AWS lambda documentation change
Summary
Expanded documentation to list configuration changes that trigger Lambda version publication and clarify version immutability
Security assessment
This is a functional documentation update about versioning mechanics. While versioning supports auditability (a security-adjacent concern), there is no direct evidence of a security issue being addressed.
Diff
diff --git a/lambda/latest/dg/configuration-versions.md b/lambda/latest/dg/configuration-versions.md index 15d85e730..8e98501cf 100644 --- a//lambda/latest/dg/configuration-versions.md +++ b//lambda/latest/dg/configuration-versions.md @@ -106,0 +107,2 @@ If you decide not to publish function versions, you can invoke the function usin +The qualified ARN for each Lambda function version is unique. After you publish a version, you can't change the ARN or the function code. + @@ -109 +111,42 @@ Lambda publishes a new function version only if the code has never been publishe -The qualified ARN for each Lambda function version is unique. After you publish a version, you can't change the ARN or the function code. +When you publish a version, Lambda creates an immutable snapshot of your function's code and configuration. Not all configuration changes trigger the publication of a new version. The following configuration changes qualify a function for version publication: + + * Function code + + * Environment variables + + * Runtime + + * Handler + + * Layers + + * Memory size + + * Timeout + + * VPC configuration + + * Dead Letter Queue (DLQ) configuration + + * IAM role + + * Description + + * Architecture (x86_64 or arm64) + + * Ephemeral storage size + + * Package type + + * Logging configuration + + * File system configuration + + * SnapStart + + * Tracing configuration + + + + +Operational settings such as [reserved concurrency](./configuration-concurrency.html) don't trigger the publication of a new version when changed.