AWS Security ChangesHomeSearch

AWS connect documentation change

Service: connect · 2026-06-19 · Documentation high

File: connect/latest/adminguide/lambda-invoke-functions.md

Summary

Added resource-based policy guidance and example for Lambda function permissions with security best practices

Security assessment

The change adds documentation about securing Lambda functions through resource-based policies with explicit source account/ARN conditions. While this enhances security documentation, it doesn't address a specific vulnerability but rather provides general security guidance.

Diff

diff --git a/connect/latest/adminguide/lambda-invoke-functions.md b/connect/latest/adminguide/lambda-invoke-functions.md
index 745459cb5..a2bbfa24c 100644
--- a//connect/latest/adminguide/lambda-invoke-functions.md
+++ b//connect/latest/adminguide/lambda-invoke-functions.md
@@ -210,0 +211,30 @@ Your Lambda function must return a JSON response with the following structure:
+###### Important
+
+The preceding console procedure automatically adds the required resource-based policy to the Lambda function. If you use the AWS CLI or SDK, you can call the [PutConnectInstanceIntegration](https://docs.aws.amazon.com/connect/latest/APIReference/API_connect-outbound-campaigns-v2_PutConnectInstanceIntegration.html) API with the `lambda` integration configuration. This API automatically adds the required resource-based policy to your Lambda function, just as the console does.
+
+If you need to add the resource-based policy manually (for example, for cross-account invocations), add a policy statement that grants the `connect-campaigns.amazonaws.com` service principal permission to invoke your function. You can optionally add a `Condition` element with `AWS:SourceAccount` and `AWS:SourceArn` to restrict access to your account and Connect Customer instance. We recommend including both conditions. The following example shows the required policy statement.
+    
+    
+    {
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Principal": {
+            "Service": "connect-campaigns.amazonaws.com"
+          },
+          "Action": "lambda:InvokeFunction",
+          "Resource": "arn:aws:lambda:region:account-id:function:function-name",
+          "Condition": {
+            "StringEquals": {
+              "AWS:SourceAccount": "account-id"
+            },
+            "ArnLike": {
+              "AWS:SourceArn": "arn:aws:connect:region:account-id:instance/instance-id"
+            }
+          }
+        }
+      ]
+    }
+
+For more information about resource-based policies, see [Using resource-based policies for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html) in the _Lambda Developer Guide_.
+