Skip to main content
Starting in October 2025, AWS requires new function URLs to use both lambda:InvokeFunctionUrl and lambda:InvokeFunction permissions. For details, see Controlling access to Lambda function URLs and Using Lambda function URLs. If you deployed the CloudFront Integration using CloudFormation before version v2.2.0, you may need to manually add the lambda:InvokeFunction permission to your Management Lambda function policy so it matches the AWS-documented permission model for Function URLs. This guide covers the steps required to do so.

Overview

  • If you deployed the integration starting from version v2.2.0 you already have the lambda:InvokeFunction permission, so no additional steps are required.
  • For integrations deployed before version v2.2.0:
    • Integrations deployed after October 2025 need to add the lambda:InvokeFunction permission to make the Management Lambda function work.
    • In integrations deployed before October 2025 the Management Lambda function will continue to work, but it’s recommended to update the permissions regardless to avoid any issues in the future.

Step 1: Find your Management Lambda function

  1. Navigate to the CloudFormation console, switch to the US East (N. Virginia) (us-east-1) region, and find the CloudFormation stack that was created by the Fingerprint CloudFront integration.
  2. Switch to the Resources tab, find the resource with the Logical ID of FingerprintProMgmtLambda and click the link in the corresponding Physical ID column.

Step 2: Update the Management Lambda function policy

  1. Select the Configuration tab and navigate to the Permissions section in the left sidebar.
  2. Scroll down to the Resource-based policy statements section and verify that there’s only one row with Action set to lambda:InvokeFunctionUrl.
    • If you see an additional row with lambda:InvokeFunction permission, it means that you already have the additional permission and no further steps are required.
  3. Click the Add permissions button.
  4. In the form:
    • Select Function URL below the Edit policy statement
    • In Auth type, select NONE
    • In Statement ID you can either leave the default value or enter a custom one
    • In Principal ensure that the value is set to *
    • In Action select lambda:InvokeFunction
    • Click Save
  5. Verify that the Resource-based policy statements section now contains two rows:
    • One with Action set to lambda:InvokeFunctionUrl
    • One with Action set to lambda:InvokeFunction
These changes keep the Management Lambda function publicly invokable, which is required for the automatic updates to work. The endpoint for updating your CloudFront Integration is protected by a token that you provided to Fingerprint in Step 6 of the CloudFormation deployment guide.