AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2025-11-13 · Documentation low

File: cli/latest/reference/elbv2/create-listener.md

Summary

Clarified ForwardConfig usage for multiple target groups

Security assessment

Operational clarification about load balancer configuration without security impact

Diff

diff --git a/cli/latest/reference/elbv2/create-listener.md b/cli/latest/reference/elbv2/create-listener.md
index d0b22484f..30effbb6c 100644
--- a//cli/latest/reference/elbv2/create-listener.md
+++ b//cli/latest/reference/elbv2/create-listener.md
@@ -15 +15 @@
-  * [AWS CLI 2.31.32 Command Reference](../../index.html) »
+  * [AWS CLI 2.31.35 Command Reference](../../index.html) »
@@ -190 +190,3 @@ JSON Syntax:
->> Each rule must include exactly one of the following types of actions: `forward` , `fixed-response` , or `redirect` , and it must be the last action to be performed.
+>> Each rule must include exactly one of the following routing actions: `forward` , `fixed-response` , or `redirect` , and it must be the last action to be performed.
+>> 
+>> Optionally, a rule for an HTTPS listener can also include one of the following user authentication actions: `authenticate-oidc` , `authenticate-cognito` , or `jwt-validation` .
@@ -202,0 +205 @@ JSON Syntax:
+>>>   * `jwt-validation`
@@ -208 +211 @@ JSON Syntax:
->>> The Amazon Resource Name (ARN) of the target group. Specify only when `Type` is `forward` and you want to route to a single target group. To route to one or more target groups, use `ForwardConfig` instead.
+>>> The Amazon Resource Name (ARN) of the target group. Specify only when `Type` is `forward` and you want to route to a single target group. To route to multiple target groups, you must use `ForwardConfig` instead.
@@ -451 +454,3 @@ JSON Syntax:
->>> Information for creating an action that distributes requests among one or more target groups. For Network Load Balancers, you can specify a single target group. Specify only when `Type` is `forward` . If you specify both `ForwardConfig` and `TargetGroupArn` , you can specify only one target group using `ForwardConfig` and it must be the same target group specified in `TargetGroupArn` .
+>>> Information for creating an action that distributes requests among multiple target groups. Specify only when `Type` is `forward` .
+>>> 
+>>> If you specify both `ForwardConfig` and `TargetGroupArn` , you can specify only one target group using `ForwardConfig` and it must be the same target group specified in `TargetGroupArn` .
@@ -455 +460 @@ JSON Syntax:
->>>> The target groups. For Network Load Balancers, you can specify a single target group.
+>>>> The target groups.
@@ -479 +484,45 @@ JSON Syntax:
->>>>> The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days). You must specify this value when enabling target group stickiness.
+>>>>> [Application Load Balancers] The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days). You must specify this value when enabling target group stickiness.
+>> 
+>> JwtValidationConfig -> (structure)
+>>
+>>> [HTTPS listeners] Information for validating JWT access tokens in client requests. Specify only when `Type` is `jwt-validation` .
+>>> 
+>>> JwksEndpoint -> (string) [required]
+>>>
+>>>> The JSON Web Key Set (JWKS) endpoint. This endpoint contains JSON Web Keys (JWK) that are used to validate signatures from the provider.
+>>>> 
+>>>> This must be a full URL, including the HTTPS protocol, the domain, and the path. The maximum length is 256 characters.
+>>> 
+>>> Issuer -> (string) [required]
+>>>
+>>>> The issuer of the JWT. The maximum length is 256 characters.
+>>> 
+>>> AdditionalClaims -> (list)
+>>>
+>>>> Additional claims to validate. The maximum size of the list is 10. We validate the `exp` , `iss` , `nbf` , and `iat` claims by default.
+>>>> 
+>>>> (structure)
+>>>>
+>>>>> Information about an additional claim to validate.
+>>>>> 
+>>>>> Format -> (string) [required]
+>>>>>
+>>>>>> The format of the claim value.
+>>>>>> 
+>>>>>> Possible values:
+>>>>>> 
+>>>>>>   * `single-string`
+>>>>>>   * `string-array`
+>>>>>>   * `space-separated-values`
+>>>>>> 
+
+>>>>> 
+>>>>> Name -> (string) [required]
+>>>>>
+>>>>>> The name of the claim. You can’t specify `exp` , `iss` , `nbf` , or `iat` because we validate them by default.
+>>>>> 
+>>>>> Values -> (list) [required]
+>>>>>
+>>>>>> The claim value. The maximum size of the list is 10. Each value can be up to 256 characters in length. If the format is `space-separated-values` , the values can’t include spaces.
+>>>>>> 
+>>>>>> (string)
@@ -486 +535 @@ JSON Syntax:
-        "Type": "forward"|"authenticate-oidc"|"authenticate-cognito"|"redirect"|"fixed-response",
+        "Type": "forward"|"authenticate-oidc"|"authenticate-cognito"|"redirect"|"fixed-response"|"jwt-validation",
@@ -539,0 +589,12 @@ JSON Syntax:
+        },
+        "JwtValidationConfig": {
+          "JwksEndpoint": "string",
+          "Issuer": "string",
+          "AdditionalClaims": [
+            {
+              "Format": "single-string"|"string-array"|"space-separated-values",
+              "Name": "string",
+              "Values": ["string", ...]
+            }
+            ...
+          ]
@@ -970 +1031,3 @@ Listeners -> (list)
->>>> Each rule must include exactly one of the following types of actions: `forward` , `fixed-response` , or `redirect` , and it must be the last action to be performed.
+>>>> Each rule must include exactly one of the following routing actions: `forward` , `fixed-response` , or `redirect` , and it must be the last action to be performed.
+>>>> 
+>>>> Optionally, a rule for an HTTPS listener can also include one of the following user authentication actions: `authenticate-oidc` , `authenticate-cognito` , or `jwt-validation` .
@@ -982,0 +1046 @@ Listeners -> (list)
+>>>>>   * `jwt-validation`
@@ -988 +1052 @@ Listeners -> (list)
->>>>> The Amazon Resource Name (ARN) of the target group. Specify only when `Type` is `forward` and you want to route to a single target group. To route to one or more target groups, use `ForwardConfig` instead.
+>>>>> The Amazon Resource Name (ARN) of the target group. Specify only when `Type` is `forward` and you want to route to a single target group. To route to multiple target groups, you must use `ForwardConfig` instead.
@@ -1231 +1295,3 @@ Listeners -> (list)
->>>>> Information for creating an action that distributes requests among one or more target groups. For Network Load Balancers, you can specify a single target group. Specify only when `Type` is `forward` . If you specify both `ForwardConfig` and `TargetGroupArn` , you can specify only one target group using `ForwardConfig` and it must be the same target group specified in `TargetGroupArn` .
+>>>>> Information for creating an action that distributes requests among multiple target groups. Specify only when `Type` is `forward` .
+>>>>> 
+>>>>> If you specify both `ForwardConfig` and `TargetGroupArn` , you can specify only one target group using `ForwardConfig` and it must be the same target group specified in `TargetGroupArn` .
@@ -1235 +1301 @@ Listeners -> (list)
->>>>>> The target groups. For Network Load Balancers, you can specify a single target group.
+>>>>>> The target groups.
@@ -1259 +1325,45 @@ Listeners -> (list)
->>>>>>> The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days). You must specify this value when enabling target group stickiness.
+>>>>>>> [Application Load Balancers] The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days). You must specify this value when enabling target group stickiness.
+>>>> 
+>>>> JwtValidationConfig -> (structure)
+>>>>
+>>>>> [HTTPS listeners] Information for validating JWT access tokens in client requests. Specify only when `Type` is `jwt-validation` .
+>>>>> 
+>>>>> JwksEndpoint -> (string) [required]
+>>>>>
+>>>>>> The JSON Web Key Set (JWKS) endpoint. This endpoint contains JSON Web Keys (JWK) that are used to validate signatures from the provider.
+>>>>>> 
+>>>>>> This must be a full URL, including the HTTPS protocol, the domain, and the path. The maximum length is 256 characters.
+>>>>> 
+>>>>> Issuer -> (string) [required]
+>>>>>
+>>>>>> The issuer of the JWT. The maximum length is 256 characters.
+>>>>> 
+>>>>> AdditionalClaims -> (list)
+>>>>>
+>>>>>> Additional claims to validate. The maximum size of the list is 10. We validate the `exp` , `iss` , `nbf` , and `iat` claims by default.
+>>>>>> 
+>>>>>> (structure)
+>>>>>>
+>>>>>>> Information about an additional claim to validate.
+>>>>>>> 
+>>>>>>> Format -> (string) [required]
+>>>>>>>
+>>>>>>>> The format of the claim value.
+>>>>>>>> 
+>>>>>>>> Possible values:
+>>>>>>>> 
+>>>>>>>>   * `single-string`
+>>>>>>>>   * `string-array`
+>>>>>>>>   * `space-separated-values`
+>>>>>>>> 
+
+>>>>>>> 
+>>>>>>> Name -> (string) [required]
+>>>>>>>
+>>>>>>>> The name of the claim. You can’t specify `exp` , `iss` , `nbf` , or `iat` because we validate them by default.
+>>>>>>> 
+>>>>>>> Values -> (list) [required]
+>>>>>>>
+>>>>>>>> The claim value. The maximum size of the list is 10. Each value can be up to 256 characters in length. If the format is `space-separated-values` , the values can’t include spaces.
+>>>>>>>> 
+>>>>>>>> (string)
@@ -1315 +1425 @@ Listeners -> (list)
-  * [AWS CLI 2.31.32 Command Reference](../../index.html) »
+  * [AWS CLI 2.31.35 Command Reference](../../index.html) »