AWS Security ChangesHomeSearch

AWS lambda documentation change

Service: lambda · 2026-07-01 · Documentation low

File: lambda/latest/dg/encrypt-zip-package.md

Summary

Added clarification about encryption handling for self-managed S3 code storage, specifying Lambda's encryption behavior.

Security assessment

Enhances documentation about encryption practices for S3-based deployments, improving understanding of security controls but not fixing vulnerabilities.

Diff

diff --git a/lambda/latest/dg/encrypt-zip-package.md b/lambda/latest/dg/encrypt-zip-package.md
index 8a7c7e044..ccd65bf33 100644
--- a//lambda/latest/dg/encrypt-zip-package.md
+++ b//lambda/latest/dg/encrypt-zip-package.md
@@ -108,0 +109,4 @@ When `SourceKMSKeyArn` and `KMSKeyArn` are both specified, Lambda uses the `KMSK
+###### Note
+
+For functions and layers that use [self-managed S3 code storage](./configuration-self-managed-storage.html), Lambda does not store a copy of your source code. Your code remains in your S3 bucket, and encryption at rest for your source code is managed by your S3 bucket configuration. Lambda will use `KMSKeyArn` to encrypt the unzipped version of the package that Lambda uses to invoke the function. For more information, see [Protecting data with server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html) in the _Amazon Simple Storage Service User Guide_.
+