AWS Security ChangesHomeSearch

AWS security-lake documentation change

Service: security-lake · 2026-02-19 · Documentation low

File: security-lake/latest/userguide/security-iam-awsmanpol.md

Summary

Updated service-linked role documentation to include permission for deleting deprecated Lambda functions and added detailed permissions breakdown for SecurityLakeResourceManagementServiceRolePolicy

Security assessment

The change documents IAM policy updates including new lambda:DeleteFunction permission for cleanup of deprecated functions, but doesn't reference any specific vulnerability or security incident. It enhances security transparency by detailing permissions.

Diff

diff --git a/security-lake/latest/userguide/security-iam-awsmanpol.md b/security-lake/latest/userguide/security-iam-awsmanpol.md
index be0c4eafd..b3e95663b 100644
--- a//security-lake/latest/userguide/security-iam-awsmanpol.md
+++ b//security-lake/latest/userguide/security-iam-awsmanpol.md
@@ -141 +141 @@ You can't attach the `SecurityLakeServiceLinkedRole` managed policy to your IAM
-Security Lake uses the service-linked role named `AWSServiceRoleForSecurityLakeResourceManagement` to perform ongoing monitoring and performance improvements, which can reduce latency and costs.
+Security Lake uses the service-linked role named `AWSServiceRoleForSecurityLakeResourceManagement` to perform ongoing monitoring and performance improvements, which can reduce latency and costs. Provides access to manage resources created by Security Lake. Grants Security Lake the ability to delete SecurityLake_Glue_Partition_Updater_Lambda. This lambda has been deprecated for customers that have performed iceberg migration and moved on to v2 sources. This lambda was using Python 3.9 runtime which will be deprecated in December. Rather than updating the runtime for this lambda for those customers, it would be better to delete them. We have a recovery process that will determine if the customer still needs the lambda or not and delete them if they do not. This SLR update is required in order to allow us to delete that lambda.
@@ -144,0 +145,23 @@ You can't attach the `SecurityLakeResourceManagementServiceRolePolicy` managed p
+**Permissions details**
+
+This policy includes the following permissions.
+
+  * `events` – Allows principals to list and manage EventBridge rules for Security Lake event processing.
+
+  * `lambda` – Allows principals to manage Lambda functions and configurations for Security Lake metadata processing, including the ability to delete deprecated partition updater functions.
+
+  * `glue` – Allows principals to create partitions, manage tables, and access databases in the AWS Glue Data Catalog for Security Lake metadata management.
+
+  * `s3` – Allows principals to manage Amazon S3 bucket configurations, lifecycle policies, and metadata objects for Security Lake data lake operations.
+
+  * `logs` – Allows principals to access CloudWatch Logs streams and query log data for Security Lake Lambda functions.
+
+  * `sqs` – Allows principals to manage Amazon SQS queues and messages for Security Lake data processing workflows.
+
+  * `lakeformation` – Allows principals to retrieve data lake settings and permissions for Security Lake resource management.
+
+
+
+
+To view more details about the policy, including the latest version of the JSON policy document, see [SecurityLakeResourceManagementServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SecurityLakeResourceManagementServiceRolePolicy.html) in the _AWS Managed Policy Reference Guide_.
+
@@ -156,0 +180 @@ Change | Description | Date
+SecurityLakeResourceManagementServiceRolePolicy – Updated existing policy |  Security Lake updated the managed policy `SecurityLakeResourceManagementServiceRolePolicy` to add `lambda:DeleteFunction` permission for deprecated SecurityLake_Glue_Partition_Updater_Lambda functions. This allows Security Lake to clean up deprecated Lambda functions as part of the migration to v2 sources and iceberg format. |  November 18, 2025