AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-03-31 · Documentation medium

File: cli/latest/reference/appstream/create-stack.md

Summary

Added new --content-redirection parameter with HostToClient configuration for bidirectional URL redirection between streaming sessions and local clients, including allowed/denied URL pattern lists

Security assessment

This change adds documentation for a new security feature that controls URL redirection from remote desktops to local browsers. It includes security controls like allowed/denied URL lists with pattern matching, HTTPS enforcement, and precedence rules (denied over allowed). While this is a security feature addition, there's no evidence it addresses a specific security vulnerability or incident - it appears to be a new capability for controlling content redirection security.

Diff

diff --git a/cli/latest/reference/appstream/create-stack.md b/cli/latest/reference/appstream/create-stack.md
index 8116fae58..c3ebe73e1 100644
--- a//cli/latest/reference/appstream/create-stack.md
+++ b//cli/latest/reference/appstream/create-stack.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.19 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.20 Command Reference](../../index.html) »
@@ -78,0 +79 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/appstr
+    [--content-redirection <value>]
@@ -512,0 +514,76 @@ JSON Syntax:
+`--content-redirection` (structure)
+
+> Configuration for bidirectional URL redirection between the streaming session and the local client. Use HostToClient to redirect URLs from the remote desktop to the local browser.
+> 
+> HostToClient -> (structure)
+>
+>> Configuration for redirecting URLs from the remote desktop to the local client browser.
+>> 
+>> Enabled -> (boolean) [required]
+>>
+>>> Whether URL redirection is enabled for this direction.
+>> 
+>> AllowedUrls -> (list)
+>>
+>>> List of URL patterns that are allowed to be redirected. URLs matching these patterns will be redirected unless they also match a pattern in the denied list.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `0`
+>>>   * max: `100`
+>>> 
+
+>>> 
+>>> (string)
+>>>
+>>>> A glob pattern using wildcards (* for zero or more characters, ? for exactly one character) to match URLs for redirection rules. Patterns do not include a protocol prefix; HTTPS is enforced automatically. Valid examples: _, *.example.com, github.com/myorg/_ , api?.example.com Invalid examples: <https://example.com> (no protocol), empty string
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `2048`
+>>>>   * pattern: `^(\*|https?://[^\s,;]+)$`
+>>>> 
+
+>> 
+>> DeniedUrls -> (list)
+>>
+>>> List of URL patterns that are denied from redirection. This list takes precedence over the allowed list.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `0`
+>>>   * max: `100`
+>>> 
+
+>>> 
+>>> (string)
+>>>
+>>>> A glob pattern using wildcards (* for zero or more characters, ? for exactly one character) to match URLs for redirection rules. Patterns do not include a protocol prefix; HTTPS is enforced automatically. Valid examples: _, *.example.com, github.com/myorg/_ , api?.example.com Invalid examples: <https://example.com> (no protocol), empty string
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `2048`
+>>>>   * pattern: `^(\*|https?://[^\s,;]+)$`
+>>>> 
+
+
+Shorthand Syntax:
+    
+    
+    HostToClient={Enabled=boolean,AllowedUrls=[string,string],DeniedUrls=[string,string]}
+    
+
+JSON Syntax:
+    
+    
+    {
+      "HostToClient": {
+        "Enabled": true|false,
+        "AllowedUrls": ["string", ...],
+        "DeniedUrls": ["string", ...]
+      }
+    }
+    
+
@@ -946,0 +1024,58 @@ Stack -> (structure)
+> 
+> ContentRedirection -> (structure)
+>
+>> Configuration for bidirectional URL redirection between the streaming session and the local client. Use HostToClient to redirect URLs from the remote desktop to the local browser.
+>> 
+>> HostToClient -> (structure)
+>>
+>>> Configuration for redirecting URLs from the remote desktop to the local client browser.
+>>> 
+>>> Enabled -> (boolean) [required]
+>>>
+>>>> Whether URL redirection is enabled for this direction.
+>>> 
+>>> AllowedUrls -> (list)
+>>>
+>>>> List of URL patterns that are allowed to be redirected. URLs matching these patterns will be redirected unless they also match a pattern in the denied list.
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * min: `0`
+>>>>   * max: `100`
+>>>> 
+
+>>>> 
+>>>> (string)
+>>>>
+>>>>> A glob pattern using wildcards (* for zero or more characters, ? for exactly one character) to match URLs for redirection rules. Patterns do not include a protocol prefix; HTTPS is enforced automatically. Valid examples: _, *.example.com, github.com/myorg/_ , api?.example.com Invalid examples: <https://example.com> (no protocol), empty string
+>>>>> 
+>>>>> Constraints:
+>>>>> 
+>>>>>   * min: `1`
+>>>>>   * max: `2048`
+>>>>>   * pattern: `^(\*|https?://[^\s,;]+)$`
+>>>>> 
+
+>>> 
+>>> DeniedUrls -> (list)
+>>>
+>>>> List of URL patterns that are denied from redirection. This list takes precedence over the allowed list.
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * min: `0`
+>>>>   * max: `100`
+>>>> 
+
+>>>> 
+>>>> (string)
+>>>>
+>>>>> A glob pattern using wildcards (* for zero or more characters, ? for exactly one character) to match URLs for redirection rules. Patterns do not include a protocol prefix; HTTPS is enforced automatically. Valid examples: _, *.example.com, github.com/myorg/_ , api?.example.com Invalid examples: <https://example.com> (no protocol), empty string
+>>>>> 
+>>>>> Constraints:
+>>>>> 
+>>>>>   * min: `1`
+>>>>>   * max: `2048`
+>>>>>   * pattern: `^(\*|https?://[^\s,;]+)$`
+>>>>> 
+
@@ -958 +1093 @@ Stack -> (structure)
-  * [AWS CLI 2.34.19 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.20 Command Reference](../../index.html) »