AWS lambda documentation change
Summary
Added clarification about encryption handling for self-managed S3 code storage, specifying Lambda's encryption behavior.
Security assessment
Enhances documentation about encryption practices for S3-based deployments, improving understanding of security controls but not fixing vulnerabilities.
Diff
diff --git a/lambda/latest/dg/encrypt-zip-package.md b/lambda/latest/dg/encrypt-zip-package.md index 8a7c7e044..ccd65bf33 100644 --- a//lambda/latest/dg/encrypt-zip-package.md +++ b//lambda/latest/dg/encrypt-zip-package.md @@ -108,0 +109,4 @@ When `SourceKMSKeyArn` and `KMSKeyArn` are both specified, Lambda uses the `KMSK +###### Note + +For functions and layers that use [self-managed S3 code storage](./configuration-self-managed-storage.html), Lambda does not store a copy of your source code. Your code remains in your S3 bucket, and encryption at rest for your source code is managed by your S3 bucket configuration. Lambda will use `KMSKeyArn` to encrypt the unzipped version of the package that Lambda uses to invoke the function. For more information, see [Protecting data with server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html) in the _Amazon Simple Storage Service User Guide_. +