AWS cli documentation change
Summary
Added documentation about customer-managed key behavior during certificate transfers and updated CLI version
Security assessment
Clarifies encryption behavior during certificate transfers (use of IoT-owned keys vs. customer-managed keys), enhancing security documentation but not addressing a specific vulnerability.
Diff
diff --git a/cli/latest/reference/iot/transfer-certificate.md b/cli/latest/reference/iot/transfer-certificate.md index e6ccb47cb..de8fa3b5e 100644 --- a//cli/latest/reference/iot/transfer-certificate.md +++ b//cli/latest/reference/iot/transfer-certificate.md @@ -15 +15 @@ - * [AWS CLI 2.27.63 Command Reference](../../index.html) » + * [AWS CLI 2.28.0 Command Reference](../../index.html) » @@ -66 +66 @@ You can cancel the transfer until it is acknowledged by the recipient. -No notification is sent to the transfer destination’s account. It is up to the caller to notify the transfer target. +No notification is sent to the transfer destination’s account. It’s up to the caller to notify the transfer target. @@ -68 +68 @@ No notification is sent to the transfer destination’s account. It is up to the -The certificate being transferred must not be in the ACTIVE state. You can use the UpdateCertificate action to deactivate it. +The certificate being transferred must not be in the `ACTIVE` state. You can use the UpdateCertificate action to deactivate it. @@ -71,0 +72,11 @@ The certificate must not have any policies attached to it. You can use the Detac +> **Customer managed key behavior:** When you use a customer managed key to secure your data and then transfer the key to a customer in a different account using the TransferCertificate operation, the certificates will no longer be protected by their customer managed key configuration. During the transfer process, certificates are encrypted using IoT owned keys. + +While a certificate is in the **PENDING_TRANSFER** state, it’s always protected by IoT owned keys, regardless of the customer managed key configuration of either the source or destination account. + +Once the transfer is completed through AcceptCertificateTransfer , RejectCertificateTransfer , or CancelCertificateTransfer , the certificate will be protected by the customer managed key configuration of the account that owns the certificate after the transfer operation: + + * If the transfer is accepted: The certificate is protected by the destination account’s customer managed key configuration. + * If the transfer is rejected or cancelled: The certificate is protected by the source account’s customer managed key configuration. + + + @@ -258 +269 @@ transferredCertificateArn -> (string) - * [AWS CLI 2.27.63 Command Reference](../../index.html) » + * [AWS CLI 2.28.0 Command Reference](../../index.html) »