AWS Security ChangesHomeSearch

AWS lambda documentation change

Service: lambda · 2026-02-28 · Documentation low

File: lambda/latest/dg/lambda-intro-execution-role.md

Summary

Updated documentation about configuring Lambda execution roles in the console, including steps to create/select roles directly in Lambda interface rather than IAM console. Added UI-specific instructions like 'Create default role' and 'Use another role' options.

Security assessment

The changes emphasize using AWS-managed policies and proper role configuration, promoting security best practices like least-privilege permissions. However, there is no evidence of addressing a specific security vulnerability - this is a procedural documentation update about role management workflows.

Diff

diff --git a/lambda/latest/dg/lambda-intro-execution-role.md b/lambda/latest/dg/lambda-intro-execution-role.md
index 1345459e1..c5db03f36 100644
--- a//lambda/latest/dg/lambda-intro-execution-role.md
+++ b//lambda/latest/dg/lambda-intro-execution-role.md
@@ -34 +34 @@ In order for Lambda to properly assume your execution role, the role's trust pol
-By default, Lambda creates an execution role with minimal permissions when you [create a function in the Lambda console](./getting-started.html#getting-started-create-function). Specifically, this execution role includes the [`AWSLambdaBasicExecutionRole` managed policy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSLambdaBasicExecutionRole.html), which gives your function basic permissions to log events to Amazon CloudWatch Logs.
+By default, Lambda creates an execution role with minimal permissions when you [create a function in the Lambda console](./getting-started.html#getting-started-create-function). Specifically, this execution role includes the [`AWSLambdaBasicExecutionRole` managed policy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSLambdaBasicExecutionRole.html), which gives your function basic permissions to log events to Amazon CloudWatch Logs. You can select **Create default role** in the **Permissions** section.
@@ -36 +36 @@ By default, Lambda creates an execution role with minimal permissions when you [
-Your functions typically need additional permissions to perform more meaningful tasks. For example, you might have a Lambda function that responds to an event by updating entries in an Amazon DynamoDB database. You can create an execution role with the necessary permissions using the IAM console.
+You can choose an existing role by selecting **Use another role** in the **Permissions** section. If your Lambda function needs additional permissions to perform tasks such as updating entries in an Amazon DynamoDB database in response to events, you can create a custom execution role with the necessary permissions. To do this, select **Use another role** in the **Permissions** section, which opens a drawer where you can customize your permissions.
@@ -38 +38 @@ Your functions typically need additional permissions to perform more meaningful
-###### To create an execution role in the IAM console
+###### To configure an execution role from Console
@@ -40 +40 @@ Your functions typically need additional permissions to perform more meaningful
-  1. Open the [Roles page](https://console.aws.amazon.com/iam/home#/roles) in the IAM console.
+  1. Enter a **role name** in the Role details section.
@@ -42 +42 @@ Your functions typically need additional permissions to perform more meaningful
-  2. Choose **Create role**.
+  2. In the **Policy** section, select **Use existing policy**.
@@ -44 +44 @@ Your functions typically need additional permissions to perform more meaningful
-  3. Under **Trusted entity type** , choose **AWS service**.
+  3. Select the AWS managed policies that you want to attach to your role. For example, if your function needs to access DynamoDB, select the **AWSLambdaDynamoDBExecutionRole** managed policy.
@@ -46 +46 @@ Your functions typically need additional permissions to perform more meaningful
-  4. Under **Use case** , choose **Lambda**.
+  4. Choose **Create role**.
@@ -48 +47,0 @@ Your functions typically need additional permissions to perform more meaningful
-  5. Choose **Next**.
@@ -50 +48,0 @@ Your functions typically need additional permissions to perform more meaningful
-  6. Select the AWS managed policies that you want to attach to your role. For example, if your function needs to access DynamoDB, select the **AWSLambdaDynamoDBExecutionRole** managed policy.
@@ -52 +49,0 @@ Your functions typically need additional permissions to perform more meaningful
-  7. Choose **Next**.
@@ -54,8 +51 @@ Your functions typically need additional permissions to perform more meaningful
-  8. Enter a **Role name** and then choose **Create role**.
-
-
-
-
-For detailed instructions, see [Creating a role for an AWS service (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html#roles-creatingrole-service-console) in the _IAM User Guide_.
-
-After you create your execution role, attach it to your function. When you [create a function in the Lambda console](./getting-started.html#getting-started-create-function), you can attach any execution role that you previously created to the function. If you want to attach a new execution role to an existing function, follow the steps in [Updating a function's execution role](./permissions-executionrole-update.html#update-execution-role).
+Alternatively, when you [create a function in the Lambda console](https://docs.aws.amazon.com/lambda/latest/dg/getting-started.html#getting-started-create-function), you can attach any execution role that you previously created to the function. If you want to attach a new execution role to an existing function, follow the steps in [Updating a function's execution role](./permissions-executionrole-update.html).