AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-04-19 · Documentation low

File: cli/latest/reference/appstream/update-stack.md

Summary

Added new --content-redirection parameter for bidirectional URL redirection configuration between streaming session and local client, including allowed and denied URL patterns

Security assessment

Adds documentation for a new security feature that controls URL redirection from remote desktop to local browser, with allow/deny lists to restrict redirects. This helps prevent open redirects and unauthorized navigation, but no evidence of addressing a specific security vulnerability.

Diff

diff --git a/cli/latest/reference/appstream/update-stack.md b/cli/latest/reference/appstream/update-stack.md
index 10d74b73b..82f74e095 100644
--- a//cli/latest/reference/appstream/update-stack.md
+++ b//cli/latest/reference/appstream/update-stack.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.29 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.32 Command Reference](../../index.html) »
@@ -79,0 +80 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/appstr
+    [--content-redirection <value>]
@@ -495,0 +497,76 @@ JSON Syntax:
+`--content-redirection` (structure)
+
+> Configuration for bidirectional URL redirection between the streaming session and the local client. Use HostToClient to redirect URLs from the remote desktop to the local browser.
+> 
+> HostToClient -> (structure)
+>
+>> Configuration for redirecting URLs from the remote desktop to the local client browser.
+>> 
+>> Enabled -> (boolean) [required]
+>>
+>>> Whether URL redirection is enabled for this direction.
+>> 
+>> AllowedUrls -> (list)
+>>
+>>> List of URL patterns that are allowed to be redirected. URLs matching these patterns will be redirected unless they also match a pattern in the denied list.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `0`
+>>>   * max: `100`
+>>> 
+
+>>> 
+>>> (string)
+>>>
+>>>> A glob pattern using wildcards (* for zero or more characters, ? for exactly one character) to match URLs for redirection rules. Patterns do not include a protocol prefix; HTTPS is enforced automatically. Valid examples: _, *.example.com, github.com/myorg/_ , api?.example.com Invalid examples: <https://example.com> (no protocol), empty string
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `2048`
+>>>>   * pattern: `^(\*|https?://[^\s,;]+)$`
+>>>> 
+
+>> 
+>> DeniedUrls -> (list)
+>>
+>>> List of URL patterns that are denied from redirection. This list takes precedence over the allowed list.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `0`
+>>>   * max: `100`
+>>> 
+
+>>> 
+>>> (string)
+>>>
+>>>> A glob pattern using wildcards (* for zero or more characters, ? for exactly one character) to match URLs for redirection rules. Patterns do not include a protocol prefix; HTTPS is enforced automatically. Valid examples: _, *.example.com, github.com/myorg/_ , api?.example.com Invalid examples: <https://example.com> (no protocol), empty string
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `2048`
+>>>>   * pattern: `^(\*|https?://[^\s,;]+)$`
+>>>> 
+
+
+Shorthand Syntax:
+    
+    
+    HostToClient={Enabled=boolean,AllowedUrls=[string,string],DeniedUrls=[string,string]}
+    
+
+JSON Syntax:
+    
+    
+    {
+      "HostToClient": {
+        "Enabled": true|false,
+        "AllowedUrls": ["string", ...],
+        "DeniedUrls": ["string", ...]
+      }
+    }
+    
+
@@ -999 +1076 @@ Stack -> (structure)
-  * [AWS CLI 2.34.29 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.32 Command Reference](../../index.html) »