AWS cli documentation change
Summary
Added support for ClientCertificateAttribute in condition expressions and new Bounce and InvokeLambda actions to AWS MailManager rule sets. Updated AWS CLI version reference from 2.34.20 to 2.34.21.
Security assessment
The changes add documentation for new security-related features: 1) ClientCertificateAttribute allows evaluating TLS client certificate attributes (CN, SAN fields, serial number) for authentication and authorization decisions in email rules. 2) Bounce action provides controlled email rejection with configurable failure policies. 3) InvokeLambda action enables custom email processing with IAM role-based permissions. These are feature additions rather than fixes for specific security vulnerabilities.
Diff
diff --git a/cli/latest/reference/mailmanager/update-rule-set.md b/cli/latest/reference/mailmanager/update-rule-set.md index dc7f5b103..1936fa514 100644 --- a//cli/latest/reference/mailmanager/update-rule-set.md +++ b//cli/latest/reference/mailmanager/update-rule-set.md @@ -15 +15 @@ - * [AWS CLI 2.34.20 Command Reference](../../index.html) » + * [AWS CLI 2.34.21 Command Reference](../../index.html) » @@ -267 +267 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/mailma ->>>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `Attribute`, `MimeHeaderAttribute`, `Analysis`. +>>>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `Attribute`, `MimeHeaderAttribute`, `Analysis`, `ClientCertificateAttribute`. @@ -320,0 +321,17 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/mailma +>>>>>> +>>>>>> ClientCertificateAttribute -> (string) +>>>>>> +>>>>>>> The client certificate attribute to evaluate in a string condition expression. +>>>>>>> +>>>>>>> Possible values: +>>>>>>> +>>>>>>> * `CN` +>>>>>>> * `SAN_RFC822_NAME` +>>>>>>> * `SAN_DNS_NAME` +>>>>>>> * `SAN_DIRECTORY_NAME` +>>>>>>> * `SAN_UNIFORM_RESOURCE_IDENTIFIER` +>>>>>>> * `SAN_IP_ADDRESS` +>>>>>>> * `SAN_REGISTERED_ID` +>>>>>>> * `SERIAL_NUMBER` +>>>>>>> + @@ -691 +708 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/mailma ->>>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `Attribute`, `MimeHeaderAttribute`, `Analysis`. +>>>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `Attribute`, `MimeHeaderAttribute`, `Analysis`, `ClientCertificateAttribute`. @@ -744,0 +762,17 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/mailma +>>>>>> +>>>>>> ClientCertificateAttribute -> (string) +>>>>>> +>>>>>>> The client certificate attribute to evaluate in a string condition expression. +>>>>>>> +>>>>>>> Possible values: +>>>>>>> +>>>>>>> * `CN` +>>>>>>> * `SAN_RFC822_NAME` +>>>>>>> * `SAN_DNS_NAME` +>>>>>>> * `SAN_DIRECTORY_NAME` +>>>>>>> * `SAN_UNIFORM_RESOURCE_IDENTIFIER` +>>>>>>> * `SAN_IP_ADDRESS` +>>>>>>> * `SAN_REGISTERED_ID` +>>>>>>> * `SERIAL_NUMBER` +>>>>>>> + @@ -1010 +1044 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/mailma ->>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `Drop`, `Relay`, `Archive`, `WriteToS3`, `Send`, `AddHeader`, `ReplaceRecipient`, `DeliverToMailbox`, `DeliverToQBusiness`, `PublishToSns`. +>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `Drop`, `Relay`, `Archive`, `WriteToS3`, `Send`, `AddHeader`, `ReplaceRecipient`, `DeliverToMailbox`, `DeliverToQBusiness`, `PublishToSns`, `Bounce`, `InvokeLambda`. @@ -1372,0 +1407,148 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/mailma +>>>> +>>>> Bounce -> (structure) +>>>> +>>>>> This action sends a bounce response for the email. +>>>>> +>>>>> ActionFailurePolicy -> (string) +>>>>> +>>>>>> A policy that states what to do in the case of failure. The action will fail if there are configuration errors. For example, the caller does not have the permissions to call the SendBounce API. +>>>>>> +>>>>>> Possible values: +>>>>>> +>>>>>> * `CONTINUE` +>>>>>> * `DROP` +>>>>>> + +>>>>> +>>>>> RoleArn -> (string) [required] +>>>>> +>>>>>> The Amazon Resource Name (ARN) of the IAM role to use to send the bounce message. +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `20` +>>>>>> * max: `2048` +>>>>>> * pattern: `[a-zA-Z0-9:_/+=,@.#-]+` +>>>>>> + +>>>>> +>>>>> Sender -> (string) [required] +>>>>> +>>>>>> The sender email address of the bounce message. +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `0` +>>>>>> * max: `254` +>>>>>> * pattern: `[a-zA-Z0-9._+-]+@[a-zA-Z0-9.-]+` +>>>>>> + +>>>>> +>>>>> StatusCode -> (string) [required] +>>>>> +>>>>>> The enhanced status code for the bounce, in the format of x.y.z (e.g. 5.1.1). +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `5` +>>>>>> * max: `9` +>>>>>> * pattern: `[45]\.[0-9]{1,3}\.[0-9]{1,3}` +>>>>>> + +>>>>> +>>>>> SmtpReplyCode -> (string) [required] +>>>>> +>>>>>> The SMTP reply code for the bounce, as defined by RFC 5321. +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `3` +>>>>>> * max: `3` +>>>>>> * pattern: `[45][0-9][0-9]` +>>>>>> + +>>>>> +>>>>> DiagnosticMessage -> (string) [required] +>>>>> +>>>>>> The diagnostic message included in the Diagnostic-Code header of the bounce. +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `1` +>>>>>> * max: `256` +>>>>>> * pattern: `[\x20-\x7e]+` +>>>>>> + +>>>>> +>>>>> Message -> (string) +>>>>> +>>>>>> The human-readable text to include in the bounce message. +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `1` +>>>>>> * max: `500` +>>>>>> * pattern: `[\r\n\x20-\x7e]+` +>>>>>> + +>>>> +>>>> InvokeLambda -> (structure) +>>>> +>>>>> This action invokes an Amazon Web Services Lambda function to process the email. +>>>>> +>>>>> ActionFailurePolicy -> (string) +>>>>> +>>>>>> A policy that states what to do in the case of failure. The action will fail if there are configuration errors. For example, the Amazon Web Services Lambda function no longer exists. +>>>>>> +>>>>>> Possible values: +>>>>>> +>>>>>> * `CONTINUE` +>>>>>> * `DROP` +>>>>>> + +>>>>> +>>>>> FunctionArn -> (string) [required] +>>>>> +>>>>>> The Amazon Resource Name (ARN) of the Lambda function to invoke. +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `20` +>>>>>> * max: `2048` +>>>>>> * pattern: `[a-zA-Z0-9:_/+=,@.#-]+` +>>>>>> + +>>>>> +>>>>> InvocationType -> (string) [required] +>>>>> +>>>>>> The invocation type of the Lambda function. Use EVENT for asynchronous invocation or REQUEST_RESPONSE for synchronous invocation. +>>>>>> +>>>>>> Possible values: +>>>>>> +>>>>>> * `EVENT` +>>>>>> * `REQUEST_RESPONSE` +>>>>>> + +>>>>> +>>>>> RoleArn -> (string) [required] +>>>>> +>>>>>> The Amazon Resource Name (ARN) of the IAM role to use to invoke the Lambda function. +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `20` +>>>>>> * max: `2048` +>>>>>> * pattern: `[a-zA-Z0-9:_/+=,@.#-]+` +>>>>>> + +>>>>> +>>>>> RetryTimeMinutes -> (integer) +>>>>> +>>>>>> The maximum time in minutes that the email processing can be retried if the Lambda invocation fails. The maximum value is 2160 minutes (36 hours). +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `0` +>>>>>> * max: `2160` +>>>>>>