AWS Security ChangesHomeSearch

AWS transfer high security documentation change

Service: transfer · 2025-10-16 · Security-related high

File: transfer/latest/userguide/configuring-servers-edit-custom-idp.md

Summary

Replaced policy description with explicit JSON example for Lambda resource policy

Security assessment

The concrete policy example explicitly limits Lambda invocation to Transfer Family and API Gateway services, preventing potential unauthorized access. Missing or incorrect resource policies could lead to privilege escalation vulnerabilities.

Diff

diff --git a/transfer/latest/userguide/configuring-servers-edit-custom-idp.md b/transfer/latest/userguide/configuring-servers-edit-custom-idp.md
index 0da1c4f69..6a4226c4f 100644
--- a//transfer/latest/userguide/configuring-servers-edit-custom-idp.md
+++ b//transfer/latest/userguide/configuring-servers-edit-custom-idp.md
@@ -127 +127,19 @@ Example resource policy for direct Lambda integration:
-This resource-based policy allows AWS Transfer Family and services to invoke a specified AWS Lambda function for identity provider operations.
+****
+    
+    
+    
+    {
+       "Version":"2012-10-17",		 	 	 
+       "Statement": [{
+          "Effect": "Allow",
+          "Principal": {
+             "Service": [
+                "transfer.amazonaws.com",
+                "apigateway.amazonaws.com"
+             ]
+          },
+          "Action": "lambda:InvokeFunction",
+          "Resource": "arn:aws:lambda:us-east-1:123456789012:function:function-name"
+       }]
+    }
+