AWS lambda high security documentation change
Summary
Added requirement for `lambda:InvokeFunction` permission alongside `lambda:InvokeFunctionUrl` to invoke function URLs.
Security assessment
The change explicitly adds a new required permission (`lambda:InvokeFunction`), tightening access control for function URL invocations. This suggests a potential prior misconfiguration where unauthorized users could invoke functions without full permissions, addressing a security gap.
Diff
diff --git a/lambda/latest/dg/urls-invocation.md b/lambda/latest/dg/urls-invocation.md index a6ff66380..efb118d0c 100644 --- a//lambda/latest/dg/urls-invocation.md +++ b//lambda/latest/dg/urls-invocation.md @@ -24 +24 @@ Function URLs are not supported in the following AWS Regions: Asia Pacific (Hyde -Function URLs are dual stack-enabled, supporting IPv4 and IPv6. After configuring your function URL, you can invoke your function through its HTTP(S) endpoint via a web browser, curl, Postman, or any HTTP client. To invoke a function URL, you must have `lambda:InvokeFunctionUrl` permissions. For more information, see [Access control](./urls-auth.html). +Function URLs are dual stack-enabled, supporting IPv4 and IPv6. After configuring your function URL, you can invoke your function through its HTTP(S) endpoint via a web browser, curl, Postman, or any HTTP client. To invoke a function URL, you must have `lambda:InvokeFunctionUrl` and `lambda:InvokeFunction` permissions. For more information, see [Access control](./urls-auth.html).