AWS cli documentation change
Summary
Added documentation for new C2PA manifest features including CertificateSecret, SigningKmsKey, and C2paManifest parameters to enable content authenticity signatures. Added FrameControl parameter for video clipping handling.
Security assessment
The changes introduce documentation for digital content authenticity features (C2PA manifests) using AWS Secrets Manager for certificate storage and KMS for signing. While these are security-related features enhancing content integrity, there is no evidence they address a specific existing vulnerability or security incident.
Diff
diff --git a/cli/latest/reference/mediaconvert/update-job-template.md b/cli/latest/reference/mediaconvert/update-job-template.md index 3028da551..d21af0d63 100644 --- a//cli/latest/reference/mediaconvert/update-job-template.md +++ b//cli/latest/reference/mediaconvert/update-job-template.md @@ -15 +15 @@ - * [AWS CLI 2.31.35 Command Reference](../../index.html) » + * [AWS CLI 2.31.37 Command Reference](../../index.html) » @@ -8588,0 +8589,23 @@ JSON Syntax: +>>>>>>> +>>>>>>> C2paManifest -> (string) +>>>>>>> +>>>>>>>> When enabled, a C2PA compliant manifest will be generated, signed and embeded in the output. For more information on C2PA, see <https://c2pa.org/specifications/specifications/2.1/index.html> +>>>>>>>> +>>>>>>>> Possible values: +>>>>>>>> +>>>>>>>> * `INCLUDE` +>>>>>>>> * `EXCLUDE` +>>>>>>>> + +>>>>>>> +>>>>>>> CertificateSecret -> (string) +>>>>>>> +>>>>>>>> Specify the name or ARN of the AWS Secrets Manager secret that contains your C2PA public certificate chain in PEM format. Provide a valid secret name or ARN. Note that your MediaConvert service role must allow access to this secret. The public certificate chain is added to the COSE header (x5chain) for signature validation. Include the signer’s certificate and all intermediate certificates. Do not include the root certificate. For details on COSE, see: <https://opensource.contentauthenticity.org/docs/manifest/signing-manifests> +>>>>>>>> +>>>>>>>> Constraints: +>>>>>>>> +>>>>>>>> * min: `1` +>>>>>>>> * max: `2048` +>>>>>>>> * pattern: `^(arn:[a-z-]+:secretsmanager:[\w-]+:\d{12}:secret:)?[a-zA-Z0-9_\/_+=.@-]*$` +>>>>>>>> + @@ -8654,0 +8678,11 @@ JSON Syntax: +>>>>>>> +>>>>>>> SigningKmsKey -> (string) +>>>>>>> +>>>>>>>> Specify the ID or ARN of the AWS KMS key used to sign the C2PA manifest in your MP4 output. Provide a valid KMS key ARN. Note that your MediaConvert service role must allow access to this key. +>>>>>>>> +>>>>>>>> Constraints: +>>>>>>>> +>>>>>>>> * min: `1` +>>>>>>>> * pattern: `^(arn:aws(-us-gov|-cn)?:kms:[a-z-]{2,6}-(east|west|central|((north|south)(east|west)?))-[1-9]{1,2}:\d{12}:key/)?[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}|mrk-[a-fA-F0-9]{32}$` +>>>>>>>> + @@ -9703,0 +9738,11 @@ JSON Syntax: +>>>>>>> +>>>>>>> C2paManifest -> (string) +>>>>>>> +>>>>>>>> When enabled, a C2PA compliant manifest will be generated, signed and embeded in the output. For more information on C2PA, see <https://c2pa.org/specifications/specifications/2.1/index.html> +>>>>>>>> +>>>>>>>> Possible values: +>>>>>>>> +>>>>>>>> * `INCLUDE` +>>>>>>>> * `EXCLUDE` +>>>>>>>> + @@ -9714,0 +9760,12 @@ JSON Syntax: +>>>>>>> +>>>>>>> CertificateSecret -> (string) +>>>>>>> +>>>>>>>> Specify the name or ARN of the AWS Secrets Manager secret that contains your C2PA public certificate chain in PEM format. Provide a valid secret name or ARN. Note that your MediaConvert service role must allow access to this secret. The public certificate chain is added to the COSE header (x5chain) for signature validation. Include the signer’s certificate and all intermediate certificates. Do not include the root certificate. For details on COSE, see: <https://opensource.contentauthenticity.org/docs/manifest/signing-manifests> +>>>>>>>> +>>>>>>>> Constraints: +>>>>>>>> +>>>>>>>> * min: `1` +>>>>>>>> * max: `2048` +>>>>>>>> * pattern: `^(arn:[a-z-]+:secretsmanager:[\w-]+:\d{12}:secret:)?[a-zA-Z0-9_\/_+=.@-]*$` +>>>>>>>> + @@ -9758,0 +9816,11 @@ JSON Syntax: +>>>>>>> +>>>>>>> SigningKmsKey -> (string) +>>>>>>> +>>>>>>>> Specify the ID or ARN of the AWS KMS key used to sign the C2PA manifest in your MP4 output. Provide a valid KMS key ARN. Note that your MediaConvert service role must allow access to this key. +>>>>>>>> +>>>>>>>> Constraints: +>>>>>>>> +>>>>>>>> * min: `1` +>>>>>>>> * pattern: `^(arn:aws(-us-gov|-cn)?:kms:[a-z-]{2,6}-(east|west|central|((north|south)(east|west)?))-[1-9]{1,2}:\d{12}:key/)?[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}|mrk-[a-fA-F0-9]{32}$` +>>>>>>>> + @@ -12012,0 +12081,11 @@ JSON Syntax: +>>>>>>>> +>>>>>>>> FrameControl -> (string) +>>>>>>>> +>>>>>>>>> Choose how MediaConvert handles start and end times for input clipping with video passthrough. Your input video codec must be H.264 or H.265 to use IFRAME. To clip at the nearest IDR-frame: Choose Nearest IDR. If an IDR-frame is not found at the frame that you specify, MediaConvert uses the next compatible IDR-frame. Note that your output may be shorter than your input clip duration. To clip at the nearest I-frame: Choose Nearest I-frame. If an I-frame is not found at the frame that you specify, MediaConvert uses the next compatible I-frame. Note that your output may be shorter than your input clip duration. We only recommend this setting for special workflows, and when you choose this setting your output may not be compatible with most players. +>>>>>>>>> +>>>>>>>>> Possible values: +>>>>>>>>> +>>>>>>>>> * `NEAREST_IDRFRAME` +>>>>>>>>> * `NEAREST_IFRAME` +>>>>>>>>> + @@ -15091,0 +15171,2 @@ JSON Syntax: + "C2paManifest": "INCLUDE"|"EXCLUDE", + "CertificateSecret": "string", @@ -15097,0 +15179 @@ JSON Syntax: + "SigningKmsKey": "string", @@ -15209,0 +15292 @@ JSON Syntax: + "C2paManifest": "INCLUDE"|"EXCLUDE", @@ -15210,0 +15294 @@ JSON Syntax: + "CertificateSecret": "string", @@ -15214,0 +15299 @@ JSON Syntax: + "SigningKmsKey": "string", @@ -15441,0 +15527 @@ JSON Syntax: + "FrameControl": "NEAREST_IDRFRAME"|"NEAREST_IFRAME", @@ -24440,0 +24527,23 @@ JobTemplate -> (structure) +>>>>>>>> +>>>>>>>> C2paManifest -> (string) +>>>>>>>> +>>>>>>>>> When enabled, a C2PA compliant manifest will be generated, signed and embeded in the output. For more information on C2PA, see <https://c2pa.org/specifications/specifications/2.1/index.html> +>>>>>>>>> +>>>>>>>>> Possible values: +>>>>>>>>> +>>>>>>>>> * `INCLUDE` +>>>>>>>>> * `EXCLUDE` +>>>>>>>>> + +>>>>>>>> +>>>>>>>> CertificateSecret -> (string) +>>>>>>>> +>>>>>>>>> Specify the name or ARN of the AWS Secrets Manager secret that contains your C2PA public certificate chain in PEM format. Provide a valid secret name or ARN. Note that your MediaConvert service role must allow access to this secret. The public certificate chain is added to the COSE header (x5chain) for signature validation. Include the signer’s certificate and all intermediate certificates. Do not include the root certificate. For details on COSE, see: <https://opensource.contentauthenticity.org/docs/manifest/signing-manifests> +>>>>>>>>> +>>>>>>>>> Constraints: +>>>>>>>>> +>>>>>>>>> * min: `1` +>>>>>>>>> * max: `2048` +>>>>>>>>> * pattern: `^(arn:[a-z-]+:secretsmanager:[\w-]+:\d{12}:secret:)?[a-zA-Z0-9_\/_+=.@-]*$` +>>>>>>>>> + @@ -24506,0 +24616,11 @@ JobTemplate -> (structure) +>>>>>>>> +>>>>>>>> SigningKmsKey -> (string) +>>>>>>>> +>>>>>>>>> Specify the ID or ARN of the AWS KMS key used to sign the C2PA manifest in your MP4 output. Provide a valid KMS key ARN. Note that your MediaConvert service role must allow access to this key. +>>>>>>>>> +>>>>>>>>> Constraints: +>>>>>>>>> +>>>>>>>>> * min: `1` +>>>>>>>>> * pattern: `^(arn:aws(-us-gov|-cn)?:kms:[a-z-]{2,6}-(east|west|central|((north|south)(east|west)?))-[1-9]{1,2}:\d{12}:key/)?[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}|mrk-[a-fA-F0-9]{32}$` +>>>>>>>>> + @@ -25555,0 +25676,11 @@ JobTemplate -> (structure) +>>>>>>>> +>>>>>>>> C2paManifest -> (string) +>>>>>>>> +>>>>>>>>> When enabled, a C2PA compliant manifest will be generated, signed and embeded in the output. For more information on C2PA, see <https://c2pa.org/specifications/specifications/2.1/index.html> +>>>>>>>>> +>>>>>>>>> Possible values: +>>>>>>>>> +>>>>>>>>> * `INCLUDE` +>>>>>>>>> * `EXCLUDE` +>>>>>>>>> + @@ -25566,0 +25698,12 @@ JobTemplate -> (structure) +>>>>>>>> +>>>>>>>> CertificateSecret -> (string) +>>>>>>>> +>>>>>>>>> Specify the name or ARN of the AWS Secrets Manager secret that contains your C2PA public certificate chain in PEM format. Provide a valid secret name or ARN. Note that your MediaConvert service role must allow access to this secret. The public certificate chain is added to the COSE header (x5chain) for signature validation. Include the signer’s certificate and all intermediate certificates. Do not include the root certificate. For details on COSE, see: <https://opensource.contentauthenticity.org/docs/manifest/signing-manifests> +>>>>>>>>> +>>>>>>>>> Constraints: +>>>>>>>>> +>>>>>>>>> * min: `1` +>>>>>>>>> * max: `2048` +>>>>>>>>> * pattern: `^(arn:[a-z-]+:secretsmanager:[\w-]+:\d{12}:secret:)?[a-zA-Z0-9_\/_+=.@-]*$` +>>>>>>>>> + @@ -25610,0 +25754,11 @@ JobTemplate -> (structure) +>>>>>>>> +>>>>>>>> SigningKmsKey -> (string) +>>>>>>>> +>>>>>>>>> Specify the ID or ARN of the AWS KMS key used to sign the C2PA manifest in your MP4 output. Provide a valid KMS key ARN. Note that your MediaConvert service role must allow access to this key. +>>>>>>>>> +>>>>>>>>> Constraints: +>>>>>>>>> +>>>>>>>>> * min: `1` +>>>>>>>>> * pattern: `^(arn:aws(-us-gov|-cn)?:kms:[a-z-]{2,6}-(east|west|central|((north|south)(east|west)?))-[1-9]{1,2}:\d{12}:key/)?[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}|mrk-[a-fA-F0-9]{32}$` +>>>>>>>>> + @@ -27864,0 +28019,11 @@ JobTemplate -> (structure) +>>>>>>>>> +>>>>>>>>> FrameControl -> (string) +>>>>>>>>> +>>>>>>>>>> Choose how MediaConvert handles start and end times for input clipping with video passthrough. Your input video codec must be H.264 or H.265 to use IFRAME. To clip at the nearest IDR-frame: Choose Nearest IDR. If an IDR-frame is not found at the frame that you specify, MediaConvert uses the next compatible IDR-frame. Note that your output may be shorter than your input clip duration. To clip at the nearest I-frame: Choose Nearest I-frame. If an I-frame is not found at the frame that you specify, MediaConvert uses the next compatible I-frame. Note that your output may be shorter than your input clip duration. We only recommend this setting for special workflows, and when you choose this setting your output may not be compatible with most players. +>>>>>>>>>> +>>>>>>>>>> Possible values: +>>>>>>>>>> +>>>>>>>>>> * `NEAREST_IDRFRAME` +>>>>>>>>>> * `NEAREST_IFRAME` +>>>>>>>>>> + @@ -30096 +30261 @@ JobTemplate -> (structure) - * [AWS CLI 2.31.35 Command Reference](../../index.html) » + * [AWS CLI 2.31.37 Command Reference](../../index.html) »