AWS lambda documentation change
Summary
Minor wording update and added documentation for 'DurableConfig.KMSKeyArn' parameter to encrypt durable execution data separately from function-level encryption.
Security assessment
New parameter documentation enables granular encryption control but shows no evidence of remediating a security flaw.
Diff
diff --git a/lambda/latest/dg/encrypt-zip-package.md b/lambda/latest/dg/encrypt-zip-package.md index ccd65bf33..6d07ca833 100644 --- a//lambda/latest/dg/encrypt-zip-package.md +++ b//lambda/latest/dg/encrypt-zip-package.md @@ -11 +11 @@ Step 1: Create a customer managed keyStep 2: Use a customer managed key with Lam -Lambda always provides server-side encryption at rest for .zip deployment packages and function configuration details with an AWS KMS key. By default, Lambda uses an [AWS owned key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk). If this default behavior suits your workflow, you don't need to set up anything else. AWS doesn't charge you to use this key. +AWS Lambda always provides server-side encryption at rest for .zip deployment packages and function configuration details with an AWS KMS key. By default, Lambda uses an [AWS owned key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk). If this default behavior suits your workflow, you don't need to set up anything else. AWS doesn't charge you to use this key. @@ -103,0 +104,2 @@ Use the following API parameters to configure customer managed keys for .zip dep + * [DurableConfig.KMSKeyArn](https://docs.aws.amazon.com/lambda/latest/api/API_DurableConfig.html): Encrypts [durable execution data](./durable-encryption.html). This key is independent of the function-level `KMSKeyArn`. +