diff --git a/packages/aws-cdk-lib/aws-lambda/lib/function.ts b/packages/aws-cdk-lib/aws-lambda/lib/function.ts
index 356be758b9a7c..2a7d151a23c8e 100644
--- a/packages/aws-cdk-lib/aws-lambda/lib/function.ts
+++ b/packages/aws-cdk-lib/aws-lambda/lib/function.ts
@@ -260,6 +260,9 @@ export interface FunctionOptions extends EventInvokeConfigOptions {
    * If set to false, you must individually add traffic rules to allow the
    * Lambda to connect to network targets.
    *
+   * Do not specify this property if the `securityGroups` or `securityGroup` property is set.
+   * Instead, configure `allowAllOutbound` directly on the security group.
+   *
    * @default true
    */
   readonly allowAllOutbound?: boolean;