> ## Documentation Index
> Fetch the complete documentation index at: https://docs.fingerprint.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Updating CloudFront Integration Management Lambda Permissions

Starting in October 2025, AWS requires new function URLs to use both `lambda:InvokeFunctionUrl` and `lambda:InvokeFunction` permissions. For details, see [Controlling access to Lambda function URLs](https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html) and [Using Lambda function URLs](https://docs.aws.amazon.com/lambda/latest/dg/urls-invocation.html).

If you deployed the CloudFront Integration using [CloudFormation](/docs/install-cloudfront-integration-using-cloudformation) before version [v2.2.0](https://github.com/fingerprintjs/aws-cloudfront-proxy/releases/tag/%40fingerprint%2Faws-cloudfront-proxy%402.2.0), you may need to manually add the `lambda:InvokeFunction` permission to your Management Lambda function policy so it matches the AWS-documented permission model for Function URLs.
This guide covers the steps required to do so.

## Overview

* If you deployed the integration starting from version [v2.2.0](https://github.com/fingerprintjs/aws-cloudfront-proxy/releases/tag/%40fingerprint%2Faws-cloudfront-proxy%402.2.0) you already have the `lambda:InvokeFunction` permission, so no additional steps are required.
* For integrations deployed **before** version [v2.2.0](https://github.com/fingerprintjs/aws-cloudfront-proxy/releases/tag/%40fingerprint%2Faws-cloudfront-proxy%402.2.0):
  * Integrations deployed **after** October 2025 need to add the `lambda:InvokeFunction` permission to make the Management Lambda function work.
  * In integrations deployed **before** October 2025 the Management Lambda function will continue to work, but it's recommended to update the permissions regardless to avoid any issues in the future.

## Step 1: Find your Management Lambda function

1. Navigate to the [CloudFormation console](https://console.aws.amazon.com/cloudformation), switch to the **US East (N. Virginia)** (`us-east-1`) region, and find the CloudFormation stack that was created by the Fingerprint CloudFront integration.
2. Switch to the **Resources** tab, find the resource with the **Logical ID** of `FingerprintProMgmtLambda` and click the link in the corresponding **Physical ID** column.

## Step 2: Update the Management Lambda function policy

1. Select the **Configuration** tab and navigate to the **Permissions** section in the left sidebar.
2. Scroll down to the **Resource-based policy statements** section and verify that there's only one row with **Action** set to `lambda:InvokeFunctionUrl`.
   * If you see an additional row with `lambda:InvokeFunction` permission, it means that you already have the additional permission and no further steps are required.
3. Click the **Add permissions** button.
4. In the form:
   * Select **Function URL** below the **Edit policy statement**
   * In **Auth type**, select `NONE`
   * In **Statement ID** you can either leave the default value or enter a custom one
   * In **Principal** ensure that the value is set to `*`
   * In **Action** select `lambda:InvokeFunction`
   * Click **Save**
5. Verify that the **Resource-based policy statements** section now contains two rows:
   * One with **Action** set to `lambda:InvokeFunctionUrl`
   * One with **Action** set to `lambda:InvokeFunction`

These changes keep the Management Lambda function publicly invokable, which is required for the automatic updates to work.
The endpoint for updating your CloudFront Integration is protected by a **token** that you provided to Fingerprint in [Step 6](/docs/install-cloudfront-integration-using-cloudformation#step-6-enable-automatic-updates-in-the-fingerprint-dashboard) of the CloudFormation deployment guide.
