
Commit 729226c

regular updates to Lambda GitHub doc repository
1 parent 126bf54 commit 729226c

7 files changed

+22
-11
lines changed

doc_source/admin-lambda-apps.md

Lines changed: 1 addition & 1 deletion
@@ -4,6 +4,6 @@ AWS Lambda integrates with many of the administration tools that AWS offers, inc
44

55
The sections below offer guidance on how to organize and track your Lambda function invocations and introduce you to the AWS Security Model for how to secure your Lambda\-based applications:
66
+ [Tagging Lambda Functions](tagging.md)
7-
+ [Logging AWS Lambda API Calls By Using AWS CloudTrail](logging-using-cloudtrail.md)
7+
+ [Logging AWS Lambda API Calls with AWS CloudTrail](logging-using-cloudtrail.md)
88
+ [Authentication and Access Control for AWS Lambda](lambda-auth-and-access-control.md)
99
+ [Managing Concurrency](concurrent-executions.md)

doc_source/current-supported-versions.md

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ The underlying AWS Lambda execution environment is based on the following:
44
+ Public Amazon Linux AMI version \(AMI name: amzn\-ami\-hvm\-2017\.03\.1\.20170812\-x86\_64\-gp2\) which can be accessed [ here](https://console.aws.amazon.com/ec2/v2/home#Images:visibility=public-images;search=amzn-ami-hvm-2017.03.1.20170812-x86_64-gp2)\.
55

66
For information about using an AMI, see [Amazon Machine Images \(AMI\)](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) in the *Amazon EC2 User Guide for Linux Instances*\.
7-
+ Linux kernel version – 4\.9\.93\-41\.60\.amzn1\.x86\_64
7+
+ Linux kernel version – 4\.9\.119\-44\.140\.amzn1\.x86\_64
88

99
If you are using any native binaries in your code, make sure they are compiled against the package and library versions from this AMI and kernel\. Note that only 64\-bit binaries are supported on AWS Lambda and that the specific CPU make and model is subject to continual updates\.
1010
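
Review bot: The kernel bump on new line 7 (4.9.119-44.140.amzn1.x86_64) leaves the AMI on line 4 at amzn-ami-hvm-2017.03.1.20170812, while line 9 tells readers to compile native binaries against "this AMI and kernel". Please confirm the listed AMI is still the right build reference for the new kernel, or add a sentence saying how to get a build environment with the kernel stated here. Otherwise readers building native binaries are given two references that may not agree.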

doc_source/env_variables.md

Lines changed: 3 additions & 0 deletions
@@ -63,6 +63,9 @@ If you use your own key, you will be billed per [AWS Key Management Service Pric
6363

6464
If you’re using the default KMS service key for Lambda, then no additional IAM permissions are required in your function execution role – your role will just work automatically without changes\. If you’re supplying your own \(custom\) KMS key, then you’ll need to add `kms:Decrypt` to your execution role\. In addition, the user that will be creating and updating the Lambda function must have permissions to use the KMS key\. For more information on KMS keys, see the [Using Key Policies in AWS KMS](http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)\.
6565

66+
**Note**
67+
AWS Lambda authorizes your function to use the default KMS key through a user grant, which it adds when the role is first selected\. If you re\-create a function's execution role \(that is, delete and create a role of the same name\) and the role does not have `kms:Decrypt` permissions, you will need to refresh the role's grant\. You can do so by toggling the function's execution role after the role has been re\-created in the console\.
68+
6669
### Storing Sensitive Information<a name="env-storing-sensitive-data"></a>
6770

6871
As mentioned in the previous section, when you deploy your Lambda function, all the environment variables you've specified are encrypted by default after, but not during, the deployment process\. They are then decrypted automatically by AWS Lambda when the function is invoked\. If you need to store sensitive information in an environment variable, we strongly suggest you encrypt that information before deploying your Lambda function\.
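
Review bot: In the added Note (new line 67), "toggling the function's execution role" does not tell the reader what to do, and the trailing "in the console" reads as if the role has to be re-created in the console. Suggest spelling out the steps (for example: select a different execution role, save, then select the re-created role and save again, if that is what is meant) and moving "in the console" next to the action it belongs to. It would also help to say what the reader sees when the grant is stale, and to reconcile the Note with line 64 just above, which still says the default key needs no extra permissions and the role "will just work automatically".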

doc_source/index.md

Lines changed: 1 addition & 1 deletion
@@ -218,7 +218,7 @@ Amazon's trademarks and trade dress may not be used in
218218
+ [The AWS X-Ray Daemon in the Lambda Environment](lambda-x-ray-daemon.md)
219219
+ [Administering Lambda-based Applications](admin-lambda-apps.md)
220220
+ [Tagging Lambda Functions](tagging.md)
221-
+ [Logging AWS Lambda API Calls By Using AWS CloudTrail](logging-using-cloudtrail.md)
221+
+ [Logging AWS Lambda API Calls with AWS CloudTrail](logging-using-cloudtrail.md)
222222
+ [Authentication and Access Control for AWS Lambda](lambda-auth-and-access-control.md)
223223
+ [Overview of Managing Access Permissions to Your AWS Lambda Resources](access-control-overview.md)
224224
+ [Using Identity-Based Policies (IAM Policies) for AWS Lambda](access-control-identity-based.md)

doc_source/logging-using-cloudtrail.md

Lines changed: 13 additions & 5 deletions
@@ -1,12 +1,20 @@
1-
# Logging AWS Lambda API Calls By Using AWS CloudTrail<a name="logging-using-cloudtrail"></a>
1+
# Logging AWS Lambda API Calls with AWS CloudTrail<a name="logging-using-cloudtrail"></a>
22

3-
AWS Lambda is integrated with AWS CloudTrail, a service that captures API calls made by or on behalf of AWS Lambda in your AWS account and delivers the log files to an Amazon S3 bucket that you specify\. CloudTrail captures API calls made from the AWS Lambda console or from the AWS Lambda API\. Using the information collected by CloudTrail, you can determine what request was made to AWS Lambda, the source IP address from which the request was made, who made the request, when it was made, and so on\. To learn more about CloudTrail, including how to configure and enable it, see the [http://docs.aws.amazon.com/awscloudtrail/latest/userguide/](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/)\.
3+
AWS Lambda is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in AWS Lambda\. CloudTrail captures API calls for AWS Lambda as events\. The calls captured include calls from the AWS Lambda console and code calls to the AWS Lambda API operations\. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for AWS Lambda\. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**\. Using the information collected by CloudTrail, you can determine the request that was made to AWS Lambda, the IP address from which the request was made, who made the request, when it was made, and additional details\.
4+
5+
To learn more about CloudTrail, including how to configure and enable it, see the [AWS CloudTrail User Guide](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/)\.
46

57
## AWS Lambda Information in CloudTrail<a name="service-name-info-in-cloudtrail"></a>
68

7-
When CloudTrail logging is enabled in your AWS account, API calls made to AWS Lambda actions are tracked in log files\. AWS Lambda records are written together with other AWS service records in a log file\. CloudTrail determines when to create and write to a new file based on a time period and file size\.
9+
CloudTrail is enabled on your AWS account when you create the account\. When supported event activity occurs in AWS Lambda, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**\. You can view, search, and download recent events in your AWS account\. For more information, see [Viewing Events with CloudTrail Event History](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html)\.
10+
11+
For an ongoing record of events in your AWS account, including events for AWS Lambda, create a trail\. A *trail* enables CloudTrail to deliver log files to an Amazon S3 bucket\. By default, when you create a trail in the console, the trail applies to all AWS Regions\. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify\. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs\. For more information, see the following:
12+
+ [Overview for Creating a Trail](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
13+
+ [CloudTrail Supported Services and Integrations](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
14+
+ [Configuring Amazon SNS Notifications for CloudTrail](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
15+
+ [Receiving CloudTrail Log Files from Multiple Regions](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail Log Files from Multiple Accounts](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)
816

9-
The following actions are supported:
17+
AWS Lambda supports logging the following actions as events in CloudTrail log files:
1018
+ [AddPermission](API_AddPermission.md)
1119
+ [CreateEventSourceMapping](API_CreateEventSourceMapping.md)
1220
+ [CreateFunction](API_CreateFunction.md)
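
Review bot: New lines 3 and 9 describe Event history as holding "the most recent events" and "recent events" without saying how far back it goes, so a reader cannot tell from this page whether Event history alone is enough for an audit or an investigation. Suggest stating the retention window here, or saying outright that a trail is required for anything beyond recent activity, since line 11 only implies it with "For an ongoing record of events". Separately, the section anchor `service-name-info-in-cloudtrail` on line 7 looks like a template placeholder that was never filled in; worth fixing in a follow-up if no links depend on it.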
@@ -103,4 +111,4 @@ The `eventName` may include date and version information, such as `"GetFunction2
103111

104112
## Using CloudTrail to Track Function Invocations<a name="tracking-function-invocations"></a>
105113

106-
CloudTrail also logs data events\. You can turn on data event logging so that you log an event every time Lambda functions are invoked\. This helps you understand what identities are invoking the functions and the frequency of their invocations\. This feature is not enabled by default and incurs additional charges if enabled\. You can do this using the AWS CloudTrail console or [Invoke](API_Invoke.md) CLI operation\. For more information on this option, see [ Logging Data and Management Events for Trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html)\.
114+
CloudTrail also logs data events\. You can turn on data event logging so that you log an event every time Lambda functions are invoked\. This helps you understand what identities are invoking the functions and the frequency of their invocations\. You can do this using the AWS CloudTrail console or [Invoke](API_Invoke.md) CLI operation\. For more information on this option, see [ Logging Data and Management Events for Trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html)\.
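
Review bot: New line 114 drops "This feature is not enabled by default and incurs additional charges if enabled", which was the only statement in this section that invocation logging is off by default and billed. With the intro now saying CloudTrail is enabled when the account is created, readers may assume invocations are already being recorded; suggest keeping at least the "not enabled by default" half. The sentence "You can do this using the AWS CloudTrail console or [Invoke](API_Invoke.md) CLI operation" also survives unchanged: Invoke runs a function and does not turn on data event logging, so the link should point at the CloudTrail operation that configures data events instead.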

doc_source/with-cloudtrail-example.md

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
# Tutorial: Using AWS Lambda with AWS CloudTrail<a name="with-cloudtrail-example"></a>
22

3-
Suppose you have turned on AWS CloudTrail for your AWS account to maintain records \(logs\) of AWS API calls made on your account and you want to be notified anytime an API call is made to create an SNS topic\. As API calls are made in your account, CloudTrail writes logs to an Amazon S3 bucket that you configured\. In this scenario, you want Amazon S3 to publish the object\-created events to AWS Lambda and invoke your Lambda function as CloudTrail creates log objects\.
3+
In this scenario, AWS CloudTrail will maintain records \(logs\) of AWS API calls made on your account and notify you anytime an API call is made to create an SNS topic\. As API calls are made in your account, CloudTrail writes logs to an Amazon S3 bucket that you configured\. In this scenario, you want Amazon S3 to publish the object\-created events to AWS Lambda and invoke your Lambda function as CloudTrail creates log objects\.
44

55
When Amazon S3 invokes your Lambda function, it passes an S3 event identifying, among other things, the bucket name and key name of the object that CloudTrail created\. Your Lambda function can read the log object, and it knows the API calls that were reported in the log\.
66
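
Review bot: New line 3 now says CloudTrail will "notify you anytime an API call is made to create an SNS topic", but the rest of the paragraph and line 5 describe CloudTrail only writing log objects to S3, with the Lambda function reading them. The removed wording ("you want to be notified") kept that distinction; suggest something like "you want a Lambda function to notify you" so the notification is not attributed to CloudTrail. The paragraph also now contains "In this scenario" twice.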

doc_source/with-cloudtrail.md

Lines changed: 2 additions & 2 deletions
@@ -1,10 +1,10 @@
11
# Using AWS Lambda with AWS CloudTrail<a name="with-cloudtrail"></a>
22

3-
You can enable CloudTrail in your AWS account to get logs of API calls and related events history in your account\. CloudTrail records all of the API access events as objects in your Amazon S3 bucket that you specify at the time you enable CloudTrail\.
3+
AWS CloudTrail is a service that provides a record of actions taken by a user, role, or an AWS service\. CloudTrail captures API calls as events\. For an ongoing record of events in your AWS account, you create a trail\. A trail enables CloudTrail to deliver log files of events to an Amazon S3 bucket\.
44

55
You can take advantage of Amazon S3's bucket notification feature and direct Amazon S3 to publish object\-created events to AWS Lambda\. Whenever CloudTrail writes logs to your S3 bucket, Amazon S3 can then invoke your Lambda function by passing the Amazon S3 object\-created event as a parameter\. The S3 event provides information, including the bucket name and key name of the log object that CloudTrail created\. Your Lambda function code can read the log object and process the access records logged by CloudTrail\. For example, you might write Lambda function code to notify you if specific API call was made in your account\.
66

7-
In this scenario, you enable CloudTrail so it can write access logs to your S3 bucket\. As for AWS Lambda, Amazon S3 is the event source so Amazon S3 publishes events to AWS Lambda and invokes your Lambda function\.
7+
In this scenario, CloudTrail writes access logs to your S3 bucket\. As for AWS Lambda, Amazon S3 is the event source so Amazon S3 publishes events to AWS Lambda and invokes your Lambda function\.
88

99
**Note**
1010
Amazon S3 can only support one event destination\.
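
Review bot: After this change, line 7 says "CloudTrail writes access logs to your S3 bucket" with no mention of enabling anything, while new line 3 says delivery to S3 happens once "you create a trail". Suggest tying the two together on line 7 (for example "a trail delivers log files to your S3 bucket") and using one term throughout: line 3 says "log files of events", line 5 says "access records", and line 7 says "access logs". Line 5 also reads "if specific API call was made", which is missing an article.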
