AWS cli documentation change
Summary
Added new --dry-run-modifiers parameter and updated ciphertext-blob requirements for dry-run operations
Security assessment
Introduces IGNORE_CIPHERTEXT modifier for permission testing without valid ciphertext. This documents a security testing feature but doesn't address a vulnerability. Security impact: Enables safer permission validation without exposing real ciphertext.
Diff
diff --git a/cli/latest/reference/kms/decrypt.md b/cli/latest/reference/kms/decrypt.md index 2bda2942e..8a2b2ba2f 100644 --- a//cli/latest/reference/kms/decrypt.md +++ b//cli/latest/reference/kms/decrypt.md @@ -15 +15 @@ - * [AWS CLI 2.33.22 Command Reference](../../index.html) » + * [AWS CLI 2.33.25 Command Reference](../../index.html) » @@ -103 +103 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20 - --ciphertext-blob <value> + [--ciphertext-blob <value>] @@ -109,0 +110 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20 + [--dry-run-modifiers <value>] @@ -134 +135 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20 -`--ciphertext-blob` (blob) [required] +`--ciphertext-blob` (blob) @@ -137,0 +139,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20 +> This parameter is required in all cases except when `DryRun` is `true` and `DryRunModifiers` is set to `IGNORE_CIPHERTEXT` . +> @@ -204 +207 @@ Syntax: -> This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. If you used a symmetric encryption KMS key, KMS can get the KMS key from metadata that it adds to the symmetric ciphertext blob. However, it is always recommended as a best practice. This practice ensures that you use the KMS key that you intend. +> This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key or when `DryRun` is `true` and `DryRunModifiers` is set to `IGNORE_CIPHERTEXT` . If you used a symmetric encryption KMS key, KMS can get the KMS key from metadata that it adds to the symmetric ciphertext blob. However, it is always recommended as a best practice. This practice ensures that you use the KMS key that you intend. @@ -292,0 +296,22 @@ JSON Syntax: +`--dry-run-modifiers` (list) + +> Specifies the modifiers to apply to the dry run operation. `DryRunModifiers` is an optional parameter that only applies when `DryRun` is set to `true` . +> +> When set to `IGNORE_CIPHERTEXT` , KMS performs only authorization validation without ciphertext validation. This allows you to test permissions without requiring a valid ciphertext blob. +> +> To learn more about how to use this parameter, see [Testing your permissions](https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html) in the _Key Management Service Developer Guide_ . +> +> (string) +> +>> Possible values: +>> +>> * `IGNORE_CIPHERTEXT` +>> + + +Syntax: + + + "string" "string" ... + + @@ -562 +587 @@ KeyMaterialId -> (string) - * [AWS CLI 2.33.22 Command Reference](../../index.html) » + * [AWS CLI 2.33.25 Command Reference](../../index.html) »