AWS lambda documentation change
Summary
Added an example trust policy showing how to grant Lambda permission to assume an execution role by specifying the Lambda service principal (lambda.amazonaws.com).
Security assessment
This change adds documentation about IAM trust policies for Lambda execution roles, which is a security best practice. It clarifies the required trust relationship to ensure only the Lambda service can assume the role, but there is no evidence it addresses a specific security vulnerability or incident.
Diff
diff --git a/lambda/latest/dg/durable-security.md b/lambda/latest/dg/durable-security.md index a34933142..2e3e27ec5 100644 --- a//lambda/latest/dg/durable-security.md +++ b//lambda/latest/dg/durable-security.md @@ -31,0 +32,16 @@ When you create a durable function using the console, Lambda automatically adds +For Lambda to assume your execution role, the role's trust policy must specify the Lambda service principal (`lambda.amazonaws.com`) as a trusted service. The following example shows a trust policy that grants Lambda permission to assume the role. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + } +