AWS cli documentation change
Summary
Updated CLI reference documentation for 'update-app-monitor' command with parameter reordering, added constraints, clarified authorization requirements, and restructured configuration options
Security assessment
The changes include clarifications about Amazon Cognito authorization requirements and IAM role configurations, which are security-related documentation improvements. However, there is no evidence of addressing a specific security vulnerability. The added constraints (e.g., regex patterns for domains) improve input validation but don't explicitly fix a security flaw.
Diff
diff --git a/cli/latest/reference/rum/update-app-monitor.md b/cli/latest/reference/rum/update-app-monitor.md index f2b4f9798..913b66be7 100644 --- a//cli/latest/reference/rum/update-app-monitor.md +++ b//cli/latest/reference/rum/update-app-monitor.md @@ -15 +15 @@ - * [AWS CLI 2.31.39 Command Reference](../../index.html) » + * [AWS CLI 2.32.3 Command Reference](../../index.html) » @@ -72,0 +73,3 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 + --name <value> + [--domain <value>] + [--domain-list <value>] @@ -74 +76,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 - [--custom-events <value>] @@ -75,0 +78 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 + [--custom-events <value>] @@ -77,3 +79,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 - [--domain <value>] - [--domain-list <value>] - --name <value> @@ -104 +104 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 -`--app-monitor-configuration` (structure) +`--name` (string) [required] @@ -106 +106 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 -> A structure that contains much of the configuration data for the app monitor. If you are using Amazon Cognito for authorization, you must include this structure in your request, and it must include the ID of the Amazon Cognito identity pool to use for authorization. If you don’t include `AppMonitorConfiguration` , you must set up your own authorization method. For more information, see [Authorize your application to send data to Amazon Web Services](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-RUM-get-started-authorization.html) . +> The name of the app monitor to update. @@ -108 +108 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 -> AllowCookies -> (boolean) +> Constraints: @@ -110 +110,3 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 ->> If you set this to `true` , the RUM web client sets two cookies, a session cookie and a user cookie. The cookies allow the RUM web client to collect data relating to the number of users an application has and the behavior of the application across a sequence of events. Cookies are stored in the top-level domain of the current page. +> * min: `1` +> * max: `255` +> * pattern: `(?!\.)[\.\-_#A-Za-z0-9]+` @@ -112 +114,5 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 -> EnableXRay -> (boolean) + + +`--domain` (string) + +> The top-level internet domain name for which your application has administrative authority. @@ -114 +120 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 ->> If you set this to `true` , RUM enables X-Ray tracing for the user sessions that RUM samples. RUM adds an X-Ray trace header to allowed HTTP requests. It also records an X-Ray segment for allowed HTTP requests. You can see traces and segments from these user sessions in the X-Ray console and the CloudWatch ServiceLens console. For more information, see [What is X-Ray?](https://docs.aws.amazon.com/xray/latest/devguide/aws-xray.html) +> Constraints: @@ -116 +122,18 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 -> ExcludedPages -> (list) +> * min: `1` +> * max: `253` +> * pattern: `(localhost)$|^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|(?=^[a-zA-Z0-9\.\*-]{4,253}$)(?!.*\.-)(?!.*-\.)(?!.*\.\.)(?!.*[^\.]{64,})^(\*\.)?(?![-\.\*])[^\*]{1,}\.(\*|(?!.*--)(?=.*[a-zA-Z])[^\*]{1,}[^\*-])` +> + + +`--domain-list` (list) + +> List the domain names for which your application has administrative authority. The `UpdateAppMonitor` allows either the domain or the domain list. +> +> Constraints: +> +> * min: `1` +> * max: `5` +> + +> +> (string) @@ -118,4 +140,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 ->> A list of URLs in your website or application to exclude from RUM data collection. ->> ->> You can’t include both `ExcludedPages` and `IncludedPages` in the same operation. ->> @@ -124,2 +143,3 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 ->> * min: `0` ->> * max: `50` +>> * min: `1` +>> * max: `253` +>> * pattern: `(localhost)$|^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|(?=^[a-zA-Z0-9\.\*-]{4,253}$)(?!.*\.-)(?!.*-\.)(?!.*\.\.)(?!.*[^\.]{64,})^(\*\.)?(?![-\.\*])[^\*]{1,}\.(\*|(?!.*--)(?=.*[a-zA-Z])[^\*]{1,}[^\*-])` @@ -128,9 +147,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 ->> ->> (string) ->> ->>> Constraints: ->>> ->>> * min: `1` ->>> * max: `1260` ->>> * pattern: `https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&*//=]*)` ->>> @@ -137,0 +149,9 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 +Syntax: + + + "string" "string" ... + + +`--app-monitor-configuration` (structure) + +> A structure that contains much of the configuration data for the app monitor. If you are using Amazon Cognito for authorization, you must include this structure in your request, and it must include the ID of the Amazon Cognito identity pool to use for authorization. If you don’t include `AppMonitorConfiguration` , you must set up your own authorization method. For more information, see [Authorize your application to send data to Amazon Web Services](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-RUM-get-started-authorization.html) . @@ -139 +159 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 -> FavoritePages -> (list) +> IdentityPoolId -> (string) @@ -141 +161 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 ->> A list of pages in your application that are to be displayed with a “favorite” icon in the CloudWatch RUM console. +>> The ID of the Amazon Cognito identity pool that is used to authorize the sending of data to RUM. @@ -145,2 +165,3 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 ->> * min: `0` ->> * max: `50` +>> * min: `1` +>> * max: `55` +>> * pattern: `.*[\w-]+:[0-9a-f-]+.*` @@ -149,2 +169,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 ->> ->> (string) @@ -152 +171 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 -> GuestRoleArn -> (string) +> ExcludedPages -> (list) @@ -154,10 +173 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 ->> The ARN of the guest IAM role that is attached to the Amazon Cognito identity pool that is used to authorize the sending of data to RUM. ->> ->> ### Note ->> ->> It is possible that an app monitor does not have a value for `GuestRoleArn` . For example, this can happen when you use the console to create an app monitor and you allow CloudWatch RUM to create a new identity pool for Authorization. In this case, `GuestRoleArn` is not present in the [GetAppMonitor](https://docs.aws.amazon.com/cloudwatchrum/latest/APIReference/API_GetAppMonitor.html) response because it is not stored by the service. ->> ->> If this issue affects you, you can take one of the following steps: ->> ->> * Use the Cloud Development Kit (CDK) to create an identity pool and the associated IAM role, and use that for your app monitor. ->> * Make a separate [GetIdentityPoolRoles](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetIdentityPoolRoles.html) call to Amazon Cognito to retrieve the `GuestRoleArn` . +>> A list of URLs in your website or application to exclude from RUM data collection. @@ -165 +175 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 - +>> You can’t include both `ExcludedPages` and `IncludedPages` in the same operation. @@ -169 +179,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 ->> * pattern: `arn:[^:]*:[^:]*:[^:]*:[^:]*:.*` +>> * min: `0` +>> * max: `50` @@ -172,6 +182,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 -> -> IdentityPoolId -> (string) -> ->> The ID of the Amazon Cognito identity pool that is used to authorize the sending of data to RUM. ->> ->> Constraints: @@ -179,3 +184 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 ->> * min: `1` ->> * max: `55` ->> * pattern: `[\w-]+:[0-9a-f-]+` +>> (string) @@ -182,0 +186,6 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `1260` +>>> * pattern: `.*https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&*//=]*).*` +>>> @@ -204 +213 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 ->>> * pattern: `https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&*//=]*)` +>>> * pattern: `.*https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&*//=]*).*` @@ -206,0 +216,13 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 +> +> FavoritePages -> (list) +> +>> A list of pages in your application that are to be displayed with a “favorite” icon in the CloudWatch RUM console. +>> +>> Constraints: +>> +>> * min: `0` +>> * max: `50` +>> + +>> +>> (string) @@ -221,0 +244,25 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 +> +> GuestRoleArn -> (string) +> +>> The ARN of the guest IAM role that is attached to the Amazon Cognito identity pool that is used to authorize the sending of data to RUM. +>> +>> ### Note +>> +>> It is possible that an app monitor does not have a value for `GuestRoleArn` . For example, this can happen when you use the console to create an app monitor and you allow CloudWatch RUM to create a new identity pool for Authorization. In this case, `GuestRoleArn` is not present in the [GetAppMonitor](https://docs.aws.amazon.com/cloudwatchrum/latest/APIReference/API_GetAppMonitor.html) response because it is not stored by the service. +>> +>> If this issue affects you, you can take one of the following steps: +>> +>> * Use the Cloud Development Kit (CDK) to create an identity pool and the associated IAM role, and use that for your app monitor. +>> * Make a separate [GetIdentityPoolRoles](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetIdentityPoolRoles.html) call to Amazon Cognito to retrieve the `GuestRoleArn` . +>> + +>> +>> Constraints: +>> +>> * pattern: `.*arn:[^:]*:[^:]*:[^:]*:[^:]*:.*` +>> + +> +> AllowCookies -> (boolean) +> +>> If you set this to `true` , the RUM web client sets two cookies, a session cookie and a user cookie. The cookies allow the RUM web client to collect data relating to the number of users an application has and the behavior of the application across a sequence of events. Cookies are stored in the top-level domain of the current page. @@ -241,0 +289,4 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rum-20 +> +> EnableXRay -> (boolean) +> +>> If you set this to `true` , RUM enables X-Ray tracing for the user sessions that RUM samples. RUM adds an X-Ray trace header to allowed HTTP requests. It also records an X-Ray segment for allowed HTTP requests. You can see traces and segments from these user sessions in the X-Ray console and the CloudWatch ServiceLens console. For more information, see [What is X-Ray?](https://docs.aws.amazon.com/xray/latest/devguide/aws-xray.html) @@ -246 +297 @@ Shorthand Syntax: - AllowCookies=boolean,EnableXRay=boolean,ExcludedPages=string,string,FavoritePages=string,string,GuestRoleArn=string,IdentityPoolId=string,IncludedPages=string,string,SessionSampleRate=double,Telemetries=string,string