feat(client-lambda): Release FilterCriteria encryption for Lambda EventSourceMapping, enabling customers to encrypt their filter criteria using a customer-owned KMS key.
awstools committed Aug 21, 2024
1 parent 1baa7ea commit 6fff363
Showing 13 changed files with 184 additions and 21 deletions.
6 changes: 3 additions & 3 deletions clients/client-lambda/src/commands/AddPermissionCommand.ts
@@ -28,15 +28,15 @@ export interface AddPermissionCommandInput extends AddPermissionRequest {}
export interface AddPermissionCommandOutput extends AddPermissionResponse, __MetadataBearer {}

/**
* <p>Grants an Amazon Web Service, Amazon Web Services account, or Amazon Web Services organization
* <p>Grants an Amazon Web Servicesservice, Amazon Web Services account, or Amazon Web Services organization
* permission to use a function. You can apply the policy at the function level, or specify a qualifier to restrict
* access to a single version or alias. If you use a qualifier, the invoker must use the full Amazon Resource Name
* (ARN) of that version or alias to invoke the function. Note: Lambda does not support adding policies
* to version $LATEST.</p>
* <p>To grant permission to another account, specify the account ID as the <code>Principal</code>. To grant
* permission to an organization defined in Organizations, specify the organization ID as the
* <code>PrincipalOrgID</code>. For Amazon Web Services, the principal is a domain-style identifier that
* the service defines, such as <code>s3.amazonaws.com</code> or <code>sns.amazonaws.com</code>. For Amazon Web Services, you can also specify the ARN of the associated resource as the <code>SourceArn</code>. If
* <code>PrincipalOrgID</code>. For Amazon Web Servicesservices, the principal is a domain-style identifier that
* the service defines, such as <code>s3.amazonaws.com</code> or <code>sns.amazonaws.com</code>. For Amazon Web Servicesservices, you can also specify the ARN of the associated resource as the <code>SourceArn</code>. If
* you grant permission to a service principal without specifying the source, other accounts could potentially
* configure resources in their account to invoke your Lambda function.</p>
* <p>This operation adds a statement to a resource-based permissions policy for the function. For more information
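Review bot: the replacement text in this hunk introduces a typo: every `Amazon Web Service` on the `-` lines becomes `Amazon Web Servicesservice` / `Amazon Web Servicesservices` on the `+` lines, with the space lost between `Services` and `service`, e.g. `* <p>Grants an Amazon Web Servicesservice, Amazon Web Services account, or Amazon Web Services organization`. The intended text is `Amazon Web Services service`. Because this file is generated, the missing space lives in the upstream model doc traits and should be fixed there rather than patched here; the same regression appears in the CreateFunction, DeleteFunction, RemovePermission, UpdateFunctionConfiguration and AddPermissionRequest doc hunks of this commit.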
@@ -212,6 +212,7 @@ export interface CreateEventSourceMappingCommandOutput extends EventSourceMappin
* CollectionName: "STRING_VALUE",
* FullDocument: "UpdateLookup" || "Default",
* },
* KMSKeyArn: "STRING_VALUE",
* };
* const command = new CreateEventSourceMappingCommand(input);
* const response = await client.send(command);
@@ -283,6 +284,11 @@ export interface CreateEventSourceMappingCommandOutput extends EventSourceMappin
* // CollectionName: "STRING_VALUE",
* // FullDocument: "UpdateLookup" || "Default",
* // },
* // KMSKeyArn: "STRING_VALUE",
* // FilterCriteriaError: { // FilterCriteriaError
* // ErrorCode: "STRING_VALUE",
* // Message: "STRING_VALUE",
* // },
* // };
*
* ```
6 changes: 3 additions & 3 deletions clients/client-lambda/src/commands/CreateFunctionCommand.ts
@@ -35,7 +35,7 @@ export interface CreateFunctionCommandOutput extends FunctionConfiguration, __Me
/**
* <p>Creates a Lambda function. To create a function, you need a <a href="https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-package.html">deployment package</a> and an <a href="https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html#lambda-intro-execution-role">execution role</a>. The
* deployment package is a .zip file archive or container image that contains your function code. The execution role
* grants the function permission to use Amazon Web Services, such as Amazon CloudWatch Logs for log
* grants the function permission to use Amazon Web Servicesservices, such as Amazon CloudWatch Logs for log
* streaming and X-Ray for request tracing.</p>
* <p>If the deployment package is a <a href="https://docs.aws.amazon.com/lambda/latest/dg/lambda-images.html">container
* image</a>, then you set the package type to <code>Image</code>. For a container image, the code property
@@ -66,9 +66,9 @@ export interface CreateFunctionCommandOutput extends FunctionConfiguration, __Me
* <a>UpdateFunctionCode</a>, Lambda checks that the code package has a valid signature from
* a trusted publisher. The code-signing configuration includes set of signing profiles, which define the trusted
* publishers for this function.</p>
* <p>If another Amazon Web Services account or an Amazon Web Service invokes your function, use <a>AddPermission</a> to grant permission by creating a resource-based Identity and Access Management (IAM) policy. You can grant permissions at the function level, on a version, or on an alias.</p>
* <p>If another Amazon Web Services account or an Amazon Web Servicesservice invokes your function, use <a>AddPermission</a> to grant permission by creating a resource-based Identity and Access Management (IAM) policy. You can grant permissions at the function level, on a version, or on an alias.</p>
* <p>To invoke your function directly, use <a>Invoke</a>. To invoke your function in response to events
* in other Amazon Web Services, create an event source mapping (<a>CreateEventSourceMapping</a>),
* in other Amazon Web Servicesservices, create an event source mapping (<a>CreateEventSourceMapping</a>),
* or configure a function trigger in the other service. For more information, see <a href="https://docs.aws.amazon.com/lambda/latest/dg/lambda-invocation.html">Invoking Lambda
* functions</a>.</p>
* @example
@@ -111,6 +111,11 @@ export interface DeleteEventSourceMappingCommandOutput extends EventSourceMappin
* // CollectionName: "STRING_VALUE",
* // FullDocument: "UpdateLookup" || "Default",
* // },
* // KMSKeyArn: "STRING_VALUE",
* // FilterCriteriaError: { // FilterCriteriaError
* // ErrorCode: "STRING_VALUE",
* // Message: "STRING_VALUE",
* // },
* // };
*
* ```
@@ -31,7 +31,7 @@ export interface DeleteFunctionCommandOutput extends __MetadataBearer {}
* <p>Deletes a Lambda function. To delete a specific function version, use the <code>Qualifier</code> parameter.
* Otherwise, all versions and aliases are deleted. This doesn't require the user to have explicit
* permissions for <a>DeleteAlias</a>.</p>
* <p>To delete Lambda event source mappings that invoke a function, use <a>DeleteEventSourceMapping</a>. For Amazon Web Services and resources that invoke your function
* <p>To delete Lambda event source mappings that invoke a function, use <a>DeleteEventSourceMapping</a>. For Amazon Web Servicesservices and resources that invoke your function
* directly, delete the trigger in the service where you originally configured it.</p>
* @example
* Use a bare-bones client and the command you need to make an API call.
@@ -109,6 +109,11 @@ export interface GetEventSourceMappingCommandOutput extends EventSourceMappingCo
* // CollectionName: "STRING_VALUE",
* // FullDocument: "UpdateLookup" || "Default",
* // },
* // KMSKeyArn: "STRING_VALUE",
* // FilterCriteriaError: { // FilterCriteriaError
* // ErrorCode: "STRING_VALUE",
* // Message: "STRING_VALUE",
* // },
* // };
*
* ```
@@ -115,6 +115,11 @@ export interface ListEventSourceMappingsCommandOutput extends ListEventSourceMap
* // CollectionName: "STRING_VALUE",
* // FullDocument: "UpdateLookup" || "Default",
* // },
* // KMSKeyArn: "STRING_VALUE",
* // FilterCriteriaError: { // FilterCriteriaError
* // ErrorCode: "STRING_VALUE",
* // Message: "STRING_VALUE",
* // },
* // },
* // ],
* // };
@@ -28,7 +28,7 @@ export interface RemovePermissionCommandInput extends RemovePermissionRequest {}
export interface RemovePermissionCommandOutput extends __MetadataBearer {}

/**
* <p>Revokes function-use permission from an Amazon Web Service or another Amazon Web Services account. You
* <p>Revokes function-use permission from an Amazon Web Servicesservice or another Amazon Web Services account. You
* can get the ID of the statement from the output of <a>GetPolicy</a>.</p>
* @example
* Use a bare-bones client and the command you need to make an API call.
@@ -192,6 +192,7 @@ export interface UpdateEventSourceMappingCommandOutput extends EventSourceMappin
* CollectionName: "STRING_VALUE",
* FullDocument: "UpdateLookup" || "Default",
* },
* KMSKeyArn: "STRING_VALUE",
* };
* const command = new UpdateEventSourceMappingCommand(input);
* const response = await client.send(command);
@@ -263,6 +264,11 @@ export interface UpdateEventSourceMappingCommandOutput extends EventSourceMappin
* // CollectionName: "STRING_VALUE",
* // FullDocument: "UpdateLookup" || "Default",
* // },
* // KMSKeyArn: "STRING_VALUE",
* // FilterCriteriaError: { // FilterCriteriaError
* // ErrorCode: "STRING_VALUE",
* // Message: "STRING_VALUE",
* // },
* // };
*
* ```
@@ -47,7 +47,7 @@ export interface UpdateFunctionConfigurationCommandOutput extends FunctionConfig
* <p>These settings can vary between versions of a function and are locked when you publish a version. You can't
* modify the configuration of a published version, only the unpublished version.</p>
* <p>To configure function concurrency, use <a>PutFunctionConcurrency</a>. To grant invoke permissions
* to an Amazon Web Services account or Amazon Web Service, use <a>AddPermission</a>.</p>
* to an Amazon Web Services account or Amazon Web Servicesservice, use <a>AddPermission</a>.</p>
* @example
* Use a bare-bones client and the command you need to make an API call.
* ```javascript
64 changes: 61 additions & 3 deletions clients/client-lambda/src/models/models_0.ts
@@ -397,23 +397,23 @@ export interface AddPermissionRequest {
Action: string | undefined;

/**
* <p>The Amazon Web Service or Amazon Web Services account that invokes the function. If you specify a
* <p>The Amazon Web Servicesservice or Amazon Web Services account that invokes the function. If you specify a
* service, use <code>SourceArn</code> or <code>SourceAccount</code> to limit who can invoke the function through
* that service.</p>
* @public
*/
Principal: string | undefined;

/**
* <p>For Amazon Web Services, the ARN of the Amazon Web Services resource that invokes the function. For
* <p>For Amazon Web Servicesservices, the ARN of the Amazon Web Services resource that invokes the function. For
* example, an Amazon S3 bucket or Amazon SNS topic.</p>
* <p>Note that Lambda configures the comparison using the <code>StringLike</code> operator.</p>
* @public
*/
SourceArn?: string;

/**
* <p>For Amazon Web Service, the ID of the Amazon Web Services account that owns the resource. Use this
* <p>For Amazon Web Servicesservice, the ID of the Amazon Web Services account that owns the resource. Use this
* together with <code>SourceArn</code> to ensure that the specified account owns the resource. It is possible for an
* Amazon S3 bucket to be deleted by its owner and recreated by another account.</p>
* @public
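Review bot: same missing space here, three times: `Amazon Web Servicesservice` in the `Principal` doc and in the `SourceAccount` doc, and `Amazon Web Servicesservices` in the `SourceArn` doc. While touching it, the `SourceAccount` paragraph should read plural (`For Amazon Web Services services, the ID of the Amazon Web Services account that owns the resource.`) to match the `SourceArn` paragraph directly above it; the `-` line was already inconsistent on that point.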
@@ -1263,6 +1263,35 @@ export interface CreateEventSourceMappingRequest {
* @public
*/
DocumentDBEventSourceConfig?: DocumentDBEventSourceConfig;

/**
* <p>
* The ARN of the Key Management Service (KMS) customer managed key that Lambda
* uses to encrypt your function's <a href="https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventfiltering.html#filtering-basics">filter criteria</a>.
* By default, Lambda does not encrypt your filter criteria object. Specify this
* property to encrypt data using your own customer managed key.
* </p>
* @public
*/
KMSKeyArn?: string;
}

/**
* <p>An object that contains details about an error related to filter criteria encryption.</p>
* @public
*/
export interface FilterCriteriaError {
/**
* <p>The KMS exception that resulted from filter criteria encryption or decryption.</p>
* @public
*/
ErrorCode?: string;

/**
* <p>The error message.</p>
* @public
*/
Message?: string;
}

/**
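Review bot: `FilterCriteriaError.ErrorCode` is typed as a bare `string`, and its doc (`The KMS exception that resulted from filter criteria encryption or decryption.`) never says which values it can carry. Callers will branch on this field, so the doc should list or link the KMS exception names it can contain, or the model should make it an enum. Two smaller points on the `KMSKeyArn` doc in this hunk: it says `your function's filter criteria`, but filter criteria belong to the event source mapping, not the function; and it does not say which KMS permissions the caller needs when the key is supplied on create (the `FilterCriteria` doc later in this file mentions `kms:Decrypt` only for reads), so a caller cannot tell from the SDK docs what key policy to grant before this call will succeed.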
@@ -1325,6 +1354,10 @@ export interface EventSourceMappingConfiguration {
/**
* <p>An object that defines the filter criteria that
* determine whether Lambda should process an event. For more information, see <a href="https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventfiltering.html">Lambda event filtering</a>.</p>
* <p>If filter criteria is encrypted, this field shows up as <code>null</code> in the response
* of ListEventSourceMapping API calls. You can view this field in plaintext in the response of
* GetEventSourceMapping and DeleteEventSourceMapping calls if you have
* <code>kms:Decrypt</code> permissions for the correct KMS key.</p>
* @public
*/
FilterCriteria?: FilterCriteria;
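Review bot: two naming fixes and one behavioural gap in this paragraph. `ListEventSourceMapping` should be `ListEventSourceMappings` (the command in this commit is `ListEventSourceMappingsCommand`), and `If filter criteria is encrypted` should be `If the filter criteria are encrypted` (or `If the filter criteria object is encrypted`). More important for callers: the paragraph covers List, Get and Delete but not the Create and Update responses, which return the same `EventSourceMappingConfiguration` per the examples in this commit, and it does not say what happens when the caller lacks `kms:Decrypt` on Get or Delete. Presumably `FilterCriteria` comes back `null` and `FilterCriteriaError` is set, but as written a reader cannot distinguish "no filter configured" from "filter present but not decryptable". Cross-reference `FilterCriteriaError` here and state that behaviour explicitly.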
@@ -1449,6 +1482,20 @@ export interface EventSourceMappingConfiguration {
* @public
*/
DocumentDBEventSourceConfig?: DocumentDBEventSourceConfig;

/**
* <p>
* The ARN of the Key Management Service (KMS) customer managed key that Lambda
* uses to encrypt your function's <a href="https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventfiltering.html#filtering-basics">filter criteria</a>.</p>
* @public
*/
KMSKeyArn?: string;

/**
* <p>An object that contains details about an error related to filter criteria encryption.</p>
* @public
*/
FilterCriteriaError?: FilterCriteriaError;
}

/**
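Review bot: the `FilterCriteriaError` doc on the configuration struct only repeats the struct-level description (`An object that contains details about an error related to filter criteria encryption.`) and does not say when the field is populated or what `FilterCriteria` holds in that case. A reader needs at least: which calls can set it, whether it reflects a decrypt failure at read time or an encrypt failure at create/update, and whether a disabled or deleted key named in `KMSKeyArn` surfaces here or as an error response. Also, the `KMSKeyArn` doc here says `uses to encrypt your function's filter criteria`; as in the request docs, the criteria belong to the mapping, not the function.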
@@ -7014,6 +7061,17 @@ export interface UpdateEventSourceMappingRequest {
* @public
*/
DocumentDBEventSourceConfig?: DocumentDBEventSourceConfig;

/**
* <p>
* The ARN of the Key Management Service (KMS) customer managed key that Lambda
* uses to encrypt your function's <a href="https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventfiltering.html#filtering-basics">filter criteria</a>.
* By default, Lambda does not encrypt your filter criteria object. Specify this
* property to encrypt data using your own customer managed key.
* </p>
* @public
*/
KMSKeyArn?: string;
}

/**
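Review bot: this `KMSKeyArn` doc is copied verbatim from `CreateEventSourceMappingRequest`, but on an update the interesting cases are different and none are covered: what omitting `KMSKeyArn` does to an already-encrypted mapping (leave the key unchanged, or revert to plaintext), how to switch back to unencrypted filter criteria, and whether supplying a different key re-encrypts the stored criteria (key rotation). Spell those out, or at least state that omission leaves the current setting untouched if that is the behaviour; `By default, Lambda does not encrypt your filter criteria object.` is misleading on an update path.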
14 changes: 14 additions & 0 deletions clients/client-lambda/src/protocols/Aws_restJson1.ts
@@ -446,6 +446,7 @@ export const se_CreateEventSourceMappingCommand = async (
FilterCriteria: (_) => _json(_),
FunctionName: [],
FunctionResponseTypes: (_) => _json(_),
KMSKeyArn: [],
MaximumBatchingWindowInSeconds: [],
MaximumRecordAgeInSeconds: [],
MaximumRetryAttempts: [],
@@ -1689,6 +1690,7 @@ export const se_UpdateEventSourceMappingCommand = async (
FilterCriteria: (_) => _json(_),
FunctionName: [],
FunctionResponseTypes: (_) => _json(_),
KMSKeyArn: [],
MaximumBatchingWindowInSeconds: [],
MaximumRecordAgeInSeconds: [],
MaximumRetryAttempts: [],
@@ -1941,8 +1943,10 @@ export const de_CreateEventSourceMappingCommand = async (
DocumentDBEventSourceConfig: _json,
EventSourceArn: __expectString,
FilterCriteria: _json,
FilterCriteriaError: _json,
FunctionArn: __expectString,
FunctionResponseTypes: _json,
KMSKeyArn: __expectString,
LastModified: (_) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
LastProcessingResult: __expectString,
MaximumBatchingWindowInSeconds: __expectInt32,
@@ -2104,8 +2108,10 @@ export const de_DeleteEventSourceMappingCommand = async (
DocumentDBEventSourceConfig: _json,
EventSourceArn: __expectString,
FilterCriteria: _json,
FilterCriteriaError: _json,
FunctionArn: __expectString,
FunctionResponseTypes: _json,
KMSKeyArn: __expectString,
LastModified: (_) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
LastProcessingResult: __expectString,
MaximumBatchingWindowInSeconds: __expectInt32,
@@ -2339,8 +2345,10 @@ export const de_GetEventSourceMappingCommand = async (
DocumentDBEventSourceConfig: _json,
EventSourceArn: __expectString,
FilterCriteria: _json,
FilterCriteriaError: _json,
FunctionArn: __expectString,
FunctionResponseTypes: _json,
KMSKeyArn: __expectString,
LastModified: (_) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
LastProcessingResult: __expectString,
MaximumBatchingWindowInSeconds: __expectInt32,
@@ -3401,8 +3409,10 @@ export const de_UpdateEventSourceMappingCommand = async (
DocumentDBEventSourceConfig: _json,
EventSourceArn: __expectString,
FilterCriteria: _json,
FilterCriteriaError: _json,
FunctionArn: __expectString,
FunctionResponseTypes: _json,
KMSKeyArn: __expectString,
LastModified: (_) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
LastProcessingResult: __expectString,
MaximumBatchingWindowInSeconds: __expectInt32,
@@ -4797,8 +4807,10 @@ const de_EventSourceMappingConfiguration = (output: any, context: __SerdeContext
DocumentDBEventSourceConfig: _json,
EventSourceArn: __expectString,
FilterCriteria: _json,
FilterCriteriaError: _json,
FunctionArn: __expectString,
FunctionResponseTypes: _json,
KMSKeyArn: __expectString,
LastModified: (_: any) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
LastProcessingResult: __expectString,
MaximumBatchingWindowInSeconds: __expectInt32,
@@ -4840,6 +4852,8 @@ const de_EventSourceMappingsList = (output: any, context: __SerdeContext): Event

// de_FilterCriteria omitted.

// de_FilterCriteriaError omitted.

// de_FilterList omitted.

// de_FunctionArnList omitted.