AWS cli documentation change
Summary
Added documentation for C2PA manifest generation, certificate secrets management, and KMS key usage for signing in MediaConvert job templates
Security assessment
The changes introduce documentation for C2PA content authenticity manifests, Secrets Manager integration for certificate storage, and KMS key usage for digital signatures. While these are security-related features (authentication, cryptographic signing, secret management), there is no evidence this addresses an existing security vulnerability. The changes appear to document new security capabilities rather than patch a vulnerability.
Diff
diff --git a/cli/latest/reference/mediaconvert/list-job-templates.md b/cli/latest/reference/mediaconvert/list-job-templates.md index a1c81bf48..5b071f3bc 100644 --- a//cli/latest/reference/mediaconvert/list-job-templates.md +++ b//cli/latest/reference/mediaconvert/list-job-templates.md @@ -15 +15 @@ - * [AWS CLI 2.31.35 Command Reference](../../index.html) » + * [AWS CLI 2.31.37 Command Reference](../../index.html) » @@ -8863,0 +8864,23 @@ JobTemplates -> (list) +>>>>>>>>> +>>>>>>>>> C2paManifest -> (string) +>>>>>>>>> +>>>>>>>>>> When enabled, a C2PA compliant manifest will be generated, signed and embeded in the output. For more information on C2PA, see <https://c2pa.org/specifications/specifications/2.1/index.html> +>>>>>>>>>> +>>>>>>>>>> Possible values: +>>>>>>>>>> +>>>>>>>>>> * `INCLUDE` +>>>>>>>>>> * `EXCLUDE` +>>>>>>>>>> + +>>>>>>>>> +>>>>>>>>> CertificateSecret -> (string) +>>>>>>>>> +>>>>>>>>>> Specify the name or ARN of the AWS Secrets Manager secret that contains your C2PA public certificate chain in PEM format. Provide a valid secret name or ARN. Note that your MediaConvert service role must allow access to this secret. The public certificate chain is added to the COSE header (x5chain) for signature validation. Include the signer’s certificate and all intermediate certificates. Do not include the root certificate. For details on COSE, see: <https://opensource.contentauthenticity.org/docs/manifest/signing-manifests> +>>>>>>>>>> +>>>>>>>>>> Constraints: +>>>>>>>>>> +>>>>>>>>>> * min: `1` +>>>>>>>>>> * max: `2048` +>>>>>>>>>> * pattern: `^(arn:[a-z-]+:secretsmanager:[\w-]+:\d{12}:secret:)?[a-zA-Z0-9_\/_+=.@-]*$` +>>>>>>>>>> + @@ -8929,0 +8953,11 @@ JobTemplates -> (list) +>>>>>>>>> +>>>>>>>>> SigningKmsKey -> (string) +>>>>>>>>> +>>>>>>>>>> Specify the ID or ARN of the AWS KMS key used to sign the C2PA manifest in your MP4 output. Provide a valid KMS key ARN. Note that your MediaConvert service role must allow access to this key. +>>>>>>>>>> +>>>>>>>>>> Constraints: +>>>>>>>>>> +>>>>>>>>>> * min: `1` +>>>>>>>>>> * pattern: `^(arn:aws(-us-gov|-cn)?:kms:[a-z-]{2,6}-(east|west|central|((north|south)(east|west)?))-[1-9]{1,2}:\d{12}:key/)?[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}|mrk-[a-fA-F0-9]{32}$` +>>>>>>>>>> + @@ -9978,0 +10013,11 @@ JobTemplates -> (list) +>>>>>>>>> +>>>>>>>>> C2paManifest -> (string) +>>>>>>>>> +>>>>>>>>>> When enabled, a C2PA compliant manifest will be generated, signed and embeded in the output. For more information on C2PA, see <https://c2pa.org/specifications/specifications/2.1/index.html> +>>>>>>>>>> +>>>>>>>>>> Possible values: +>>>>>>>>>> +>>>>>>>>>> * `INCLUDE` +>>>>>>>>>> * `EXCLUDE` +>>>>>>>>>> + @@ -9989,0 +10035,12 @@ JobTemplates -> (list) +>>>>>>>>> +>>>>>>>>> CertificateSecret -> (string) +>>>>>>>>> +>>>>>>>>>> Specify the name or ARN of the AWS Secrets Manager secret that contains your C2PA public certificate chain in PEM format. Provide a valid secret name or ARN. Note that your MediaConvert service role must allow access to this secret. The public certificate chain is added to the COSE header (x5chain) for signature validation. Include the signer’s certificate and all intermediate certificates. Do not include the root certificate. For details on COSE, see: <https://opensource.contentauthenticity.org/docs/manifest/signing-manifests> +>>>>>>>>>> +>>>>>>>>>> Constraints: +>>>>>>>>>> +>>>>>>>>>> * min: `1` +>>>>>>>>>> * max: `2048` +>>>>>>>>>> * pattern: `^(arn:[a-z-]+:secretsmanager:[\w-]+:\d{12}:secret:)?[a-zA-Z0-9_\/_+=.@-]*$` +>>>>>>>>>> + @@ -10033,0 +10091,11 @@ JobTemplates -> (list) +>>>>>>>>> +>>>>>>>>> SigningKmsKey -> (string) +>>>>>>>>> +>>>>>>>>>> Specify the ID or ARN of the AWS KMS key used to sign the C2PA manifest in your MP4 output. Provide a valid KMS key ARN. Note that your MediaConvert service role must allow access to this key. +>>>>>>>>>> +>>>>>>>>>> Constraints: +>>>>>>>>>> +>>>>>>>>>> * min: `1` +>>>>>>>>>> * pattern: `^(arn:aws(-us-gov|-cn)?:kms:[a-z-]{2,6}-(east|west|central|((north|south)(east|west)?))-[1-9]{1,2}:\d{12}:key/)?[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}|mrk-[a-fA-F0-9]{32}$` +>>>>>>>>>> + @@ -12287,0 +12356,11 @@ JobTemplates -> (list) +>>>>>>>>>> +>>>>>>>>>> FrameControl -> (string) +>>>>>>>>>> +>>>>>>>>>>> Choose how MediaConvert handles start and end times for input clipping with video passthrough. Your input video codec must be H.264 or H.265 to use IFRAME. To clip at the nearest IDR-frame: Choose Nearest IDR. If an IDR-frame is not found at the frame that you specify, MediaConvert uses the next compatible IDR-frame. Note that your output may be shorter than your input clip duration. To clip at the nearest I-frame: Choose Nearest I-frame. If an I-frame is not found at the frame that you specify, MediaConvert uses the next compatible I-frame. Note that your output may be shorter than your input clip duration. We only recommend this setting for special workflows, and when you choose this setting your output may not be compatible with most players. +>>>>>>>>>>> +>>>>>>>>>>> Possible values: +>>>>>>>>>>> +>>>>>>>>>>> * `NEAREST_IDRFRAME` +>>>>>>>>>>> * `NEAREST_IFRAME` +>>>>>>>>>>> + @@ -14523 +14602 @@ NextToken -> (string) - * [AWS CLI 2.31.35 Command Reference](../../index.html) » + * [AWS CLI 2.31.37 Command Reference](../../index.html) »