AWS cli high security documentation change
Summary
Added new data source types (GOOGLE_DRIVE, CONFLUENCE, SHAREPOINT, etc.), updated parameter descriptions, and added detailed configurations for S3 Knowledge Base and Web Crawler data sources
Security assessment
Added security-related parameters including WebCrawler authentication configurations (BASIC_AUTH, SAML) and S3 Knowledge Base role overrides. The WebCrawlerParameters include credential handling details (username/password fields XPaths) and authentication types, which directly impact access control security. The S3KnowledgeBaseParameters documentation explains role escalation capabilities that could bypass account-wide security policies.
Diff
diff --git a/cli/latest/reference/quicksight/describe-data-source.md b/cli/latest/reference/quicksight/describe-data-source.md index 09cc28bab..ec867d137 100644 --- a//cli/latest/reference/quicksight/describe-data-source.md +++ b//cli/latest/reference/quicksight/describe-data-source.md @@ -15 +15 @@ - * [AWS CLI 2.31.10 Command Reference](../../index.html) » + * [AWS CLI 2.31.13 Command Reference](../../index.html) » @@ -266,0 +267,7 @@ DataSource -> (structure) +>> * `GOOGLE_DRIVE` +>> * `CONFLUENCE` +>> * `SHAREPOINT` +>> * `ONE_DRIVE` +>> * `WEB_CRAWLER` +>> * `S3_KNOWLEDGE_BASE` +>> * `QBUSINESS` @@ -296 +303 @@ DataSource -> (structure) ->> The parameters that Amazon QuickSight uses to connect to your underlying source. This is a variant type structure. For this structure to be valid, only one of the attributes can be non-null. +>> The parameters that Quick Sight uses to connect to your underlying source. This is a variant type structure. For this structure to be valid, only one of the attributes can be non-null. @@ -732 +739 @@ DataSource -> (structure) ->>>>> The user whose permissions and group memberships will be used by QuickSight to access the cluster. If this user already exists in your database, QuickSight is granted the same permissions that the user has. If the user doesn’t exist, set the value of `AutoCreateDatabaseUser` to `True` to create a new user with PUBLIC permissions. +>>>>> The user whose permissions and group memberships will be used by Quick Sight to access the cluster. If this user already exists in your database, Amazon Quick Sight is granted the same permissions that the user has. If the user doesn’t exist, set the value of `AutoCreateDatabaseUser` to `True` to create a new user with PUBLIC permissions. @@ -763 +770 @@ DataSource -> (structure) ->>>>> Automatically creates a database user. If your database doesn’t have a `DatabaseUser` , set this parameter to `True` . If there is no `DatabaseUser` , Amazon QuickSight can’t connect to your cluster. The `RoleArn` that you use for this operation must grant access to `redshift:CreateClusterUser` to successfully create the user. +>>>>> Automatically creates a database user. If your database doesn’t have a `DatabaseUser` , set this parameter to `True` . If there is no `DatabaseUser` , Quick Sight can’t connect to your cluster. The `RoleArn` that you use for this operation must grant access to `redshift:CreateClusterUser` to successfully create the user. @@ -814,0 +822,37 @@ DataSource -> (structure) +>> +>> S3KnowledgeBaseParameters -> (structure) +>> +>>> The parameters for S3 Knowledge Base. +>>> +>>> RoleArn -> (string) +>>> +>>>> Use the `RoleArn` structure to override an account-wide role for a specific S3 Knowledge Base data source. For example, say an account administrator has turned off all S3 access with an account-wide role. The administrator can then use `RoleArn` to bypass the account-wide role and allow S3 access for the single S3 Knowledge Base data source that is specified in the structure, even if the account-wide role forbidding S3 access is still active. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `20` +>>>> * max: `2048` +>>>> + +>>> +>>> BucketUrl -> (string) [required] +>>> +>>>> The URL of the S3 bucket that contains the knowledge base data. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `1024` +>>>> + +>>> +>>> MetadataFilesLocation -> (string) +>>> +>>>> The location of metadata files within the S3 bucket that describe the structure and content of the knowledge base. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `1024` +>>>> + @@ -1367,0 +1412,132 @@ DataSource -> (structure) +>> +>> WebCrawlerParameters -> (structure) +>> +>>> The parameters for Web Crawler. +>>> +>>> WebCrawlerAuthType -> (string) [required] +>>> +>>>> The authentication type for the web crawler. The type can be one of the following: +>>>> +>>>> * `NO_AUTH` : No authentication required. +>>>> * `BASIC_AUTH` : Basic authentication using username and password. +>>>> * `SAML` : SAML-based authentication. +>>>> * `FORM` : Form-based authentication. +>>>> + +>>>> +>>>> Possible values: +>>>> +>>>> * `NO_AUTH` +>>>> * `BASIC_AUTH` +>>>> * `FORM` +>>>> * `SAML` +>>>> + +>>> +>>> UsernameFieldXpath -> (string) +>>> +>>>> The XPath expression for locating the username field on the login page. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `1024` +>>>> + +>>> +>>> PasswordFieldXpath -> (string) +>>> +>>>> The XPath expression for locating the password field on the login page. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `1024` +>>>> + +>>> +>>> UsernameButtonXpath -> (string) +>>> +>>>> The XPath expression for locating the username submit button on the login page. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `1024` +>>>> + +>>> +>>> PasswordButtonXpath -> (string) +>>> +>>>> The XPath expression for locating the password submit button on the login page. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `1024` +>>>> + +>>> +>>> LoginPageUrl -> (string) +>>> +>>>> The URL of the login page for the web crawler to authenticate. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `1024` +>>>> + +>>> +>>> WebProxyHostName -> (string) +>>> +>>>> The hostname of the web proxy server for the web crawler. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `256` +>>>> + +>>> +>>> WebProxyPortNumber -> (integer) +>>> +>>>> The port number of the web proxy server for the web crawler. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `0` +>>>> * max: `65535` +>>>> + +>> +>> ConfluenceParameters -> (structure) +>> +>>> The parameters for Confluence. +>>> +>>> ConfluenceUrl -> (string) [required] +>>> +>>>> The URL of the Confluence site to connect to. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `1024` +>>>> + +>> +>> QBusinessParameters -> (structure) +>> +>>> The parameters for Amazon Q Business. +>>> +>>> ApplicationArn -> (string) [required] +>>> +>>>> The Amazon Resource Name (ARN) of the Amazon Q Business application. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `1284` +>>>> * pattern: `^arn:[-a-z0-9]*:qbusiness:[-a-z0-9]*:[0-9]{12}:application/.+` +>>>> + @@ -1382 +1558 @@ DataSource -> (structure) ->>> The parameters that Amazon QuickSight uses to connect to your underlying data source. This is a variant type structure. For this structure to be valid, only one of the attributes can be non-null. +>>> The parameters that Quick Sight uses to connect to your underlying data source. This is a variant type structure. For this structure to be valid, only one of the attributes can be non-null. @@ -1818 +1994 @@ DataSource -> (structure) ->>>>>> The user whose permissions and group memberships will be used by QuickSight to access the cluster. If this user already exists in your database, QuickSight is granted the same permissions that the user has. If the user doesn’t exist, set the value of `AutoCreateDatabaseUser` to `True` to create a new user with PUBLIC permissions.