AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-04-01 · Documentation low

File: cli/latest/reference/mailmanager/get-rule-set.md

Summary

Updated AWS CLI documentation for mailmanager get-rule-set command to add ClientCertificateAttribute condition type and Bounce/InvokeLambda action types, and updated version reference from 2.34.20 to 2.34.21

Security assessment

The change adds documentation for ClientCertificateAttribute condition which enables evaluating client certificate attributes (CN, SAN fields, serial number) for security filtering. It also adds Bounce action for sending bounce responses and InvokeLambda for custom processing. These are security-related features for email filtering and processing, but there's no evidence this addresses a specific security vulnerability.

Diff

diff --git a/cli/latest/reference/mailmanager/get-rule-set.md b/cli/latest/reference/mailmanager/get-rule-set.md
index 484b374ee..d22cc0623 100644
--- a//cli/latest/reference/mailmanager/get-rule-set.md
+++ b//cli/latest/reference/mailmanager/get-rule-set.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.20 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.21 Command Reference](../../index.html) »
@@ -401 +401 @@ Rules -> (list)
->>>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `Attribute`, `MimeHeaderAttribute`, `Analysis`.
+>>>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `Attribute`, `MimeHeaderAttribute`, `Analysis`, `ClientCertificateAttribute`.
@@ -454,0 +455,17 @@ Rules -> (list)
+>>>>>> 
+>>>>>> ClientCertificateAttribute -> (string)
+>>>>>>
+>>>>>>> The client certificate attribute to evaluate in a string condition expression.
+>>>>>>> 
+>>>>>>> Possible values:
+>>>>>>> 
+>>>>>>>   * `CN`
+>>>>>>>   * `SAN_RFC822_NAME`
+>>>>>>>   * `SAN_DNS_NAME`
+>>>>>>>   * `SAN_DIRECTORY_NAME`
+>>>>>>>   * `SAN_UNIFORM_RESOURCE_IDENTIFIER`
+>>>>>>>   * `SAN_IP_ADDRESS`
+>>>>>>>   * `SAN_REGISTERED_ID`
+>>>>>>>   * `SERIAL_NUMBER`
+>>>>>>> 
+
@@ -825 +842 @@ Rules -> (list)
->>>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `Attribute`, `MimeHeaderAttribute`, `Analysis`.
+>>>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `Attribute`, `MimeHeaderAttribute`, `Analysis`, `ClientCertificateAttribute`.
@@ -878,0 +896,17 @@ Rules -> (list)
+>>>>>> 
+>>>>>> ClientCertificateAttribute -> (string)
+>>>>>>
+>>>>>>> The client certificate attribute to evaluate in a string condition expression.
+>>>>>>> 
+>>>>>>> Possible values:
+>>>>>>> 
+>>>>>>>   * `CN`
+>>>>>>>   * `SAN_RFC822_NAME`
+>>>>>>>   * `SAN_DNS_NAME`
+>>>>>>>   * `SAN_DIRECTORY_NAME`
+>>>>>>>   * `SAN_UNIFORM_RESOURCE_IDENTIFIER`
+>>>>>>>   * `SAN_IP_ADDRESS`
+>>>>>>>   * `SAN_REGISTERED_ID`
+>>>>>>>   * `SERIAL_NUMBER`
+>>>>>>> 
+
@@ -1144 +1178 @@ Rules -> (list)
->>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `Drop`, `Relay`, `Archive`, `WriteToS3`, `Send`, `AddHeader`, `ReplaceRecipient`, `DeliverToMailbox`, `DeliverToQBusiness`, `PublishToSns`.
+>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `Drop`, `Relay`, `Archive`, `WriteToS3`, `Send`, `AddHeader`, `ReplaceRecipient`, `DeliverToMailbox`, `DeliverToQBusiness`, `PublishToSns`, `Bounce`, `InvokeLambda`.
@@ -1506,0 +1541,148 @@ Rules -> (list)
+>>>> 
+>>>> Bounce -> (structure)
+>>>>
+>>>>> This action sends a bounce response for the email.
+>>>>> 
+>>>>> ActionFailurePolicy -> (string)
+>>>>>
+>>>>>> A policy that states what to do in the case of failure. The action will fail if there are configuration errors. For example, the caller does not have the permissions to call the SendBounce API.
+>>>>>> 
+>>>>>> Possible values:
+>>>>>> 
+>>>>>>   * `CONTINUE`
+>>>>>>   * `DROP`
+>>>>>> 
+
+>>>>> 
+>>>>> RoleArn -> (string) [required]
+>>>>>
+>>>>>> The Amazon Resource Name (ARN) of the IAM role to use to send the bounce message.
+>>>>>> 
+>>>>>> Constraints:
+>>>>>> 
+>>>>>>   * min: `20`
+>>>>>>   * max: `2048`
+>>>>>>   * pattern: `[a-zA-Z0-9:_/+=,@.#-]+`
+>>>>>> 
+
+>>>>> 
+>>>>> Sender -> (string) [required]
+>>>>>
+>>>>>> The sender email address of the bounce message.
+>>>>>> 
+>>>>>> Constraints:
+>>>>>> 
+>>>>>>   * min: `0`
+>>>>>>   * max: `254`
+>>>>>>   * pattern: `[a-zA-Z0-9._+-]+@[a-zA-Z0-9.-]+`
+>>>>>> 
+
+>>>>> 
+>>>>> StatusCode -> (string) [required]
+>>>>>
+>>>>>> The enhanced status code for the bounce, in the format of x.y.z (e.g. 5.1.1).
+>>>>>> 
+>>>>>> Constraints:
+>>>>>> 
+>>>>>>   * min: `5`
+>>>>>>   * max: `9`
+>>>>>>   * pattern: `[45]\.[0-9]{1,3}\.[0-9]{1,3}`
+>>>>>> 
+
+>>>>> 
+>>>>> SmtpReplyCode -> (string) [required]
+>>>>>
+>>>>>> The SMTP reply code for the bounce, as defined by RFC 5321.
+>>>>>> 
+>>>>>> Constraints:
+>>>>>> 
+>>>>>>   * min: `3`
+>>>>>>   * max: `3`
+>>>>>>   * pattern: `[45][0-9][0-9]`
+>>>>>> 
+
+>>>>> 
+>>>>> DiagnosticMessage -> (string) [required]
+>>>>>
+>>>>>> The diagnostic message included in the Diagnostic-Code header of the bounce.
+>>>>>> 
+>>>>>> Constraints:
+>>>>>> 
+>>>>>>   * min: `1`
+>>>>>>   * max: `256`
+>>>>>>   * pattern: `[\x20-\x7e]+`
+>>>>>> 
+
+>>>>> 
+>>>>> Message -> (string)
+>>>>>
+>>>>>> The human-readable text to include in the bounce message.
+>>>>>> 
+>>>>>> Constraints:
+>>>>>> 
+>>>>>>   * min: `1`
+>>>>>>   * max: `500`
+>>>>>>   * pattern: `[\r\n\x20-\x7e]+`
+>>>>>> 
+
+>>>> 
+>>>> InvokeLambda -> (structure)
+>>>>
+>>>>> This action invokes an Amazon Web Services Lambda function to process the email.
+>>>>> 
+>>>>> ActionFailurePolicy -> (string)
+>>>>>
+>>>>>> A policy that states what to do in the case of failure. The action will fail if there are configuration errors. For example, the Amazon Web Services Lambda function no longer exists.
+>>>>>> 
+>>>>>> Possible values:
+>>>>>> 
+>>>>>>   * `CONTINUE`
+>>>>>>   * `DROP`
+>>>>>> 
+
+>>>>> 
+>>>>> FunctionArn -> (string) [required]
+>>>>>
+>>>>>> The Amazon Resource Name (ARN) of the Lambda function to invoke.
+>>>>>> 
+>>>>>> Constraints:
+>>>>>> 
+>>>>>>   * min: `20`
+>>>>>>   * max: `2048`
+>>>>>>   * pattern: `[a-zA-Z0-9:_/+=,@.#-]+`
+>>>>>> 
+
+>>>>> 
+>>>>> InvocationType -> (string) [required]
+>>>>>
+>>>>>> The invocation type of the Lambda function. Use EVENT for asynchronous invocation or REQUEST_RESPONSE for synchronous invocation.
+>>>>>> 
+>>>>>> Possible values:
+>>>>>> 
+>>>>>>   * `EVENT`
+>>>>>>   * `REQUEST_RESPONSE`
+>>>>>> 
+
+>>>>> 
+>>>>> RoleArn -> (string) [required]
+>>>>>
+>>>>>> The Amazon Resource Name (ARN) of the IAM role to use to invoke the Lambda function.
+>>>>>> 
+>>>>>> Constraints:
+>>>>>> 
+>>>>>>   * min: `20`
+>>>>>>   * max: `2048`
+>>>>>>   * pattern: `[a-zA-Z0-9:_/+=,@.#-]+`
+>>>>>> 
+
+>>>>> 
+>>>>> RetryTimeMinutes -> (integer)
+>>>>>
+>>>>>> The maximum time in minutes that the email processing can be retried if the Lambda invocation fails. The maximum value is 2160 minutes (36 hours).
+>>>>>> 
+>>>>>> Constraints:
+>>>>>> 
+>>>>>>   * min: `0`
+>>>>>>   * max: `2160`
+>>>>>>