AWS cli medium security documentation change
Summary
Added documentation for VolumeKmsKeyId and RootVolume fields in EBS volume configuration, clarifying encryption options for root/secondary volumes using KMS keys
Security assessment
The change introduces documentation about using customer-managed KMS keys for EBS volume encryption, which is a security control. It explicitly states requirements for encrypting root volumes with customer-managed keys instead of AWS-owned keys, directly impacting data-at-rest security. While not addressing a specific vulnerability, it documents security configuration options.
Diff
diff --git a/cli/latest/reference/sagemaker/describe-cluster.md b/cli/latest/reference/sagemaker/describe-cluster.md index 38a36436a..a255b8ba5 100644 --- a//cli/latest/reference/sagemaker/describe-cluster.md +++ b//cli/latest/reference/sagemaker/describe-cluster.md @@ -15 +15 @@ - * [AWS CLI 2.28.11 Command Reference](../../index.html) » + * [AWS CLI 2.28.12 Command Reference](../../index.html) » @@ -281,0 +282,22 @@ InstanceGroups -> (list) +>>>>> +>>>>> VolumeKmsKeyId -> (string) +>>>>> +>>>>>> The ID of a KMS key to encrypt the Amazon EBS volume. +>>>>> +>>>>> RootVolume -> (boolean) +>>>>> +>>>>>> Specifies whether the configuration is for the cluster’s root or secondary Amazon EBS volume. You can specify two `ClusterEbsVolumeConfig` fields to configure both the root and secondary volumes. Set the value to `True` if you’d like to provide your own customer managed Amazon Web Services KMS key to encrypt the root volume. When `True` : +>>>>>> +>>>>>> * The configuration is applied to the root volume. +>>>>>> * You can’t specify the `VolumeSizeInGB` field. The size of the root volume is determined for you. +>>>>>> * You must specify a KMS key ID for `VolumeKmsKeyId` to encrypt the root volume with your own KMS key instead of an Amazon Web Services owned KMS key. +>>>>>> + +>>>>>> +>>>>>> Otherwise, by default, the value is `False` , and the following applies: +>>>>>> +>>>>>> * The configuration is applied to the secondary volume, while the root volume is encrypted with an Amazon Web Services owned key. +>>>>>> * You must specify the `VolumeSizeInGB` field. +>>>>>> * You can optionally specify the `VolumeKmsKeyId` to encrypt the secondary volume with your own KMS key instead of an Amazon Web Services owned KMS key. +>>>>>> + @@ -442,0 +465,22 @@ RestrictedInstanceGroups -> (list) +>>>>> +>>>>> VolumeKmsKeyId -> (string) +>>>>> +>>>>>> The ID of a KMS key to encrypt the Amazon EBS volume. +>>>>> +>>>>> RootVolume -> (boolean) +>>>>> +>>>>>> Specifies whether the configuration is for the cluster’s root or secondary Amazon EBS volume. You can specify two `ClusterEbsVolumeConfig` fields to configure both the root and secondary volumes. Set the value to `True` if you’d like to provide your own customer managed Amazon Web Services KMS key to encrypt the root volume. When `True` : +>>>>>> +>>>>>> * The configuration is applied to the root volume. +>>>>>> * You can’t specify the `VolumeSizeInGB` field. The size of the root volume is determined for you. +>>>>>> * You must specify a KMS key ID for `VolumeKmsKeyId` to encrypt the root volume with your own KMS key instead of an Amazon Web Services owned KMS key. +>>>>>> + +>>>>>> +>>>>>> Otherwise, by default, the value is `False` , and the following applies: +>>>>>> +>>>>>> * The configuration is applied to the secondary volume, while the root volume is encrypted with an Amazon Web Services owned key. +>>>>>> * You must specify the `VolumeSizeInGB` field. +>>>>>> * You can optionally specify the `VolumeKmsKeyId` to encrypt the secondary volume with your own KMS key instead of an Amazon Web Services owned KMS key. +>>>>>> + @@ -609 +653 @@ NodeProvisioningMode -> (string) - * [AWS CLI 2.28.11 Command Reference](../../index.html) » + * [AWS CLI 2.28.12 Command Reference](../../index.html) »