AWS Security ChangesHomeSearch

AWS AmazonCloudFront high security documentation change

Service: AmazonCloudFront · 2025-11-07 · Security-related high

File: AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.md

Summary

Added AWS CLI command for lambda:InvokeFunction permission in resource-based policy

Security assessment

Fixes incomplete permission configuration documentation that could lead to authorization failures or insecure access patterns for CloudFront-Lambda integration.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.md b/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.md
index 9b011fed6..52d9136bc 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.md
@@ -57 +57 @@ The following AWS CLI command grants the CloudFront service principal (`cloudfro
-The following AWS CLI command allows the CloudFront distribution (``E1PDK09ESKHJWT``) access your Lambda ``FUNCTION_URL_NAME``.
+The following AWS CLI commands allows the CloudFront distribution (``E1PDK09ESKHJWT``) access to your Lambda ``FUNCTION_URL_NAME``.
@@ -66,0 +67,8 @@ The following AWS CLI command allows the CloudFront distribution (``E1PDK09ESKHJ
+    
+    aws lambda add-permission \
+    --statement-id "AllowCloudFrontServicePrincipalInvokeFunction" \
+    --action "lambda:InvokeFunction" \
+    --principal "cloudfront.amazonaws.com" \
+    --source-arn "arn:aws:cloudfront::123456789012:distribution/E1PDK09ESKHJWT" \
+    --function-name FUNCTION_URL_NAME
+