AWS cli documentation change
Summary
Added documentation for C2PA manifest generation, CertificateSecret parameter, and SigningKmsKey parameter in MediaConvert presets
Security assessment
The changes document new security-related features for content authenticity (C2PA manifests) and cryptographic controls (Secrets Manager integration for certificates and KMS for signing). While these are security features, there is no indication they address existing vulnerabilities.
Diff
diff --git a/cli/latest/reference/mediaconvert/get-preset.md b/cli/latest/reference/mediaconvert/get-preset.md index 1cb02bed6..e3369d6cc 100644 --- a//cli/latest/reference/mediaconvert/get-preset.md +++ b//cli/latest/reference/mediaconvert/get-preset.md @@ -15 +15 @@ - * [AWS CLI 2.31.35 Command Reference](../../index.html) » + * [AWS CLI 2.31.37 Command Reference](../../index.html) » @@ -2971,0 +2972,23 @@ Preset -> (structure) +>>>> +>>>> C2paManifest -> (string) +>>>> +>>>>> When enabled, a C2PA compliant manifest will be generated, signed and embeded in the output. For more information on C2PA, see <https://c2pa.org/specifications/specifications/2.1/index.html> +>>>>> +>>>>> Possible values: +>>>>> +>>>>> * `INCLUDE` +>>>>> * `EXCLUDE` +>>>>> + +>>>> +>>>> CertificateSecret -> (string) +>>>> +>>>>> Specify the name or ARN of the AWS Secrets Manager secret that contains your C2PA public certificate chain in PEM format. Provide a valid secret name or ARN. Note that your MediaConvert service role must allow access to this secret. The public certificate chain is added to the COSE header (x5chain) for signature validation. Include the signer’s certificate and all intermediate certificates. Do not include the root certificate. For details on COSE, see: <https://opensource.contentauthenticity.org/docs/manifest/signing-manifests> +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * max: `2048` +>>>>> * pattern: `^(arn:[a-z-]+:secretsmanager:[\w-]+:\d{12}:secret:)?[a-zA-Z0-9_\/_+=.@-]*$` +>>>>> + @@ -3037,0 +3061,11 @@ Preset -> (structure) +>>>> +>>>> SigningKmsKey -> (string) +>>>> +>>>>> Specify the ID or ARN of the AWS KMS key used to sign the C2PA manifest in your MP4 output. Provide a valid KMS key ARN. Note that your MediaConvert service role must allow access to this key. +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * pattern: `^(arn:aws(-us-gov|-cn)?:kms:[a-z-]{2,6}-(east|west|central|((north|south)(east|west)?))-[1-9]{1,2}:\d{12}:key/)?[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}|mrk-[a-fA-F0-9]{32}$` +>>>>> + @@ -4086,0 +4121,11 @@ Preset -> (structure) +>>>> +>>>> C2paManifest -> (string) +>>>> +>>>>> When enabled, a C2PA compliant manifest will be generated, signed and embeded in the output. For more information on C2PA, see <https://c2pa.org/specifications/specifications/2.1/index.html> +>>>>> +>>>>> Possible values: +>>>>> +>>>>> * `INCLUDE` +>>>>> * `EXCLUDE` +>>>>> + @@ -4097,0 +4143,12 @@ Preset -> (structure) +>>>> +>>>> CertificateSecret -> (string) +>>>> +>>>>> Specify the name or ARN of the AWS Secrets Manager secret that contains your C2PA public certificate chain in PEM format. Provide a valid secret name or ARN. Note that your MediaConvert service role must allow access to this secret. The public certificate chain is added to the COSE header (x5chain) for signature validation. Include the signer’s certificate and all intermediate certificates. Do not include the root certificate. For details on COSE, see: <https://opensource.contentauthenticity.org/docs/manifest/signing-manifests> +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * max: `2048` +>>>>> * pattern: `^(arn:[a-z-]+:secretsmanager:[\w-]+:\d{12}:secret:)?[a-zA-Z0-9_\/_+=.@-]*$` +>>>>> + @@ -4141,0 +4199,11 @@ Preset -> (structure) +>>>> +>>>> SigningKmsKey -> (string) +>>>> +>>>>> Specify the ID or ARN of the AWS KMS key used to sign the C2PA manifest in your MP4 output. Provide a valid KMS key ARN. Note that your MediaConvert service role must allow access to this key. +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * pattern: `^(arn:aws(-us-gov|-cn)?:kms:[a-z-]{2,6}-(east|west|central|((north|south)(east|west)?))-[1-9]{1,2}:\d{12}:key/)?[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}|mrk-[a-fA-F0-9]{32}$` +>>>>> + @@ -6297,0 +6366,11 @@ Preset -> (structure) +>>>>> +>>>>> FrameControl -> (string) +>>>>> +>>>>>> Choose how MediaConvert handles start and end times for input clipping with video passthrough. Your input video codec must be H.264 or H.265 to use IFRAME. To clip at the nearest IDR-frame: Choose Nearest IDR. If an IDR-frame is not found at the frame that you specify, MediaConvert uses the next compatible IDR-frame. Note that your output may be shorter than your input clip duration. To clip at the nearest I-frame: Choose Nearest I-frame. If an I-frame is not found at the frame that you specify, MediaConvert uses the next compatible I-frame. Note that your output may be shorter than your input clip duration. We only recommend this setting for special workflows, and when you choose this setting your output may not be compatible with most players. +>>>>>> +>>>>>> Possible values: +>>>>>> +>>>>>> * `NEAREST_IDRFRAME` +>>>>>> * `NEAREST_IFRAME` +>>>>>> + @@ -8427 +8506 @@ Preset -> (structure) - * [AWS CLI 2.31.35 Command Reference](../../index.html) » + * [AWS CLI 2.31.37 Command Reference](../../index.html) »