AWS AmazonCloudFront high security documentation change
Summary
Added lambda:InvokeFunction permission requirement for OAC with Lambda origins
Security assessment
Corrects required permissions for secure origin access control, addressing potential authorization gaps in Lambda function invocation security configuration.
Diff
diff --git a/AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.md b/AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.md index 6996670c2..8343af813 100644 --- a//AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.md +++ b//AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.md @@ -559 +559 @@ When you use a Lambda function URL as the origin for a CloudFront distribution, - * If you use origin access control (OAC), the `AuthType` parameter of the Lambda function URL must use the `AWS_IAM` value and allow the `lambda:InvokeFunctionUrl` permission in a resource-based policy. For more information about using Lambda function URLs for OAC, see [Restrict access to an AWS Lambda function URL origin](./private-content-restricting-access-to-lambda.html). + * If you use origin access control (OAC), the `AuthType` parameter of the Lambda function URL must use the `AWS_IAM` value and allow the `lambda:InvokeFunctionUrl` and `lambda:InvokeFunction` permissions in a resource-based policy. For more information about using Lambda function URLs for OAC, see [Restrict access to an AWS Lambda function URL origin](./private-content-restricting-access-to-lambda.html).