AWS Security ChangesHomeSearch

AWS AmazonCloudFront high security documentation change

Service: AmazonCloudFront · 2025-11-07 · Security-related high

File: AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.md

Summary

Added lambda:InvokeFunction permission requirement for OAC with Lambda origins

Security assessment

Corrects required permissions for secure origin access control, addressing potential authorization gaps in Lambda function invocation security configuration.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.md b/AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.md
index 6996670c2..8343af813 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.md
@@ -559 +559 @@ When you use a Lambda function URL as the origin for a CloudFront distribution,
-  * If you use origin access control (OAC), the `AuthType` parameter of the Lambda function URL must use the `AWS_IAM` value and allow the `lambda:InvokeFunctionUrl` permission in a resource-based policy. For more information about using Lambda function URLs for OAC, see [Restrict access to an AWS Lambda function URL origin](./private-content-restricting-access-to-lambda.html).
+  * If you use origin access control (OAC), the `AuthType` parameter of the Lambda function URL must use the `AWS_IAM` value and allow the `lambda:InvokeFunctionUrl` and `lambda:InvokeFunction` permissions in a resource-based policy. For more information about using Lambda function URLs for OAC, see [Restrict access to an AWS Lambda function URL origin](./private-content-restricting-access-to-lambda.html).