AWS cli medium security documentation change
Summary
Updated KMS key specification details, corrected required roles for KMS permissions (now only requiring the request role), added OutputLocation requirement, and updated CLI version references
Security assessment
The change clarifies that only the request role (not DataAccessRoleArn) needs KMS permissions, preventing potential privilege escalation from outdated documentation. The enhanced KMS key specification details improve encryption documentation as a security feature.
Diff
diff --git a/cli/latest/reference/transcribe/start-medical-transcription-job.md b/cli/latest/reference/transcribe/start-medical-transcription-job.md index 4df8cec22..0e7c65070 100644 --- a//cli/latest/reference/transcribe/start-medical-transcription-job.md +++ b//cli/latest/reference/transcribe/start-medical-transcription-job.md @@ -15 +15 @@ - * [AWS CLI 2.28.6 Command Reference](../../index.html) » + * [AWS CLI 2.28.8 Command Reference](../../index.html) » @@ -339 +339 @@ JSON Syntax: -> The Amazon Resource Name (ARN) of a KMS key that you want to use to encrypt your medical transcription output. +> The KMS key you want to use to encrypt your medical transcription output. @@ -341 +341,15 @@ JSON Syntax: -> KMS key ARNs have the format `arn:partition:kms:region:account:key/key-id` . For example: `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab` . For more information, see [KMS key ARNs](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN) . +> If using a key located in the **current** Amazon Web Services account, you can specify your KMS key in one of four ways: +> +> * Use the KMS key ID itself. For example, `1234abcd-12ab-34cd-56ef-1234567890ab` . +> * Use an alias for the KMS key ID. For example, `alias/ExampleAlias` . +> * Use the Amazon Resource Name (ARN) for the KMS key ID. For example, `arn:aws:kms:region:account-ID:key/1234abcd-12ab-34cd-56ef-1234567890ab` . +> * Use the ARN for the KMS key alias. For example, `arn:aws:kms:region:account-ID:alias/ExampleAlias` . +> + +> +> If using a key located in a **different** Amazon Web Services account than the current Amazon Web Services account, you can specify your KMS key in one of two ways: +> +> * Use the ARN for the KMS key ID. For example, `arn:aws:kms:region:account-ID:key/1234abcd-12ab-34cd-56ef-1234567890ab` . +> * Use the ARN for the KMS key alias. For example, `arn:aws:kms:region:account-ID:alias/ExampleAlias` . +> + @@ -345 +359,3 @@ JSON Syntax: -> Note that the role making the request and the role specified in the `DataAccessRoleArn` request parameter (if present) must have permission to use the specified KMS key. +> If you specify a KMS key to encrypt your output, you must also specify an output location using the `OutputLocation` parameter. +> +> Note that the role making the request must have permission to use the specified KMS key. @@ -1173 +1189 @@ MedicalTranscriptionJob -> (structure) - * [AWS CLI 2.28.6 Command Reference](../../index.html) » + * [AWS CLI 2.28.8 Command Reference](../../index.html) »