AWS cli documentation change
Summary
Added new --content-redirection parameter with HostToClient configuration for bidirectional URL redirection between streaming sessions and local clients, including allowed/denied URL pattern lists
Security assessment
This change adds documentation for a new security feature that controls URL redirection from remote desktops to local browsers. It includes security controls like allowed/denied URL lists with pattern matching, HTTPS enforcement, and precedence rules (denied over allowed). While this is a security feature addition, there's no evidence it addresses a specific security vulnerability or incident - it appears to be a new capability for controlling content redirection security.
Diff
diff --git a/cli/latest/reference/appstream/create-stack.md b/cli/latest/reference/appstream/create-stack.md index 8116fae58..c3ebe73e1 100644 --- a//cli/latest/reference/appstream/create-stack.md +++ b//cli/latest/reference/appstream/create-stack.md @@ -15 +15 @@ - * [AWS CLI 2.34.19 Command Reference](../../index.html) » + * [AWS CLI 2.34.20 Command Reference](../../index.html) » @@ -78,0 +79 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/appstr + [--content-redirection <value>] @@ -512,0 +514,76 @@ JSON Syntax: +`--content-redirection` (structure) + +> Configuration for bidirectional URL redirection between the streaming session and the local client. Use HostToClient to redirect URLs from the remote desktop to the local browser. +> +> HostToClient -> (structure) +> +>> Configuration for redirecting URLs from the remote desktop to the local client browser. +>> +>> Enabled -> (boolean) [required] +>> +>>> Whether URL redirection is enabled for this direction. +>> +>> AllowedUrls -> (list) +>> +>>> List of URL patterns that are allowed to be redirected. URLs matching these patterns will be redirected unless they also match a pattern in the denied list. +>>> +>>> Constraints: +>>> +>>> * min: `0` +>>> * max: `100` +>>> + +>>> +>>> (string) +>>> +>>>> A glob pattern using wildcards (* for zero or more characters, ? for exactly one character) to match URLs for redirection rules. Patterns do not include a protocol prefix; HTTPS is enforced automatically. Valid examples: _, *.example.com, github.com/myorg/_ , api?.example.com Invalid examples: <https://example.com> (no protocol), empty string +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `2048` +>>>> * pattern: `^(\*|https?://[^\s,;]+)$` +>>>> + +>> +>> DeniedUrls -> (list) +>> +>>> List of URL patterns that are denied from redirection. This list takes precedence over the allowed list. +>>> +>>> Constraints: +>>> +>>> * min: `0` +>>> * max: `100` +>>> + +>>> +>>> (string) +>>> +>>>> A glob pattern using wildcards (* for zero or more characters, ? for exactly one character) to match URLs for redirection rules. Patterns do not include a protocol prefix; HTTPS is enforced automatically. Valid examples: _, *.example.com, github.com/myorg/_ , api?.example.com Invalid examples: <https://example.com> (no protocol), empty string +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `2048` +>>>> * pattern: `^(\*|https?://[^\s,;]+)$` +>>>> + + +Shorthand Syntax: + + + HostToClient={Enabled=boolean,AllowedUrls=[string,string],DeniedUrls=[string,string]} + + +JSON Syntax: + + + { + "HostToClient": { + "Enabled": true|false, + "AllowedUrls": ["string", ...], + "DeniedUrls": ["string", ...] + } + } + + @@ -946,0 +1024,58 @@ Stack -> (structure) +> +> ContentRedirection -> (structure) +> +>> Configuration for bidirectional URL redirection between the streaming session and the local client. Use HostToClient to redirect URLs from the remote desktop to the local browser. +>> +>> HostToClient -> (structure) +>> +>>> Configuration for redirecting URLs from the remote desktop to the local client browser. +>>> +>>> Enabled -> (boolean) [required] +>>> +>>>> Whether URL redirection is enabled for this direction. +>>> +>>> AllowedUrls -> (list) +>>> +>>>> List of URL patterns that are allowed to be redirected. URLs matching these patterns will be redirected unless they also match a pattern in the denied list. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `0` +>>>> * max: `100` +>>>> + +>>>> +>>>> (string) +>>>> +>>>>> A glob pattern using wildcards (* for zero or more characters, ? for exactly one character) to match URLs for redirection rules. Patterns do not include a protocol prefix; HTTPS is enforced automatically. Valid examples: _, *.example.com, github.com/myorg/_ , api?.example.com Invalid examples: <https://example.com> (no protocol), empty string +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * max: `2048` +>>>>> * pattern: `^(\*|https?://[^\s,;]+)$` +>>>>> + +>>> +>>> DeniedUrls -> (list) +>>> +>>>> List of URL patterns that are denied from redirection. This list takes precedence over the allowed list. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `0` +>>>> * max: `100` +>>>> + +>>>> +>>>> (string) +>>>> +>>>>> A glob pattern using wildcards (* for zero or more characters, ? for exactly one character) to match URLs for redirection rules. Patterns do not include a protocol prefix; HTTPS is enforced automatically. Valid examples: _, *.example.com, github.com/myorg/_ , api?.example.com Invalid examples: <https://example.com> (no protocol), empty string +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * max: `2048` +>>>>> * pattern: `^(\*|https?://[^\s,;]+)$` +>>>>> + @@ -958 +1093 @@ Stack -> (structure) - * [AWS CLI 2.34.19 Command Reference](../../index.html) » + * [AWS CLI 2.34.20 Command Reference](../../index.html) »