AWS connect documentation change
Summary
Added resource-based policy guidance and example for Lambda function permissions with security best practices
Security assessment
The change adds documentation about securing Lambda functions through resource-based policies with explicit source account/ARN conditions. While this enhances security documentation, it doesn't address a specific vulnerability but rather provides general security guidance.
Diff
diff --git a/connect/latest/adminguide/lambda-invoke-functions.md b/connect/latest/adminguide/lambda-invoke-functions.md index 745459cb5..a2bbfa24c 100644 --- a//connect/latest/adminguide/lambda-invoke-functions.md +++ b//connect/latest/adminguide/lambda-invoke-functions.md @@ -210,0 +211,30 @@ Your Lambda function must return a JSON response with the following structure: +###### Important + +The preceding console procedure automatically adds the required resource-based policy to the Lambda function. If you use the AWS CLI or SDK, you can call the [PutConnectInstanceIntegration](https://docs.aws.amazon.com/connect/latest/APIReference/API_connect-outbound-campaigns-v2_PutConnectInstanceIntegration.html) API with the `lambda` integration configuration. This API automatically adds the required resource-based policy to your Lambda function, just as the console does. + +If you need to add the resource-based policy manually (for example, for cross-account invocations), add a policy statement that grants the `connect-campaigns.amazonaws.com` service principal permission to invoke your function. You can optionally add a `Condition` element with `AWS:SourceAccount` and `AWS:SourceArn` to restrict access to your account and Connect Customer instance. We recommend including both conditions. The following example shows the required policy statement. + + + { + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "connect-campaigns.amazonaws.com" + }, + "Action": "lambda:InvokeFunction", + "Resource": "arn:aws:lambda:region:account-id:function:function-name", + "Condition": { + "StringEquals": { + "AWS:SourceAccount": "account-id" + }, + "ArnLike": { + "AWS:SourceArn": "arn:aws:connect:region:account-id:instance/instance-id" + } + } + } + ] + } + +For more information about resource-based policies, see [Using resource-based policies for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html) in the _Lambda Developer Guide_. +