AWS Security ChangesHomeSearch

AWS AmazonElastiCache high security documentation change

Service: AmazonElastiCache · 2026-06-07 · Security-related high

File: AmazonElastiCache/latest/dg/LambdaRedis.md

Summary

Updated IAM trust policy to restrict Lambda service assumption, added mandatory IAM authentication requirements, and reconfigured user creation steps for secure access.

Security assessment

The change tightens IAM policies (from wildcard resources to explicit Lambda service principal) and mandates IAM authentication configuration to prevent unauthorized access. The added warning emphasizes that missing this configuration causes connection failures, addressing potential authentication vulnerabilities.

Diff

diff --git a/AmazonElastiCache/latest/dg/LambdaRedis.md b/AmazonElastiCache/latest/dg/LambdaRedis.md
index 31e63a1f1..8ffbbf1eb 100644
--- a//AmazonElastiCache/latest/dg/LambdaRedis.md
+++ b//AmazonElastiCache/latest/dg/LambdaRedis.md
@@ -54,7 +54 @@ Copy the Endpoint Address shown in the output. You'll need this address when you
-  1. Create an IAM trust policy document, as shown below, for your role that allows your account to assume the new role. Save the policy to a file named _trust-policy.json_.
-
-JSON
-    
-
-****
-    
+  1. Create an IAM trust policy document, as shown below, for your role that allows the Lambda service to assume the new role. Save the policy to a file named _trust-policy.json_.
@@ -66,7 +60,2 @@ JSON
-            "Action": "sts:AssumeRole",
-            "Resource": "arn:aws:iam::*:role/*"
-        },
-        {
-          "Effect": "Allow",
-          "Action": "sts:AssumeRole",
-          "Resource": "arn:aws:iam::*:role/*"
+            "Principal": {"Service": "lambda.amazonaws.com"},
+            "Action": "sts:AssumeRole"
@@ -123 +111,5 @@ JSON
-### Step 1.4: Create a default user
+### Step 1.4: Configure IAM authentication
+
+###### Important
+
+This step is required. Your Lambda function authenticates to ElastiCache using IAM. For this to work, you must create an IAM-enabled ElastiCache user, add it to a user group, and associate that user group with your cache. Without this configuration, connection attempts from Lambda will fail.
@@ -125 +117 @@ JSON
-  1. Create a new default user.
+  1. Create a default user with access disabled. Every user group requires a default user. By disabling access on this user, you ensure that only explicitly configured IAM users can connect.
@@ -134 +126 @@ JSON
-  2. Create a new IAM-enabled user.
+  2. Create an IAM-enabled user. This is the user identity that your Lambda function will authenticate as.
@@ -143 +135 @@ JSON
-  3. Create a user group and attach the user.
+  3. Create a user group, add both users to it, and associate the group with your cache.