AWS Security ChangesHomeSearch

AWS lambda high security documentation change

Service: lambda · 2025-10-13 · Security-related high

File: lambda/latest/dg/urls-invocation.md

Summary

Added requirement for `lambda:InvokeFunction` permission alongside `lambda:InvokeFunctionUrl` to invoke function URLs.

Security assessment

The change explicitly adds a new required permission (`lambda:InvokeFunction`), tightening access control for function URL invocations. This suggests a potential prior misconfiguration where unauthorized users could invoke functions without full permissions, addressing a security gap.

Diff

diff --git a/lambda/latest/dg/urls-invocation.md b/lambda/latest/dg/urls-invocation.md
index a6ff66380..efb118d0c 100644
--- a//lambda/latest/dg/urls-invocation.md
+++ b//lambda/latest/dg/urls-invocation.md
@@ -24 +24 @@ Function URLs are not supported in the following AWS Regions: Asia Pacific (Hyde
-Function URLs are dual stack-enabled, supporting IPv4 and IPv6. After configuring your function URL, you can invoke your function through its HTTP(S) endpoint via a web browser, curl, Postman, or any HTTP client. To invoke a function URL, you must have `lambda:InvokeFunctionUrl` permissions. For more information, see [Access control](./urls-auth.html).
+Function URLs are dual stack-enabled, supporting IPv4 and IPv6. After configuring your function URL, you can invoke your function through its HTTP(S) endpoint via a web browser, curl, Postman, or any HTTP client. To invoke a function URL, you must have `lambda:InvokeFunctionUrl` and `lambda:InvokeFunction` permissions. For more information, see [Access control](./urls-auth.html).