AWS AmazonCloudFront high security documentation change
Summary
Added AWS CLI command for lambda:InvokeFunction permission in resource-based policy
Security assessment
Fixes incomplete permission configuration documentation that could lead to authorization failures or insecure access patterns for CloudFront-Lambda integration.
Diff
diff --git a/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.md b/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.md index 9b011fed6..52d9136bc 100644 --- a//AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.md +++ b//AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.md @@ -57 +57 @@ The following AWS CLI command grants the CloudFront service principal (`cloudfro -The following AWS CLI command allows the CloudFront distribution (``E1PDK09ESKHJWT``) access your Lambda ``FUNCTION_URL_NAME``. +The following AWS CLI commands allows the CloudFront distribution (``E1PDK09ESKHJWT``) access to your Lambda ``FUNCTION_URL_NAME``. @@ -66,0 +67,8 @@ The following AWS CLI command allows the CloudFront distribution (``E1PDK09ESKHJ + + aws lambda add-permission \ + --statement-id "AllowCloudFrontServicePrincipalInvokeFunction" \ + --action "lambda:InvokeFunction" \ + --principal "cloudfront.amazonaws.com" \ + --source-arn "arn:aws:cloudfront::123456789012:distribution/E1PDK09ESKHJWT" \ + --function-name FUNCTION_URL_NAME +