AWS transfer high security documentation change
Summary
Replaced policy description with explicit JSON example for Lambda resource policy
Security assessment
The concrete policy example explicitly limits Lambda invocation to Transfer Family and API Gateway services, preventing potential unauthorized access. Missing or incorrect resource policies could lead to privilege escalation vulnerabilities.
Diff
diff --git a/transfer/latest/userguide/configuring-servers-edit-custom-idp.md b/transfer/latest/userguide/configuring-servers-edit-custom-idp.md index 0da1c4f69..6a4226c4f 100644 --- a//transfer/latest/userguide/configuring-servers-edit-custom-idp.md +++ b//transfer/latest/userguide/configuring-servers-edit-custom-idp.md @@ -127 +127,19 @@ Example resource policy for direct Lambda integration: -This resource-based policy allows AWS Transfer Family and services to invoke a specified AWS Lambda function for identity provider operations. +**** + + + + { + "Version":"2012-10-17", + "Statement": [{ + "Effect": "Allow", + "Principal": { + "Service": [ + "transfer.amazonaws.com", + "apigateway.amazonaws.com" + ] + }, + "Action": "lambda:InvokeFunction", + "Resource": "arn:aws:lambda:us-east-1:123456789012:function:function-name" + }] + } +