AWS Security ChangesHomeSearch

AWS AWSCloudFormation medium security documentation change

Service: AWSCloudFormation · 2025-10-13 · Security-related medium

File: AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-permission.md

Summary

Added FunctionUrlAuthContext property and updated links to Lambda URL security documentation

Security assessment

New FunctionUrlAuthContext property restricts invocation sources to function URLs only, addressing potential unauthorized invocation methods. This change introduces explicit security controls for function access patterns.

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-permission.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-permission.md
index 064e2a6d7..1aab8e65e 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-permission.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-permission.md
@@ -13 +13 @@ To grant permission to another account, specify the account ID as the `Principal
-If your function has a function URL, you can specify the `FunctionUrlAuthType` parameter. This adds a condition to your permission that only applies when your function URL's `AuthType` matches the specified `FunctionUrlAuthType`. For more information about the `AuthType` parameter, see [ Security and auth model for Lambda function URLs](https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html).
+If your function has a function URL, you can specify the `FunctionUrlAuthType` parameter. This adds a condition to your permission that only applies when your function URL's `AuthType` matches the specified `FunctionUrlAuthType`. For more information about the `AuthType` parameter, see [Control access to Lambda function URLs](https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html).
@@ -125 +125 @@ _Minimum_ : `1`
-The type of authentication that your function URL uses. Set to `AWS_IAM` if you want to restrict access to authenticated users only. Set to `NONE` if you want to bypass IAM authentication to create a public endpoint. For more information, see [Security and auth model for Lambda function URLs](https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html).
+The type of authentication that your function URL uses. Set to `AWS_IAM` if you want to restrict access to authenticated users only. Set to `NONE` if you want to bypass IAM authentication to create a public endpoint. For more information, see [Control access to Lambda function URLs](https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html).
@@ -138 +138 @@ _Required_ : No
-Property description not available.
+Restricts the `lambda:InvokeFunction` action to calls coming from a function URL. When set to `true`, this prevents the principal from invoking the function by any means other than the function URL. For more information, see [Control access to Lambda function URLs](https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html).