AWS cli documentation change
Summary
Updated cryptographic terminology (NIST-recommended → NIST-standard), added ED25519 key spec support, and CLI version update
Security assessment
The changes add documentation for new ED25519 cryptographic capabilities and clarify standards compliance. While this enhances security documentation by describing new cryptographic options, there is no evidence it addresses a specific security vulnerability.
Diff
diff --git a/cli/latest/reference/kms/create-key.md b/cli/latest/reference/kms/create-key.md index 68ff64b23..d33254bbd 100644 --- a//cli/latest/reference/kms/create-key.md +++ b//cli/latest/reference/kms/create-key.md @@ -15 +15 @@ - * [AWS CLI 2.31.31 Command Reference](../../index.html) » + * [AWS CLI 2.31.32 Command Reference](../../index.html) » @@ -84 +84 @@ To create an asymmetric KMS key, use the `KeySpec` parameter to specify the type -Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, ML-DSA key pair or an SM2 key pair (China Regions only). The private key in an asymmetric KMS key never leaves KMS unencrypted. However, you can use the GetPublicKey operation to download the public key so it can be used outside of KMS. Each KMS key can have only one key usage. KMS keys with RSA key pairs can be used to encrypt and decrypt data or sign and verify messages (but not both). KMS keys with NIST-recommended ECC key pairs can be used to sign and verify messages or derive shared secrets (but not both). KMS keys with `ECC_SECG_P256K1` can be used only to sign and verify messages. KMS keys with ML-DSA key pairs can be used to sign and verify messages. KMS keys with SM2 key pairs (China Regions only) can be used to either encrypt and decrypt data, sign and verify messages, or derive shared secrets (you must choose one key usage type). For information about asymmetric KMS keys, see [Asymmetric KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the _Key Management Service Developer Guide_ . +Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, ML-DSA key pair or an SM2 key pair (China Regions only). The private key in an asymmetric KMS key never leaves KMS unencrypted. However, you can use the GetPublicKey operation to download the public key so it can be used outside of KMS. Each KMS key can have only one key usage. KMS keys with RSA key pairs can be used to encrypt and decrypt data or sign and verify messages (but not both). KMS keys with NIST-standard ECC key pairs can be used to sign and verify messages or derive shared secrets (but not both). KMS keys with `ECC_SECG_P256K1` can be used only to sign and verify messages. KMS keys with ML-DSA key pairs can be used to sign and verify messages. KMS keys with SM2 key pairs (China Regions only) can be used to either encrypt and decrypt data, sign and verify messages, or derive shared secrets (you must choose one key usage type). For information about asymmetric KMS keys, see [Asymmetric KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the _Key Management Service Developer Guide_ . @@ -242 +242 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20 -> * For asymmetric KMS keys with NIST-recommended elliptic curve key pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT` . +> * For asymmetric KMS keys with NIST-standard elliptic curve key pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT` . @@ -305 +305 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20 -> * Asymmetric NIST-recommended elliptic curve key pairs (signing and verification -or- deriving shared secrets) +> * Asymmetric NIST-standard elliptic curve key pairs (signing and verification -or- deriving shared secrets) @@ -308,0 +309,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20 +> * `ECC_NIST_EDWARDS25519` (ed25519) - signing and verification only +> * **Note:** For ECC_NIST_EDWARDS25519 KMS keys, the ED25519_SHA_512 signing algorithm requires ` `MessageType:RAW` kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType`__ , while ED25519_PH_SHA_512 requires ` `MessageType:DIGEST` kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType`__ . These message types cannot be used interchangeably. @@ -337,0 +340 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20 +> * `ECC_NIST_EDWARDS25519` @@ -1148,0 +1152 @@ KeyMetadata -> (structure) +>> * `ECC_NIST_EDWARDS25519` @@ -1189,0 +1194,2 @@ KeyMetadata -> (structure) +>>> * `ED25519_SHA_512` +>>> * `ED25519_PH_SHA_512` @@ -1362 +1368 @@ KeyMetadata -> (structure) - * [AWS CLI 2.31.31 Command Reference](../../index.html) » + * [AWS CLI 2.31.32 Command Reference](../../index.html) »