AWS Security ChangesHomeSearch

AWS cli medium security documentation change

Service: cli · 2026-04-28 · Security-related medium

File: cli/latest/reference/opensearch/create-domain.md

Summary

Added JwksUrl parameter to JWTOptions for OpenSearch domain creation

Security assessment

Added security feature documentation for JWT authentication. The new JwksUrl parameter allows specifying a URL for JSON Web Key Sets to verify JWT signatures, enhancing authentication security. The pattern constraint prevents internal network URLs, reducing SSRF risks.

Diff

diff --git a/cli/latest/reference/opensearch/create-domain.md b/cli/latest/reference/opensearch/create-domain.md
index 69200efd0..6b6ae1ad0 100644
--- a//cli/latest/reference/opensearch/create-domain.md
+++ b//cli/latest/reference/opensearch/create-domain.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.37 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.38 Command Reference](../../index.html) »
@@ -1166,0 +1167,12 @@ JSON Syntax:
+>> 
+>> JwksUrl -> (string)
+>>
+>>> The URL endpoint that hosts the JSON Web Key Set (JWKS) containing public keys used to verify JWT signatures.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `0`
+>>>   * max: `2048`
+>>>   * pattern: `^$|^https://(?!(?:10|127|169\.254|192\.168|172\.(?:1[6-9]|2[0-9]|3[01]))\.)[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*\.[a-zA-Z]{2,}(?::[0-9]{1,5})?(?:/[a-zA-Z0-9\-._~%!$&'()*+,;=:']*)?$`
+>>> 
+
@@ -1211 +1223 @@ Shorthand Syntax:
-    Enabled=boolean,InternalUserDatabaseEnabled=boolean,MasterUserOptions={MasterUserARN=string,MasterUserName=string,MasterUserPassword=string},SAMLOptions={Enabled=boolean,Idp={MetadataContent=string,EntityId=string},MasterUserName=string,MasterBackendRole=string,SubjectKey=string,RolesKey=string,SessionTimeoutMinutes=integer},JWTOptions={Enabled=boolean,SubjectKey=string,RolesKey=string,PublicKey=string},IAMFederationOptions={Enabled=boolean,SubjectKey=string,RolesKey=string},AnonymousAuthEnabled=boolean
+    Enabled=boolean,InternalUserDatabaseEnabled=boolean,MasterUserOptions={MasterUserARN=string,MasterUserName=string,MasterUserPassword=string},SAMLOptions={Enabled=boolean,Idp={MetadataContent=string,EntityId=string},MasterUserName=string,MasterBackendRole=string,SubjectKey=string,RolesKey=string,SessionTimeoutMinutes=integer},JWTOptions={Enabled=boolean,SubjectKey=string,RolesKey=string,JwksUrl=string,PublicKey=string},IAMFederationOptions={Enabled=boolean,SubjectKey=string,RolesKey=string},AnonymousAuthEnabled=boolean
@@ -1240,0 +1253 @@ JSON Syntax:
+        "JwksUrl": "string",
@@ -2663,0 +2677,12 @@ DomainStatus -> (structure)
+>>> 
+>>> JwksUrl -> (string)
+>>>
+>>>> The configured JWKS URL endpoint from which the cluster retrieves public keys to verify JWT requests.
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * min: `0`
+>>>>   * max: `2048`
+>>>>   * pattern: `^$|^https://(?!(?:10|127|169\.254|192\.168|172\.(?:1[6-9]|2[0-9]|3[01]))\.)[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*\.[a-zA-Z]{2,}(?::[0-9]{1,5})?(?:/[a-zA-Z0-9\-._~%!$&'()*+,;=:']*)?$`
+>>>> 
+
@@ -3061 +3086 @@ DomainStatus -> (structure)
-  * [AWS CLI 2.34.37 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.38 Command Reference](../../index.html) »