AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2025-11-13 · Documentation low

File: cli/latest/reference/elbv2/create-rule.md

Summary

Clarified target group routing rules and stickiness duration scope

Security assessment

Changes relate to general load balancing configuration (multiple target groups, Application Load Balancer specificity) without security implications

Diff

diff --git a/cli/latest/reference/elbv2/create-rule.md b/cli/latest/reference/elbv2/create-rule.md
index 438bf3dcc..8dbe5e5ca 100644
--- a//cli/latest/reference/elbv2/create-rule.md
+++ b//cli/latest/reference/elbv2/create-rule.md
@@ -15 +15 @@
-  * [AWS CLI 2.31.32 Command Reference](../../index.html) »
+  * [AWS CLI 2.31.35 Command Reference](../../index.html) »
@@ -336 +336,3 @@ JSON Syntax:
->> Each rule must include exactly one of the following types of actions: `forward` , `fixed-response` , or `redirect` , and it must be the last action to be performed.
+>> Each rule must include exactly one of the following routing actions: `forward` , `fixed-response` , or `redirect` , and it must be the last action to be performed.
+>> 
+>> Optionally, a rule for an HTTPS listener can also include one of the following user authentication actions: `authenticate-oidc` , `authenticate-cognito` , or `jwt-validation` .
@@ -348,0 +351 @@ JSON Syntax:
+>>>   * `jwt-validation`
@@ -354 +357 @@ JSON Syntax:
->>> The Amazon Resource Name (ARN) of the target group. Specify only when `Type` is `forward` and you want to route to a single target group. To route to one or more target groups, use `ForwardConfig` instead.
+>>> The Amazon Resource Name (ARN) of the target group. Specify only when `Type` is `forward` and you want to route to a single target group. To route to multiple target groups, you must use `ForwardConfig` instead.
@@ -597 +600,3 @@ JSON Syntax:
->>> Information for creating an action that distributes requests among one or more target groups. For Network Load Balancers, you can specify a single target group. Specify only when `Type` is `forward` . If you specify both `ForwardConfig` and `TargetGroupArn` , you can specify only one target group using `ForwardConfig` and it must be the same target group specified in `TargetGroupArn` .
+>>> Information for creating an action that distributes requests among multiple target groups. Specify only when `Type` is `forward` .
+>>> 
+>>> If you specify both `ForwardConfig` and `TargetGroupArn` , you can specify only one target group using `ForwardConfig` and it must be the same target group specified in `TargetGroupArn` .
@@ -601 +606 @@ JSON Syntax:
->>>> The target groups. For Network Load Balancers, you can specify a single target group.
+>>>> The target groups.
@@ -625 +630,45 @@ JSON Syntax:
->>>>> The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days). You must specify this value when enabling target group stickiness.
+>>>>> [Application Load Balancers] The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days). You must specify this value when enabling target group stickiness.
+>> 
+>> JwtValidationConfig -> (structure)
+>>
+>>> [HTTPS listeners] Information for validating JWT access tokens in client requests. Specify only when `Type` is `jwt-validation` .
+>>> 
+>>> JwksEndpoint -> (string) [required]
+>>>
+>>>> The JSON Web Key Set (JWKS) endpoint. This endpoint contains JSON Web Keys (JWK) that are used to validate signatures from the provider.
+>>>> 
+>>>> This must be a full URL, including the HTTPS protocol, the domain, and the path. The maximum length is 256 characters.
+>>> 
+>>> Issuer -> (string) [required]
+>>>
+>>>> The issuer of the JWT. The maximum length is 256 characters.
+>>> 
+>>> AdditionalClaims -> (list)
+>>>
+>>>> Additional claims to validate. The maximum size of the list is 10. We validate the `exp` , `iss` , `nbf` , and `iat` claims by default.
+>>>> 
+>>>> (structure)
+>>>>
+>>>>> Information about an additional claim to validate.
+>>>>> 
+>>>>> Format -> (string) [required]
+>>>>>
+>>>>>> The format of the claim value.
+>>>>>> 
+>>>>>> Possible values:
+>>>>>> 
+>>>>>>   * `single-string`
+>>>>>>   * `string-array`
+>>>>>>   * `space-separated-values`
+>>>>>> 
+
+>>>>> 
+>>>>> Name -> (string) [required]
+>>>>>
+>>>>>> The name of the claim. You can’t specify `exp` , `iss` , `nbf` , or `iat` because we validate them by default.
+>>>>> 
+>>>>> Values -> (list) [required]
+>>>>>
+>>>>>> The claim value. The maximum size of the list is 10. Each value can be up to 256 characters in length. If the format is `space-separated-values` , the values can’t include spaces.
+>>>>>> 
+>>>>>> (string)
@@ -632 +681 @@ JSON Syntax:
-        "Type": "forward"|"authenticate-oidc"|"authenticate-cognito"|"redirect"|"fixed-response",
+        "Type": "forward"|"authenticate-oidc"|"authenticate-cognito"|"redirect"|"fixed-response"|"jwt-validation",
@@ -685,0 +735,12 @@ JSON Syntax:
+        },
+        "JwtValidationConfig": {
+          "JwksEndpoint": "string",
+          "Issuer": "string",
+          "AdditionalClaims": [
+            {
+              "Format": "single-string"|"string-array"|"space-separated-values",
+              "Name": "string",
+              "Values": ["string", ...]
+            }
+            ...
+          ]
@@ -1266 +1327,3 @@ Rules -> (list)
->>>> Each rule must include exactly one of the following types of actions: `forward` , `fixed-response` , or `redirect` , and it must be the last action to be performed.
+>>>> Each rule must include exactly one of the following routing actions: `forward` , `fixed-response` , or `redirect` , and it must be the last action to be performed.
+>>>> 
+>>>> Optionally, a rule for an HTTPS listener can also include one of the following user authentication actions: `authenticate-oidc` , `authenticate-cognito` , or `jwt-validation` .
@@ -1278,0 +1342 @@ Rules -> (list)
+>>>>>   * `jwt-validation`
@@ -1284 +1348 @@ Rules -> (list)
->>>>> The Amazon Resource Name (ARN) of the target group. Specify only when `Type` is `forward` and you want to route to a single target group. To route to one or more target groups, use `ForwardConfig` instead.
+>>>>> The Amazon Resource Name (ARN) of the target group. Specify only when `Type` is `forward` and you want to route to a single target group. To route to multiple target groups, you must use `ForwardConfig` instead.
@@ -1527 +1591,3 @@ Rules -> (list)
->>>>> Information for creating an action that distributes requests among one or more target groups. For Network Load Balancers, you can specify a single target group. Specify only when `Type` is `forward` . If you specify both `ForwardConfig` and `TargetGroupArn` , you can specify only one target group using `ForwardConfig` and it must be the same target group specified in `TargetGroupArn` .
+>>>>> Information for creating an action that distributes requests among multiple target groups. Specify only when `Type` is `forward` .
+>>>>> 
+>>>>> If you specify both `ForwardConfig` and `TargetGroupArn` , you can specify only one target group using `ForwardConfig` and it must be the same target group specified in `TargetGroupArn` .
@@ -1531 +1597 @@ Rules -> (list)
->>>>>> The target groups. For Network Load Balancers, you can specify a single target group.
+>>>>>> The target groups.
@@ -1555 +1621,45 @@ Rules -> (list)
->>>>>>> The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days). You must specify this value when enabling target group stickiness.
+>>>>>>> [Application Load Balancers] The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days). You must specify this value when enabling target group stickiness.
+>>>> 
+>>>> JwtValidationConfig -> (structure)
+>>>>
+>>>>> [HTTPS listeners] Information for validating JWT access tokens in client requests. Specify only when `Type` is `jwt-validation` .
+>>>>> 
+>>>>> JwksEndpoint -> (string) [required]
+>>>>>
+>>>>>> The JSON Web Key Set (JWKS) endpoint. This endpoint contains JSON Web Keys (JWK) that are used to validate signatures from the provider.
+>>>>>> 
+>>>>>> This must be a full URL, including the HTTPS protocol, the domain, and the path. The maximum length is 256 characters.
+>>>>> 
+>>>>> Issuer -> (string) [required]
+>>>>>
+>>>>>> The issuer of the JWT. The maximum length is 256 characters.
+>>>>> 
+>>>>> AdditionalClaims -> (list)
+>>>>>
+>>>>>> Additional claims to validate. The maximum size of the list is 10. We validate the `exp` , `iss` , `nbf` , and `iat` claims by default.
+>>>>>> 
+>>>>>> (structure)
+>>>>>>
+>>>>>>> Information about an additional claim to validate.
+>>>>>>> 
+>>>>>>> Format -> (string) [required]
+>>>>>>>
+>>>>>>>> The format of the claim value.
+>>>>>>>> 
+>>>>>>>> Possible values:
+>>>>>>>> 
+>>>>>>>>   * `single-string`
+>>>>>>>>   * `string-array`
+>>>>>>>>   * `space-separated-values`
+>>>>>>>> 
+
+>>>>>>> 
+>>>>>>> Name -> (string) [required]
+>>>>>>>
+>>>>>>>> The name of the claim. You can’t specify `exp` , `iss` , `nbf` , or `iat` because we validate them by default.
+>>>>>>> 
+>>>>>>> Values -> (list) [required]
+>>>>>>>
+>>>>>>>> The claim value. The maximum size of the list is 10. Each value can be up to 256 characters in length. If the format is `space-separated-values` , the values can’t include spaces.
+>>>>>>>> 
+>>>>>>>> (string)
@@ -1635 +1745 @@ Rules -> (list)
-  * [AWS CLI 2.31.32 Command Reference](../../index.html) »
+  * [AWS CLI 2.31.35 Command Reference](../../index.html) »