AWS cli documentation change
Summary
Added support for ClientCertificateAttribute in conditions and two new actions (Bounce and InvokeLambda) for rule sets. Updated CLI version reference from 2.34.20 to 2.34.21.
Security assessment
The change introduces new features: the ability to use client certificate attributes (which are part of TLS mutual authentication) in rule conditions, and two new actions (Bounce and InvokeLambda) for email processing. While client certificate attributes and bounce actions can be used for security purposes (authentication and email rejection), there is no evidence that this change addresses a specific security vulnerability. Therefore, it is not directly related to a security issue but does add documentation about security-related features.
Diff
diff --git a/cli/latest/reference/mailmanager/create-rule-set.md b/cli/latest/reference/mailmanager/create-rule-set.md index 2407441fd..322b4985f 100644 --- a//cli/latest/reference/mailmanager/create-rule-set.md +++ b//cli/latest/reference/mailmanager/create-rule-set.md @@ -15 +15 @@ - * [AWS CLI 2.34.20 Command Reference](../../index.html) » + * [AWS CLI 2.34.21 Command Reference](../../index.html) » @@ -268 +268 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/mailma ->>>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `Attribute`, `MimeHeaderAttribute`, `Analysis`. +>>>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `Attribute`, `MimeHeaderAttribute`, `Analysis`, `ClientCertificateAttribute`. @@ -321,0 +322,17 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/mailma +>>>>>> +>>>>>> ClientCertificateAttribute -> (string) +>>>>>> +>>>>>>> The client certificate attribute to evaluate in a string condition expression. +>>>>>>> +>>>>>>> Possible values: +>>>>>>> +>>>>>>> * `CN` +>>>>>>> * `SAN_RFC822_NAME` +>>>>>>> * `SAN_DNS_NAME` +>>>>>>> * `SAN_DIRECTORY_NAME` +>>>>>>> * `SAN_UNIFORM_RESOURCE_IDENTIFIER` +>>>>>>> * `SAN_IP_ADDRESS` +>>>>>>> * `SAN_REGISTERED_ID` +>>>>>>> * `SERIAL_NUMBER` +>>>>>>> + @@ -692 +709 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/mailma ->>>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `Attribute`, `MimeHeaderAttribute`, `Analysis`. +>>>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `Attribute`, `MimeHeaderAttribute`, `Analysis`, `ClientCertificateAttribute`. @@ -745,0 +763,17 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/mailma +>>>>>> +>>>>>> ClientCertificateAttribute -> (string) +>>>>>> +>>>>>>> The client certificate attribute to evaluate in a string condition expression. +>>>>>>> +>>>>>>> Possible values: +>>>>>>> +>>>>>>> * `CN` +>>>>>>> * `SAN_RFC822_NAME` +>>>>>>> * `SAN_DNS_NAME` +>>>>>>> * `SAN_DIRECTORY_NAME` +>>>>>>> * `SAN_UNIFORM_RESOURCE_IDENTIFIER` +>>>>>>> * `SAN_IP_ADDRESS` +>>>>>>> * `SAN_REGISTERED_ID` +>>>>>>> * `SERIAL_NUMBER` +>>>>>>> + @@ -1011 +1045 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/mailma ->>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `Drop`, `Relay`, `Archive`, `WriteToS3`, `Send`, `AddHeader`, `ReplaceRecipient`, `DeliverToMailbox`, `DeliverToQBusiness`, `PublishToSns`. +>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `Drop`, `Relay`, `Archive`, `WriteToS3`, `Send`, `AddHeader`, `ReplaceRecipient`, `DeliverToMailbox`, `DeliverToQBusiness`, `PublishToSns`, `Bounce`, `InvokeLambda`. @@ -1373,0 +1408,148 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/mailma +>>>> +>>>> Bounce -> (structure) +>>>> +>>>>> This action sends a bounce response for the email. +>>>>> +>>>>> ActionFailurePolicy -> (string) +>>>>> +>>>>>> A policy that states what to do in the case of failure. The action will fail if there are configuration errors. For example, the caller does not have the permissions to call the SendBounce API. +>>>>>> +>>>>>> Possible values: +>>>>>> +>>>>>> * `CONTINUE` +>>>>>> * `DROP` +>>>>>> + +>>>>> +>>>>> RoleArn -> (string) [required] +>>>>> +>>>>>> The Amazon Resource Name (ARN) of the IAM role to use to send the bounce message. +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `20` +>>>>>> * max: `2048` +>>>>>> * pattern: `[a-zA-Z0-9:_/+=,@.#-]+` +>>>>>> + +>>>>> +>>>>> Sender -> (string) [required] +>>>>> +>>>>>> The sender email address of the bounce message. +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `0` +>>>>>> * max: `254` +>>>>>> * pattern: `[a-zA-Z0-9._+-]+@[a-zA-Z0-9.-]+` +>>>>>> + +>>>>> +>>>>> StatusCode -> (string) [required] +>>>>> +>>>>>> The enhanced status code for the bounce, in the format of x.y.z (e.g. 5.1.1). +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `5` +>>>>>> * max: `9` +>>>>>> * pattern: `[45]\.[0-9]{1,3}\.[0-9]{1,3}` +>>>>>> + +>>>>> +>>>>> SmtpReplyCode -> (string) [required] +>>>>> +>>>>>> The SMTP reply code for the bounce, as defined by RFC 5321. +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `3` +>>>>>> * max: `3` +>>>>>> * pattern: `[45][0-9][0-9]` +>>>>>> + +>>>>> +>>>>> DiagnosticMessage -> (string) [required] +>>>>> +>>>>>> The diagnostic message included in the Diagnostic-Code header of the bounce. +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `1` +>>>>>> * max: `256` +>>>>>> * pattern: `[\x20-\x7e]+` +>>>>>> + +>>>>> +>>>>> Message -> (string) +>>>>> +>>>>>> The human-readable text to include in the bounce message. +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `1` +>>>>>> * max: `500` +>>>>>> * pattern: `[\r\n\x20-\x7e]+` +>>>>>> + +>>>> +>>>> InvokeLambda -> (structure) +>>>> +>>>>> This action invokes an Amazon Web Services Lambda function to process the email. +>>>>> +>>>>> ActionFailurePolicy -> (string) +>>>>> +>>>>>> A policy that states what to do in the case of failure. The action will fail if there are configuration errors. For example, the Amazon Web Services Lambda function no longer exists. +>>>>>> +>>>>>> Possible values: +>>>>>> +>>>>>> * `CONTINUE` +>>>>>> * `DROP` +>>>>>> + +>>>>> +>>>>> FunctionArn -> (string) [required] +>>>>> +>>>>>> The Amazon Resource Name (ARN) of the Lambda function to invoke. +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `20` +>>>>>> * max: `2048` +>>>>>> * pattern: `[a-zA-Z0-9:_/+=,@.#-]+` +>>>>>> + +>>>>> +>>>>> InvocationType -> (string) [required] +>>>>> +>>>>>> The invocation type of the Lambda function. Use EVENT for asynchronous invocation or REQUEST_RESPONSE for synchronous invocation. +>>>>>> +>>>>>> Possible values: +>>>>>> +>>>>>> * `EVENT` +>>>>>> * `REQUEST_RESPONSE` +>>>>>> + +>>>>> +>>>>> RoleArn -> (string) [required] +>>>>> +>>>>>> The Amazon Resource Name (ARN) of the IAM role to use to invoke the Lambda function. +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `20` +>>>>>> * max: `2048` +>>>>>> * pattern: `[a-zA-Z0-9:_/+=,@.#-]+` +>>>>>> + +>>>>> +>>>>> RetryTimeMinutes -> (integer) +>>>>> +>>>>>> The maximum time in minutes that the email processing can be retried if the Lambda invocation fails. The maximum value is 2160 minutes (36 hours). +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `0` +>>>>>> * max: `2160` +>>>>>>