AWS Security ChangesHomeSearch

AWS lambda documentation change

Service: lambda · 2026-07-10 · Documentation low

File: lambda/latest/dg/encrypt-zip-package.md

Summary

Minor wording update and added documentation for 'DurableConfig.KMSKeyArn' parameter to encrypt durable execution data separately from function-level encryption.

Security assessment

New parameter documentation enables granular encryption control but shows no evidence of remediating a security flaw.

Diff

diff --git a/lambda/latest/dg/encrypt-zip-package.md b/lambda/latest/dg/encrypt-zip-package.md
index ccd65bf33..6d07ca833 100644
--- a//lambda/latest/dg/encrypt-zip-package.md
+++ b//lambda/latest/dg/encrypt-zip-package.md
@@ -11 +11 @@ Step 1: Create a customer managed keyStep 2: Use a customer managed key with Lam
-Lambda always provides server-side encryption at rest for .zip deployment packages and function configuration details with an AWS KMS key. By default, Lambda uses an [AWS owned key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk). If this default behavior suits your workflow, you don't need to set up anything else. AWS doesn't charge you to use this key.
+AWS Lambda always provides server-side encryption at rest for .zip deployment packages and function configuration details with an AWS KMS key. By default, Lambda uses an [AWS owned key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk). If this default behavior suits your workflow, you don't need to set up anything else. AWS doesn't charge you to use this key.
@@ -103,0 +104,2 @@ Use the following API parameters to configure customer managed keys for .zip dep
+  * [DurableConfig.KMSKeyArn](https://docs.aws.amazon.com/lambda/latest/api/API_DurableConfig.html): Encrypts [durable execution data](./durable-encryption.html). This key is independent of the function-level `KMSKeyArn`.
+