Merge branch 'main' of https://github.com/jpascoe/aws-lambda-developer-guide

Author: jpascoe

doc_source/API_CreateEventSourceMapping.md

@@ -84,6 +84,7 @@ The maximum number of records in each batch that Lambda pulls from your stream o
 +  **Amazon Simple Queue Service** \- Default 10\. For standard queues the max is 10,000\. For FIFO queues the max is 10\.
 +  **Amazon Managed Streaming for Apache Kafka** \- Default 100\. Max 10,000\.
 +  **Self\-Managed Apache Kafka** \- Default 100\. Max 10,000\.
++  **Amazon MQ \(ActiveMQ and RabbitMQ\)** \- Default 100\. Max 10,000\.
 Type: Integer  
 Valid Range: Minimum value of 1\. Maximum value of 10000\.  
 Required: No

doc_source/API_CreateFunction.md

@@ -86,7 +86,7 @@ The request does not use any URI parameters\.
 The request accepts the following data in JSON format\.
 
  ** [ Architectures ](#API_CreateFunction_RequestSyntax) **   <a name="SSS-CreateFunction-request-Architectures"></a>
-The instruction set architecture that the function supports\. Enter a string array with one of the valid values\. The default value is `x86_64`\.  
+The instruction set architecture that the function supports\. Enter a string array with one of the valid values \(arm64 or x86\_64\)\. The default value is `x86_64`\.  
 Type: Array of strings  
 Array Members: Fixed number of 1 item\.  
 Valid Values:` x86_64 | arm64`   

doc_source/API_Invoke.md

@@ -65,7 +65,8 @@ Pattern: `(|[a-zA-Z0-9$_-]+)`
 The request accepts the following binary data\.
 
  ** [ Payload ](#API_Invoke_RequestSyntax) **   <a name="SSS-Invoke-request-Payload"></a>
-The JSON that you want to provide to your Lambda function as input\.
+The JSON that you want to provide to your Lambda function as input\.  
+You can enter the JSON directly\. For example, `--payload '{ "key": "value" }'`\. You can also specify a file path\. For example, `--payload file://payload.json`\. 
 
 ## Response Syntax<a name="API_Invoke_ResponseSyntax"></a>
 

doc_source/API_SourceAccessConfiguration.md

@@ -12,7 +12,7 @@ The type of authentication protocol, VPC components, or virtual host for your ev
 +  `VPC_SECURITY_GROUP` \- The VPC security group used to manage access to your self\-managed Apache Kafka brokers\.
 +  `SASL_SCRAM_256_AUTH` \- The Secrets Manager ARN of your secret key used for SASL SCRAM\-256 authentication of your self\-managed Apache Kafka brokers\.
 +  `SASL_SCRAM_512_AUTH` \- The Secrets Manager ARN of your secret key used for SASL SCRAM\-512 authentication of your self\-managed Apache Kafka brokers\.
-+  `VIRTUAL_HOST` \- \(Amazon MQ\) The name of the virtual host in your RabbitMQ broker\. Lambda uses this RabbitMQ host as the event source\.
++  `VIRTUAL_HOST` \- \(Amazon MQ\) The name of the virtual host in your RabbitMQ broker\. Lambda uses this RabbitMQ host as the event source\. This property cannot be specified in an UpdateEventSourceMapping API call\.
 Type: String  
 Valid Values:` BASIC_AUTH | VPC_SUBNET | VPC_SECURITY_GROUP | SASL_SCRAM_512_AUTH | SASL_SCRAM_256_AUTH | VIRTUAL_HOST`   
 Required: No

doc_source/API_UpdateEventSourceMapping.md

@@ -78,6 +78,7 @@ The maximum number of records in each batch that Lambda pulls from your stream o
 +  **Amazon Simple Queue Service** \- Default 10\. For standard queues the max is 10,000\. For FIFO queues the max is 10\.
 +  **Amazon Managed Streaming for Apache Kafka** \- Default 100\. Max 10,000\.
 +  **Self\-Managed Apache Kafka** \- Default 100\. Max 10,000\.
++  **Amazon MQ \(ActiveMQ and RabbitMQ\)** \- Default 100\. Max 10,000\.
 Type: Integer  
 Valid Range: Minimum value of 1\. Maximum value of 10000\.  
 Required: No

doc_source/API_UpdateFunctionCode.md

@@ -47,7 +47,7 @@ Required: Yes
 The request accepts the following data in JSON format\.
 
  ** [ Architectures ](#API_UpdateFunctionCode_RequestSyntax) **   <a name="SSS-UpdateFunctionCode-request-Architectures"></a>
-The instruction set architecture that the function supports\. Enter a string array with one of the valid values\. The default value is `x86_64`\.  
+The instruction set architecture that the function supports\. Enter a string array with one of the valid values \(arm64 or x86\_64\)\. The default value is `x86_64`\.  
 Type: Array of strings  
 Array Members: Fixed number of 1 item\.  
 Valid Values:` x86_64 | arm64`   

doc_source/configuration-envvars.md

@@ -217,7 +217,7 @@ Lambda always provides server\-side encryption at rest with an AWS KMS key\. By
 
 If you prefer, you can provide an AWS KMS customer managed key instead\. You might do this to have control over rotation of the KMS key or to meet the requirements of your organization for managing KMS keys\. When you use a customer managed key, only users in your account with access to the KMS key can view or manage environment variables on the function\.
 
-Customer managed keys incur standard AWS KMS charges\. For more information, see [AWS Key Management Service pricing](https://aws.amazon.com/kms/pricing/), in the *AWS KMS produt pages*\.
+Customer managed keys incur standard AWS KMS charges\. For more information, see [AWS Key Management Service pricing](https://aws.amazon.com/kms/pricing/), in the *AWS KMS product pages*\.
 
 **Security in transit**  
 For additional security, you can enable helpers for encryption in transit, which ensures that your environment variables are encrypted client\-side for protection in transit\.

doc_source/configuration-filesystem.md

@@ -3,39 +3,27 @@
 You can configure a function to mount an Amazon Elastic File System \(Amazon EFS\) file system to a local directory\. With Amazon EFS, your function code can access and modify shared resources safely and at high concurrency\.
 
 **Topics**
-+ [Connecting to a file system \(console\)](#configuration-filesystem-config)
-+ [Configuring a file system and access point](#configuration-filesystem-setup)
 + [Execution role and user permissions](#configuration-filesystem-permissions)
++ [Configuring a file system and access point](#configuration-filesystem-setup)
++ [Connecting to a file system \(console\)](#configuration-filesystem-config)
 + [Configuring file system access with the Lambda API](#configuration-filesystem-api)
 + [AWS CloudFormation and AWS SAM](#configuration-filesystem-cloudformation)
 + [Sample applications](#configuration-filesystem-samples)
 
-## Connecting to a file system \(console\)<a name="configuration-filesystem-config"></a>
-
-A function connects to a file system over the local network in a VPC\. The subnets that your function connects to can be the same subnets that contain mount points for your file system, or subnets in the same Availability Zone that can route NFS traffic \(port 2049\) to the file system\.
-
-**Note**  
-If your function is not already connected to a VPC, see [Configuring a Lambda function to access resources in a VPC](configuration-vpc.md)\.
-
-**To configure file system access**
-
-1. Open the [Functions page](https://console.aws.amazon.com/lambda/home#/functions) on the Lambda console\.
-
-1. Choose a function\.
+## Execution role and user permissions<a name="configuration-filesystem-permissions"></a>
 
-1. Choose **Configuration** and then choose **File systems**\.
+Lambda uses your function's permissions to mount file systems\. To connect to a file system, your function's execution role must have the following permissions in addition to the [permissions required to connect to the file system's VPC](configuration-vpc.md#vpc-permissions):
 
-1. Under **File system**, choose **Add file system**\.
+**Execution role permissions**
++ **elasticfilesystem:ClientMount**
++ **elasticfilesystem:ClientWrite \(not required for read\-only connections\)**
 
-1. Configure the following properties:
-   + **EFS file system** – The access point for a file system in the same VPC\.
-   + **Local mount path** – The location where the file system is mounted on the Lambda function, starting with `/mnt/`\.
+These permissions are included in the **AmazonElasticFileSystemClientReadWriteAccess** managed policy\.
 
-**Pricing**  
-Amazon EFS charges for storage and throughput, with rates that vary by storage class\. For details, see [Amazon EFS pricing](https://aws.amazon.com/efs/pricing)\.  
-Lambda charges for data transfer between VPCs\. This only applies if your function's VPC is peered to another VPC with a file system\. The rates are the same as for Amazon EC2 data transfer between VPCs in the same Region\. For details, see [Lambda pricing](https://aws.amazon.com/lambda/pricing)\.
+When you configure a file system, Lambda uses your permissions to verify mount targets\. To configure a function to connect to a file system, your IAM user needs the following permissions:
 
-For more information about Lambda's integration with Amazon EFS, see [Using Amazon EFS with Lambda](services-efs.md)\.
+**User permissions**
++ **elasticfilesystem:DescribeMountTargets**
 
 ## Configuring a file system and access point<a name="configuration-filesystem-setup"></a>
 
@@ -61,20 +49,32 @@ For more information, see the following topics in the *Amazon Elastic File Syste
 + [Creating resources for Amazon EFS](https://docs.aws.amazon.com/efs/latest/ug/creating-using.html)
 + [Working with users, groups, and permissions](https://docs.aws.amazon.com/efs/latest/ug/accessing-fs-nfs-permissions.html)
 
-## Execution role and user permissions<a name="configuration-filesystem-permissions"></a>
+## Connecting to a file system \(console\)<a name="configuration-filesystem-config"></a>
 
-Lambda uses your function's permissions to mount file systems\. To connect to a file system, your function's execution role must have the following permissions in addition to the [permissions required to connect to the file system's VPC](configuration-vpc.md#vpc-permissions):
+A function connects to a file system over the local network in a VPC\. The subnets that your function connects to can be the same subnets that contain mount points for your file system, or subnets in the same Availability Zone that can route NFS traffic \(port 2049\) to the file system\.
 
-**Execution role permissions**
-+ **elasticfilesystem:ClientMount**
-+ **elasticfilesystem:ClientWrite \(not required for read\-only connections\)**
+**Note**  
+If your function is not already connected to a VPC, see [Configuring a Lambda function to access resources in a VPC](configuration-vpc.md)\.
 
-These permissions are included in the **AmazonElasticFileSystemClientReadWriteAccess** managed policy\.
+**To configure file system access**
 
-When you configure a file system, Lambda uses your permissions to verify mount targets\. To configure a function to connect to a file system, your IAM user needs the following permissions:
+1. Open the [Functions page](https://console.aws.amazon.com/lambda/home#/functions) on the Lambda console\.
 
-**User permissions**
-+ **elasticfilesystem:DescribeMountTargets**
+1. Choose a function\.
+
+1. Choose **Configuration** and then choose **File systems**\.
+
+1. Under **File system**, choose **Add file system**\.
+
+1. Configure the following properties:
+   + **EFS file system** – The access point for a file system in the same VPC\.
+   + **Local mount path** – The location where the file system is mounted on the Lambda function, starting with `/mnt/`\.
+
+**Pricing**  
+Amazon EFS charges for storage and throughput, with rates that vary by storage class\. For details, see [Amazon EFS pricing](https://aws.amazon.com/efs/pricing)\.  
+Lambda charges for data transfer between VPCs\. This only applies if your function's VPC is peered to another VPC with a file system\. The rates are the same as for Amazon EC2 data transfer between VPCs in the same Region\. For details, see [Lambda pricing](https://aws.amazon.com/lambda/pricing)\.
+
+For more information about Lambda's integration with Amazon EFS, see [Using Amazon EFS with Lambda](services-efs.md)\.
 
 ## Configuring file system access with the Lambda API<a name="configuration-filesystem-api"></a>
 
@@ -130,6 +130,7 @@ You can use AWS CloudFormation and the AWS Serverless Application Model \(AWS SA
 **Example template\.yml – File system configuration**  
 
 ```
+Transform: AWS::Serverless-2016-10-31
 Resources:
   VPC:
     Type: AWS::EC2::VPC
@@ -141,20 +142,33 @@ Resources:
       VpcId:
         Ref: VPC
       CidrBlock: 10.0.1.0/24
-      AvailabilityZone: "eu-central-1a"
+      AvailabilityZone: "us-west-2a"
   EfsSecurityGroup:
     Type: AWS::EC2::SecurityGroup
     Properties:
       VpcId:
         Ref: VPC
       GroupDescription: "mnt target sg"
-      SecurityGroupEgress:
+      SecurityGroupIngress:
       - IpProtocol: -1
         CidrIp: "0.0.0.0/0"
   FileSystem:
     Type: AWS::EFS::FileSystem
     Properties:
       PerformanceMode: generalPurpose
+  AccessPoint:
+    Type: AWS::EFS::AccessPoint
+    Properties:
+      FileSystemId:
+        Ref: FileSystem
+      PosixUser:
+        Uid: "1001"
+        Gid: "1001"
+      RootDirectory:
+        CreationInfo:
+          OwnerGid: "1001"
+          OwnerUid: "1001"
+          Permissions: "755"
   MountTarget1:
     Type: AWS::EFS::MountTarget
     Properties:
@@ -167,11 +181,17 @@ Resources:
   MyFunctionWithEfs:
     Type: [AWS::Serverless::Function](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html)
     Properties:
-      CodeUri: function/.
-      Description: Use a file system.
+      Handler: index.handler
+      Runtime: python3.9
+      VpcConfig:
+        SecurityGroupIds:
+        - Ref: EfsSecurityGroup
+        SubnetIds:
+        - Ref: Subnet1
       FileSystemConfigs:
-      - Arn: "arn:aws:elasticfilesystem:eu-central-1:123456789101:access-point/fsap-015cxmplb72b405fd"
-        LocalMountPath: "/mnt/efs0"
+      - Arn: !GetAtt AccessPoint.Arn
+        LocalMountPath: "/mnt/efs"
+      Description: Use a file system.
     DependsOn: "MountTarget1"
 ```
 

doc_source/configuration-images.md

@@ -37,7 +37,7 @@ When you deploy code as a container image to a Lambda function, the image underg
 
 ## Amazon ECR permissions<a name="configuration-images-permissions"></a>
 
-For your function to access the container image in Amazon ECR, you can add `ecr:BatchGetImage` and `ecr:GetDownloadUrlForLayer` permissions to your Amazon ECR repository\. The following example shows the minimum policy:
+For a function in the same account as the container image in Amazon ECR, you can add `ecr:BatchGetImage` and `ecr:GetDownloadUrlForLayer` permissions to your Amazon ECR repository\. The following example shows the minimum policy:
 
 ```
 {
@@ -59,6 +59,53 @@ If the Amazon ECR repository does not include these permissions, Lambda adds `ec
 
 To view or edit your Amazon ECR repository permissions, follow the directions in [Setting a repository policy statement](https://docs.aws.amazon.com/AmazonECR/latest/userguide/set-repository-policy.html) in the *Amazon Elastic Container Registry User Guide*\.
 
+### Amazon ECR cross\-account permissions<a name="configuration-images-xaccount-permissions"></a>
+
+A different account in the same region can create a function that uses a container image owned by your account\. In the following example, your Amazon ECR repository permissions policy needs the following statements to grant access to account number 123456789012\.
++ **CrossAccountPermission** – Allows account 123456789012 to create and update Lambda functions that use images from this ECR repository\.
++ **LambdaECRImageCrossAccountRetrievalPolicy** – Lambda will eventually set a function's state to inactive if it is not invoked for an extended period\. This statement is required so that Lambda can retrieve the container image for optimization and caching on behalf of the function owned by 123456789012\. 
+
+**Example Add cross\-account permission to your repository**  
+
+```
+{"Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "CrossAccountPermission",
+      "Effect": "Allow",
+      "Action": [
+        "ecr:BatchGetImage",
+        "ecr:GetDownloadUrlForLayer"
+      ],
+      "Principal": {
+        "AWS": "arn:aws:iam::123456789012:root"
+      } 
+    },
+    {
+      "Sid": "LambdaECRImageCrossAccountRetrievalPolicy",
+      "Effect": "Allow",
+      "Action": [
+        "ecr:BatchGetImage",
+        "ecr:GetDownloadUrlForLayer"
+      ],
+      "Principal": {
+          "Service": "lambda.amazonaws.com"
+      },
+      "Condition": {
+        "StringLike": {
+          "aws:sourceARN":
+            "arn:aws:lambda:us-east-1:123456789012:function:*"
+        } 
+      }
+    }
+  ]
+}
+```
+
+To give access to multiple accounts, you add the account IDs to the Principal list in the `CrossAccountPermission` policy and to the Condition evaluation list in the `LambdaECRImageCrossAccountRetrievalPolicy`\. 
+
+If you are working with multiple accounts in an AWS Organization, we recommend that you enumerate each account ID in the ECR permissions policy\. This approach aligns with the AWS security best practice of setting narrow permissions in IAM policies\.
+
 ## Override the container settings<a name="configuration-images-settings"></a>
 
 You can use the Lambda console or the Lambda API to override the following container image settings:
@@ -163,7 +210,7 @@ To create a function defined as container image, use the `create-function` comma
 
 When you create the function, you can specify the instruction set architecture\. The default architecture is `x86-64`\. Make sure that the code in your container image is compatible with the architecture\.
 
- Note that you must create the function from the same account as the container registry in Amazon ECR\.
+ You can create the function from the same account as the container registry or from a different account in the same region as the container registry in Amazon ECR\. For cross\-account access, adjust the [Amazon ECR permissions](#configuration-images-xaccount-permissions) for the image\.
 
 ```
 aws lambda create-function --region sa-east-1 --function-name my-function \