AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2025-11-13 · Documentation medium

File: cli/latest/reference/elbv2/set-rule-priorities.md

Summary

Added JWT validation configuration details and clarified routing/target group rules for ALB/HTTPS listeners

Security assessment

Added documentation for JWT validation configuration (authenticate-oidc, authenticate-cognito, jwt-validation) which are security-related authentication features for HTTPS listeners. However, there's no indication this addresses a specific vulnerability.

Diff

diff --git a/cli/latest/reference/elbv2/set-rule-priorities.md b/cli/latest/reference/elbv2/set-rule-priorities.md
index 07ac7dc9b..d2b782adc 100644
--- a//cli/latest/reference/elbv2/set-rule-priorities.md
+++ b//cli/latest/reference/elbv2/set-rule-priorities.md
@@ -15 +15 @@
-  * [AWS CLI 2.31.32 Command Reference](../../index.html) »
+  * [AWS CLI 2.31.35 Command Reference](../../index.html) »
@@ -477 +477,3 @@ Rules -> (list)
->>>> Each rule must include exactly one of the following types of actions: `forward` , `fixed-response` , or `redirect` , and it must be the last action to be performed.
+>>>> Each rule must include exactly one of the following routing actions: `forward` , `fixed-response` , or `redirect` , and it must be the last action to be performed.
+>>>> 
+>>>> Optionally, a rule for an HTTPS listener can also include one of the following user authentication actions: `authenticate-oidc` , `authenticate-cognito` , or `jwt-validation` .
@@ -489,0 +492 @@ Rules -> (list)
+>>>>>   * `jwt-validation`
@@ -495 +498 @@ Rules -> (list)
->>>>> The Amazon Resource Name (ARN) of the target group. Specify only when `Type` is `forward` and you want to route to a single target group. To route to one or more target groups, use `ForwardConfig` instead.
+>>>>> The Amazon Resource Name (ARN) of the target group. Specify only when `Type` is `forward` and you want to route to a single target group. To route to multiple target groups, you must use `ForwardConfig` instead.
@@ -738 +741,3 @@ Rules -> (list)
->>>>> Information for creating an action that distributes requests among one or more target groups. For Network Load Balancers, you can specify a single target group. Specify only when `Type` is `forward` . If you specify both `ForwardConfig` and `TargetGroupArn` , you can specify only one target group using `ForwardConfig` and it must be the same target group specified in `TargetGroupArn` .
+>>>>> Information for creating an action that distributes requests among multiple target groups. Specify only when `Type` is `forward` .
+>>>>> 
+>>>>> If you specify both `ForwardConfig` and `TargetGroupArn` , you can specify only one target group using `ForwardConfig` and it must be the same target group specified in `TargetGroupArn` .
@@ -742 +747 @@ Rules -> (list)
->>>>>> The target groups. For Network Load Balancers, you can specify a single target group.
+>>>>>> The target groups.
@@ -766 +771,45 @@ Rules -> (list)
->>>>>>> The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days). You must specify this value when enabling target group stickiness.
+>>>>>>> [Application Load Balancers] The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days). You must specify this value when enabling target group stickiness.
+>>>> 
+>>>> JwtValidationConfig -> (structure)
+>>>>
+>>>>> [HTTPS listeners] Information for validating JWT access tokens in client requests. Specify only when `Type` is `jwt-validation` .
+>>>>> 
+>>>>> JwksEndpoint -> (string) [required]
+>>>>>
+>>>>>> The JSON Web Key Set (JWKS) endpoint. This endpoint contains JSON Web Keys (JWK) that are used to validate signatures from the provider.
+>>>>>> 
+>>>>>> This must be a full URL, including the HTTPS protocol, the domain, and the path. The maximum length is 256 characters.
+>>>>> 
+>>>>> Issuer -> (string) [required]
+>>>>>
+>>>>>> The issuer of the JWT. The maximum length is 256 characters.
+>>>>> 
+>>>>> AdditionalClaims -> (list)
+>>>>>
+>>>>>> Additional claims to validate. The maximum size of the list is 10. We validate the `exp` , `iss` , `nbf` , and `iat` claims by default.
+>>>>>> 
+>>>>>> (structure)
+>>>>>>
+>>>>>>> Information about an additional claim to validate.
+>>>>>>> 
+>>>>>>> Format -> (string) [required]
+>>>>>>>
+>>>>>>>> The format of the claim value.
+>>>>>>>> 
+>>>>>>>> Possible values:
+>>>>>>>> 
+>>>>>>>>   * `single-string`
+>>>>>>>>   * `string-array`
+>>>>>>>>   * `space-separated-values`
+>>>>>>>> 
+
+>>>>>>> 
+>>>>>>> Name -> (string) [required]
+>>>>>>>
+>>>>>>>> The name of the claim. You can’t specify `exp` , `iss` , `nbf` , or `iat` because we validate them by default.
+>>>>>>> 
+>>>>>>> Values -> (list) [required]
+>>>>>>>
+>>>>>>>> The claim value. The maximum size of the list is 10. Each value can be up to 256 characters in length. If the format is `space-separated-values` , the values can’t include spaces.
+>>>>>>>> 
+>>>>>>>> (string)
@@ -846 +895 @@ Rules -> (list)
-  * [AWS CLI 2.31.32 Command Reference](../../index.html) »
+  * [AWS CLI 2.31.35 Command Reference](../../index.html) »