AWS Security ChangesHomeSearch

AWS cli medium security documentation change

Service: cli · 2025-10-16 · Security-related medium

File: cli/latest/reference/transcribe/start-call-analytics-job.md

Summary

Updated KMS key documentation to clarify ARN format and required permissions. Removed redundant key specification methods and added link to KMS ARN documentation.

Security assessment

The changes explicitly clarify encryption requirements and expand permission requirements to include both the requesting role and DataAccessRoleArn. This prevents misconfiguration of encryption settings, which could lead to unauthorized access if improperly configured. The update strengthens security documentation by emphasizing proper KMS key usage.

Diff

diff --git a/cli/latest/reference/transcribe/start-call-analytics-job.md b/cli/latest/reference/transcribe/start-call-analytics-job.md
index 12cf135c1..59715738f 100644
--- a//cli/latest/reference/transcribe/start-call-analytics-job.md
+++ b//cli/latest/reference/transcribe/start-call-analytics-job.md
@@ -15 +15 @@
-  * [AWS CLI 2.31.13 Command Reference](../../index.html) »
+  * [AWS CLI 2.31.16 Command Reference](../../index.html) »
@@ -220 +220 @@ JSON Syntax:
-> The KMS key you want to use to encrypt your Call Analytics output.
+> The Amazon Resource Name (ARN) of a KMS key that you want to use to encrypt your Call Analytics output.
@@ -222,15 +222 @@ JSON Syntax:
-> If using a key located in the **current** Amazon Web Services account, you can specify your KMS key in one of four ways:
-> 
->   * Use the KMS key ID itself. For example, `1234abcd-12ab-34cd-56ef-1234567890ab` .
->   * Use an alias for the KMS key ID. For example, `alias/ExampleAlias` .
->   * Use the Amazon Resource Name (ARN) for the KMS key ID. For example, `arn:aws:kms:region:account-ID:key/1234abcd-12ab-34cd-56ef-1234567890ab` .
->   * Use the ARN for the KMS key alias. For example, `arn:aws:kms:region:account-ID:alias/ExampleAlias` .
-> 
-
-> 
-> If using a key located in a **different** Amazon Web Services account than the current Amazon Web Services account, you can specify your KMS key in one of two ways:
-> 
->   * Use the ARN for the KMS key ID. For example, `arn:aws:kms:region:account-ID:key/1234abcd-12ab-34cd-56ef-1234567890ab` .
->   * Use the ARN for the KMS key alias. For example, `arn:aws:kms:region:account-ID:alias/ExampleAlias` .
-> 
-
+> KMS key ARNs have the format `arn:partition:kms:region:account:key/key-id` . For example: `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab` . For more information, see [KMS key ARNs](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN) .
@@ -240,3 +226 @@ JSON Syntax:
-> If you specify a KMS key to encrypt your output, you must also specify an output location using the `OutputLocation` parameter.
-> 
-> Note that the role making the request must have permission to use the specified KMS key.
+> Note that the role making the request and the role specified in the `DataAccessRoleArn` request parameter (if present) must have permission to use the specified KMS key.
@@ -1860 +1844 @@ CallAnalyticsJob -> (structure)
-  * [AWS CLI 2.31.13 Command Reference](../../index.html) »
+  * [AWS CLI 2.31.16 Command Reference](../../index.html) »