AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-02-19 · Documentation low

File: cli/latest/reference/kms/re-encrypt.md

Summary

Added new --dry-run-modifiers parameter and updated ciphertext-blob requirements for dry-run operations

Security assessment

Adds same dry-run testing capability as decrypt.md. Documents security testing feature (IGNORE_CIPHERTEXT) but no vulnerability fix. Security impact: Allows permission validation without handling real ciphertext during tests.

Diff

diff --git a/cli/latest/reference/kms/re-encrypt.md b/cli/latest/reference/kms/re-encrypt.md
index e06bb5399..c84d6c03f 100644
--- a//cli/latest/reference/kms/re-encrypt.md
+++ b//cli/latest/reference/kms/re-encrypt.md
@@ -15 +15 @@
-  * [AWS CLI 2.33.22 Command Reference](../../index.html) »
+  * [AWS CLI 2.33.25 Command Reference](../../index.html) »
@@ -106 +106 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20
-    --ciphertext-blob <value>
+    [--ciphertext-blob <value>]
@@ -114,0 +115 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20
+    [--dry-run-modifiers <value>]
@@ -139 +140 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20
-`--ciphertext-blob` (blob) [required]
+`--ciphertext-blob` (blob)
@@ -142,0 +144,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20
+> This parameter is required in all cases except when `DryRun` is `true` and `DryRunModifiers` is set to `IGNORE_CIPHERTEXT` .
+> 
@@ -181 +184 @@ JSON Syntax:
-> This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. If you used a symmetric encryption KMS key, KMS can get the KMS key from metadata that it adds to the symmetric ciphertext blob. However, it is always recommended as a best practice. This practice ensures that you use the KMS key that you intend.
+> This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key or when `DryRun` is `true` and `DryRunModifiers` is set to `IGNORE_CIPHERTEXT` . If you used a symmetric encryption KMS key, KMS can get the KMS key from metadata that it adds to the symmetric ciphertext blob. However, it is always recommended as a best practice. This practice ensures that you use the KMS key that you intend.
@@ -323,0 +327,22 @@ Syntax:
+`--dry-run-modifiers` (list)
+
+> Specifies the modifiers to apply to the dry run operation. `DryRunModifiers` is an optional parameter that only applies when `DryRun` is set to `true` .
+> 
+> When set to `IGNORE_CIPHERTEXT` , KMS performs only authorization validation without ciphertext validation. This allows you to test permissions without requiring a valid ciphertext blob.
+> 
+> To learn more about how to use this parameter, see [Testing your permissions](https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html) in the _Key Management Service Developer Guide_ .
+> 
+> (string)
+>
+>> Possible values:
+>> 
+>>   * `IGNORE_CIPHERTEXT`
+>> 
+
+
+Syntax:
+    
+    
+    "string" "string" ...
+    
+
@@ -597 +622 @@ DestinationKeyMaterialId -> (string)
-  * [AWS CLI 2.33.22 Command Reference](../../index.html) »
+  * [AWS CLI 2.33.25 Command Reference](../../index.html) »