latest/developerguide/apigateway-authorization-flow.md @@ -61 +61 @@ JSON -In this workflow, a Lambda authorizer is configured for the API in addition to a resource policy. The resource policy is evaluated in two phases. Before calling the Lambda authorizer, API Gateway first evaluates the policy and checks for any explicit denials. If found, the caller is denied access immediately. Otherwise, the Lambda authorizer is called, and it returns a [policy document](./api-gateway-lambda-authorizer-output.html), which is evaluated in conjunction with the resource policy. The result is determined based on Table A. +In this workflow, a Lambda authorizer is configured for the API in addition to a resource policy. The resource policy is evaluated in two phases. Before calling the Lambda authorizer, API Gateway first evaluates the policy and checks for any explicit denials. If found, the caller is denied access immediately. Otherwise, the Lambda authorizer is called, and it returns a [policy document](./api-gateway-lambda-authorizer-output.html), which is evaluated in conjunction with the resource policy. If your authorizer uses caching, API Gateway might return the cached policy document. The result is determined based on Table A.