AWS amazondynamodb documentation change
Summary
Added cross-account Lambda trigger support documentation with resource-based policy guidance.
Security assessment
Documents secure cross-account access configuration using resource-based policies. While not fixing a vulnerability, it adds security-relevant documentation for access control.
Diff
diff --git a/amazondynamodb/latest/developerguide/Streams.Lambda.md b/amazondynamodb/latest/developerguide/Streams.Lambda.md index 41cf8a553..2411d0f85 100644 --- a//amazondynamodb/latest/developerguide/Streams.Lambda.md +++ b//amazondynamodb/latest/developerguide/Streams.Lambda.md @@ -34 +34 @@ As performance best practices, the Lambda function needs to be short lived. To a -You cannot use the same Lambda trigger across different AWS accounts. Both the DynamoDB table and the Lambda functions must belong to the same AWS account. +You can use Lambda triggers across different AWS accounts by configuring a resource-based policy on the DynamoDB stream to grant the cross-account read access to Lambda function. To learn more about how to configure your stream to allow cross-account access, see [Share access with cross-account AWS Lambda functions](./rbac-cross-account-access.html#shared-access-cross-acount-lambda) in the DynamoDB Developer Guide.