AWS cli documentation change
Summary
Updated encryption behavior documentation for snapshot copies, added link to encryption considerations, and clarified Outpost encryption requirements
Security assessment
The changes clarify encryption behavior when copying snapshots, including dependencies on EBS encryption defaults and explicit enforcement of encryption for Outposts. While this improves security documentation, there's no evidence of addressing a specific vulnerability.
Diff
diff --git a/cli/latest/reference/ec2/copy-snapshot.md b/cli/latest/reference/ec2/copy-snapshot.md index 764495de3..31acccf7e 100644 --- a//cli/latest/reference/ec2/copy-snapshot.md +++ b//cli/latest/reference/ec2/copy-snapshot.md @@ -15 +15 @@ - * [AWS CLI 2.30.2 Command Reference](../../index.html) » + * [AWS CLI 2.30.5 Command Reference](../../index.html) » @@ -70 +70 @@ The location of the source snapshot determines whether you can copy it or not, a -When copying snapshots to a Region, copies of encrypted EBS snapshots remain encrypted. Copies of unencrypted snapshots remain unencrypted, unless you enable encryption for the snapshot copy operation. By default, encrypted snapshot copies use the default KMS key; however, you can specify a different KMS key. To copy an encrypted snapshot that has been shared from another account, you must have permissions for the KMS key used to encrypt the snapshot. +When copying snapshots to a Region, the encryption outcome for the snapshot copy depends on the Amazon EBS encryption by default setting for the destination Region, the encryption status of the source snapshot, and the encryption parameters you specify in the request. For more information, see [Encryption and snapshot copying](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-copy-snapshot.html#creating-encrypted-snapshots) . @@ -72 +72 @@ When copying snapshots to a Region, copies of encrypted EBS snapshots remain enc -Snapshots copied to an Outpost are encrypted by default using the default encryption key for the Region, or a different key that you specify in the request using **KmsKeyId** . Outposts do not support unencrypted snapshots. For more information, see [Amazon EBS local snapshots on Outposts](https://docs.aws.amazon.com/ebs/latest/userguide/snapshots-outposts.html#ami) in the _Amazon EBS User Guide_ . +Snapshots copied to an Outpost must be encrypted. Unencrypted snapshots are not supported on Outposts. For more information, [Amazon EBS local snapshots on Outposts](https://docs.aws.amazon.com/ebs/latest/userguide/snapshots-outposts.html#considerations) . @@ -144 +144 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/ec2-20 -> To encrypt a copy of an unencrypted snapshot if encryption by default is not enabled, enable encryption using this parameter. Otherwise, omit this parameter. Encrypted snapshots are encrypted, even if you omit this parameter and encryption by default is not enabled. You cannot set this parameter to false. For more information, see [Amazon EBS encryption](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption.html) in the _Amazon EBS User Guide_ . +> To encrypt a copy of an unencrypted snapshot if encryption by default is not enabled, enable encryption using this parameter. Otherwise, omit this parameter. Copies of encrypted snapshots are encrypted, even if you omit this parameter and encryption by default is not enabled. You cannot set this parameter to false. For more information, see [Amazon EBS encryption](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption.html) in the _Amazon EBS User Guide_ . @@ -440 +440 @@ SnapshotId -> (string) - * [AWS CLI 2.30.2 Command Reference](../../index.html) » + * [AWS CLI 2.30.5 Command Reference](../../index.html) »