AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-02-19 · Documentation low

File: cli/latest/reference/kms/decrypt.md

Summary

Added new --dry-run-modifiers parameter and updated ciphertext-blob requirements for dry-run operations

Security assessment

Introduces IGNORE_CIPHERTEXT modifier for permission testing without valid ciphertext. This documents a security testing feature but doesn't address a vulnerability. Security impact: Enables safer permission validation without exposing real ciphertext.

Diff

diff --git a/cli/latest/reference/kms/decrypt.md b/cli/latest/reference/kms/decrypt.md
index 2bda2942e..8a2b2ba2f 100644
--- a//cli/latest/reference/kms/decrypt.md
+++ b//cli/latest/reference/kms/decrypt.md
@@ -15 +15 @@
-  * [AWS CLI 2.33.22 Command Reference](../../index.html) »
+  * [AWS CLI 2.33.25 Command Reference](../../index.html) »
@@ -103 +103 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20
-    --ciphertext-blob <value>
+    [--ciphertext-blob <value>]
@@ -109,0 +110 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20
+    [--dry-run-modifiers <value>]
@@ -134 +135 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20
-`--ciphertext-blob` (blob) [required]
+`--ciphertext-blob` (blob)
@@ -137,0 +139,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20
+> This parameter is required in all cases except when `DryRun` is `true` and `DryRunModifiers` is set to `IGNORE_CIPHERTEXT` .
+> 
@@ -204 +207 @@ Syntax:
-> This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. If you used a symmetric encryption KMS key, KMS can get the KMS key from metadata that it adds to the symmetric ciphertext blob. However, it is always recommended as a best practice. This practice ensures that you use the KMS key that you intend.
+> This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key or when `DryRun` is `true` and `DryRunModifiers` is set to `IGNORE_CIPHERTEXT` . If you used a symmetric encryption KMS key, KMS can get the KMS key from metadata that it adds to the symmetric ciphertext blob. However, it is always recommended as a best practice. This practice ensures that you use the KMS key that you intend.
@@ -292,0 +296,22 @@ JSON Syntax:
+`--dry-run-modifiers` (list)
+
+> Specifies the modifiers to apply to the dry run operation. `DryRunModifiers` is an optional parameter that only applies when `DryRun` is set to `true` .
+> 
+> When set to `IGNORE_CIPHERTEXT` , KMS performs only authorization validation without ciphertext validation. This allows you to test permissions without requiring a valid ciphertext blob.
+> 
+> To learn more about how to use this parameter, see [Testing your permissions](https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html) in the _Key Management Service Developer Guide_ .
+> 
+> (string)
+>
+>> Possible values:
+>> 
+>>   * `IGNORE_CIPHERTEXT`
+>> 
+
+
+Syntax:
+    
+    
+    "string" "string" ...
+    
+
@@ -562 +587 @@ KeyMaterialId -> (string)
-  * [AWS CLI 2.33.22 Command Reference](../../index.html) »
+  * [AWS CLI 2.33.25 Command Reference](../../index.html) »