AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-01-22 · Documentation medium

File: cli/latest/reference/verifiedpermissions/create-policy-store.md

Summary

Added encryption-settings parameter documentation for customer-managed KMS keys and updated CLI version

Security assessment

Introduces documentation for encryption configuration options using customer-managed KMS keys. While this adds security-related documentation about data encryption capabilities, there is no indication it addresses a specific security vulnerability.

Diff

diff --git a/cli/latest/reference/verifiedpermissions/create-policy-store.md b/cli/latest/reference/verifiedpermissions/create-policy-store.md
index 37195b2d9..e9da3c89c 100644
--- a//cli/latest/reference/verifiedpermissions/create-policy-store.md
+++ b//cli/latest/reference/verifiedpermissions/create-policy-store.md
@@ -15 +15 @@
-  * [AWS CLI 2.33.2 Command Reference](../../index.html) »
+  * [AWS CLI 2.33.4 Command Reference](../../index.html) »
@@ -79,0 +80 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/verifi
+    [--encryption-settings <value>]
@@ -192,0 +194,78 @@ JSON Syntax:
+`--encryption-settings` (tagged union structure)
+
+> Specifies the encryption settings used to encrypt the policy store and their child resources. Allows for the ability to use a customer owned KMS key for encryption of data.
+> 
+> This is an optional field to be used when providing a customer-managed KMS key for encryption.
+> 
+> ### Note
+> 
+> This is a Tagged Union structure. Only one of the following top level keys can be set: `kmsEncryptionSettings`, `default`.
+> 
+> kmsEncryptionSettings -> (structure)
+>
+>> The KMS encryption settings for this policy store to encrypt data with. It will contain the customer-managed KMS key, and a user-defined encryption context.
+>> 
+>> key -> (string) [required]
+>>
+>>> The customer-managed KMS key [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) , alias or ID to be used for encryption processes.
+>>> 
+>>> Users can provide the full KMS key ARN, a KMS key alias, or a KMS key ID, but it will be mapped to the full KMS key ARN after policy store creation, and referenced when encrypting child resources.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * pattern: `[a-zA-Z0-9:/_-]+`
+>>> 
+
+>> 
+>> encryptionContext -> (map)
+>>
+>>> User-defined, additional context to be added to encryption processes.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `0`
+>>>   * max: `8192`
+>>> 
+
+>>> 
+>>> key -> (string)
+>>>
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>> 
+
+>>> 
+>>> value -> (string)
+>>>
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>> 
+
+> 
+> default -> (structure)
+>
+>> Use AWS owned encryption keys for encrypting policy store data.
+
+Shorthand Syntax:
+    
+    
+    kmsEncryptionSettings={key=string,encryptionContext={KeyName1=string,KeyName2=string}},default={}
+    
+
+JSON Syntax:
+    
+    
+    {
+      "kmsEncryptionSettings": {
+        "key": "string",
+        "encryptionContext": {"string": "string"
+          ...}
+      },
+      "default": {
+    
+      }
+    }
+    
+
@@ -406 +485 @@ lastUpdatedDate -> (timestamp)
-  * [AWS CLI 2.33.2 Command Reference](../../index.html) »
+  * [AWS CLI 2.33.4 Command Reference](../../index.html) »