AWS cli documentation change
Summary
Added new --dry-run-modifiers parameter and updated ciphertext-blob requirements for dry-run operations
Security assessment
Adds same dry-run testing capability as decrypt.md. Documents security testing feature (IGNORE_CIPHERTEXT) but no vulnerability fix. Security impact: Allows permission validation without handling real ciphertext during tests.
Diff
diff --git a/cli/latest/reference/kms/re-encrypt.md b/cli/latest/reference/kms/re-encrypt.md index e06bb5399..c84d6c03f 100644 --- a//cli/latest/reference/kms/re-encrypt.md +++ b//cli/latest/reference/kms/re-encrypt.md @@ -15 +15 @@ - * [AWS CLI 2.33.22 Command Reference](../../index.html) » + * [AWS CLI 2.33.25 Command Reference](../../index.html) » @@ -106 +106 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20 - --ciphertext-blob <value> + [--ciphertext-blob <value>] @@ -114,0 +115 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20 + [--dry-run-modifiers <value>] @@ -139 +140 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20 -`--ciphertext-blob` (blob) [required] +`--ciphertext-blob` (blob) @@ -142,0 +144,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20 +> This parameter is required in all cases except when `DryRun` is `true` and `DryRunModifiers` is set to `IGNORE_CIPHERTEXT` . +> @@ -181 +184 @@ JSON Syntax: -> This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. If you used a symmetric encryption KMS key, KMS can get the KMS key from metadata that it adds to the symmetric ciphertext blob. However, it is always recommended as a best practice. This practice ensures that you use the KMS key that you intend. +> This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key or when `DryRun` is `true` and `DryRunModifiers` is set to `IGNORE_CIPHERTEXT` . If you used a symmetric encryption KMS key, KMS can get the KMS key from metadata that it adds to the symmetric ciphertext blob. However, it is always recommended as a best practice. This practice ensures that you use the KMS key that you intend. @@ -323,0 +327,22 @@ Syntax: +`--dry-run-modifiers` (list) + +> Specifies the modifiers to apply to the dry run operation. `DryRunModifiers` is an optional parameter that only applies when `DryRun` is set to `true` . +> +> When set to `IGNORE_CIPHERTEXT` , KMS performs only authorization validation without ciphertext validation. This allows you to test permissions without requiring a valid ciphertext blob. +> +> To learn more about how to use this parameter, see [Testing your permissions](https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html) in the _Key Management Service Developer Guide_ . +> +> (string) +> +>> Possible values: +>> +>> * `IGNORE_CIPHERTEXT` +>> + + +Syntax: + + + "string" "string" ... + + @@ -597 +622 @@ DestinationKeyMaterialId -> (string) - * [AWS CLI 2.33.22 Command Reference](../../index.html) » + * [AWS CLI 2.33.25 Command Reference](../../index.html) »