AWS cli documentation change
Summary
Added documentation for proxy configuration in browser sessions, including proxy server settings, domain routing rules, authentication credentials via AWS Secrets Manager, and proxy bypass configurations.
Security assessment
The change documents security-related features (proxy authentication using Secrets Manager, domain-based routing) but shows no evidence of addressing a specific vulnerability. It enhances security documentation by detailing credential management and traffic routing controls.
Diff
diff --git a/cli/latest/reference/bedrock-agentcore/get-browser-session.md b/cli/latest/reference/bedrock-agentcore/get-browser-session.md index 7f8d92e16..68eb62169 100644 --- a//cli/latest/reference/bedrock-agentcore/get-browser-session.md +++ b//cli/latest/reference/bedrock-agentcore/get-browser-session.md @@ -15 +15 @@ - * [AWS CLI 2.33.18 Command Reference](../../index.html) » + * [AWS CLI 2.33.21 Command Reference](../../index.html) » @@ -412,0 +413,118 @@ streams -> (structure) +proxyConfiguration -> (structure) + +> The active proxy configuration for this browser session. This field is only present if proxy configuration was provided when the session was started using `StartBrowserSession` . The configuration includes proxy servers, domain bypass rules and the proxy authentication credentials. +> +> proxies -> (list) [required] +> +>> An array of 1-5 proxy server configurations for domain-based routing. Each proxy can specify which domains it handles via `domainPatterns` , enabling flexible routing of different traffic through different proxies based on destination domain. +>> +>> Constraints: +>> +>> * min: `1` +>> * max: `5` +>> + +>> +>> (tagged union structure) +>> +>>> Union type representing different proxy configurations. Currently supports external customer-managed proxies. +>>> +>>> ### Note +>>> +>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `externalProxy`. +>>> +>>> externalProxy -> (structure) +>>> +>>>> Configuration for an external customer-managed proxy server. +>>>> +>>>> server -> (string) [required] +>>>> +>>>>> The hostname of the proxy server. Must be a valid DNS hostname (maximum 253 characters). +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * max: `253` +>>>>> * pattern: `[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?)*` +>>>>> + +>>>> +>>>> port -> (integer) [required] +>>>> +>>>>> The port number of the proxy server. Valid range: 1-65535. +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * max: `65535` +>>>>> + +>>>> +>>>> domainPatterns -> (list) +>>>> +>>>>> Optional array of domain patterns that should route through this specific proxy. Supports `.example.com` for subdomain matching (matches any subdomain of example.com) or `example.com` for exact domain matching. If omitted, this proxy acts as a catch-all for domains not matched by other proxies. Maximum 100 patterns per proxy, each up to 253 characters. +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * max: `100` +>>>>> + +>>>>> +>>>>> (string) +>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `1` +>>>>>> * max: `253` +>>>>>> * pattern: `(\.)?[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?)*` +>>>>>> + +>>>> +>>>> credentials -> (tagged union structure) +>>>> +>>>>> Optional authentication credentials for the proxy server. If omitted, the proxy is accessed without authentication (useful for IP-allowlisted proxies). +>>>>> +>>>>> ### Note +>>>>> +>>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `basicAuth`. +>>>>> +>>>>> basicAuth -> (structure) +>>>>> +>>>>>> HTTP Basic Authentication credentials (username and password) stored in Amazon Web Services Secrets Manager. +>>>>>> +>>>>>> secretArn -> (string) [required] +>>>>>> +>>>>>>> The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager secret containing proxy credentials. The secret must be a JSON object with `username` and `password` string fields that meet validation requirements. The caller must have `secretsmanager:GetSecretValue` permission for this ARN. Example secret format: `{"username": "proxy_user", "password": "secure_password"}` +>>>>>>> +>>>>>>> Constraints: +>>>>>>> +>>>>>>> * pattern: `arn:aws:secretsmanager:[a-z0-9-]+:[0-9]{12}:secret:[a-zA-Z0-9/_+=.@-]+` +>>>>>>> + +> +> bypass -> (structure) +> +>> Optional configuration for domains that should bypass all proxies and connect directly to their destination, like the internet. Takes precedence over all proxy routing rules. +>> +>> domainPatterns -> (list) +>> +>>> Array of domain patterns that should bypass the proxy. Supports `.amazonaws.com` for subdomain matching or `amazonaws.com` for exact domain matching. Requests to these domains connect directly without using any proxy. Maximum 253 characters per pattern. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `100` +>>> + +>>> +>>> (string) +>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `253` +>>>> * pattern: `(\.)?[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?)*` +>>>> + + @@ -431 +549 @@ lastUpdatedAt -> (timestamp) - * [AWS CLI 2.33.18 Command Reference](../../index.html) » + * [AWS CLI 2.33.21 Command Reference](../../index.html) »