AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2025-08-01 · Documentation low

File: cli/latest/reference/iot/transfer-certificate.md

Summary

Added documentation about customer-managed key behavior during certificate transfers and updated CLI version

Security assessment

Clarifies encryption behavior during certificate transfers (use of IoT-owned keys vs. customer-managed keys), enhancing security documentation but not addressing a specific vulnerability.

Diff

diff --git a/cli/latest/reference/iot/transfer-certificate.md b/cli/latest/reference/iot/transfer-certificate.md
index e6ccb47cb..de8fa3b5e 100644
--- a//cli/latest/reference/iot/transfer-certificate.md
+++ b//cli/latest/reference/iot/transfer-certificate.md
@@ -15 +15 @@
-  * [AWS CLI 2.27.63 Command Reference](../../index.html) »
+  * [AWS CLI 2.28.0 Command Reference](../../index.html) »
@@ -66 +66 @@ You can cancel the transfer until it is acknowledged by the recipient.
-No notification is sent to the transfer destination’s account. It is up to the caller to notify the transfer target.
+No notification is sent to the transfer destination’s account. It’s up to the caller to notify the transfer target.
@@ -68 +68 @@ No notification is sent to the transfer destination’s account. It is up to the
-The certificate being transferred must not be in the ACTIVE state. You can use the UpdateCertificate action to deactivate it.
+The certificate being transferred must not be in the `ACTIVE` state. You can use the UpdateCertificate action to deactivate it.
@@ -71,0 +72,11 @@ The certificate must not have any policies attached to it. You can use the Detac
+> **Customer managed key behavior:** When you use a customer managed key to secure your data and then transfer the key to a customer in a different account using the TransferCertificate operation, the certificates will no longer be protected by their customer managed key configuration. During the transfer process, certificates are encrypted using IoT owned keys.
+
+While a certificate is in the **PENDING_TRANSFER** state, it’s always protected by IoT owned keys, regardless of the customer managed key configuration of either the source or destination account.
+
+Once the transfer is completed through AcceptCertificateTransfer , RejectCertificateTransfer , or CancelCertificateTransfer , the certificate will be protected by the customer managed key configuration of the account that owns the certificate after the transfer operation:
+
+  * If the transfer is accepted: The certificate is protected by the destination account’s customer managed key configuration.
+  * If the transfer is rejected or cancelled: The certificate is protected by the source account’s customer managed key configuration.
+
+
+
@@ -258 +269 @@ transferredCertificateArn -> (string)
-  * [AWS CLI 2.27.63 Command Reference](../../index.html) »
+  * [AWS CLI 2.28.0 Command Reference](../../index.html) »