AWS cli medium security documentation change
Summary
Added JwksUrl parameter to JWTOptions for OpenSearch domain creation
Security assessment
Added security feature documentation for JWT authentication. The new JwksUrl parameter allows specifying a URL for JSON Web Key Sets to verify JWT signatures, enhancing authentication security. The pattern constraint prevents internal network URLs, reducing SSRF risks.
Diff
diff --git a/cli/latest/reference/opensearch/create-domain.md b/cli/latest/reference/opensearch/create-domain.md index 69200efd0..6b6ae1ad0 100644 --- a//cli/latest/reference/opensearch/create-domain.md +++ b//cli/latest/reference/opensearch/create-domain.md @@ -15 +15 @@ - * [AWS CLI 2.34.37 Command Reference](../../index.html) » + * [AWS CLI 2.34.38 Command Reference](../../index.html) » @@ -1166,0 +1167,12 @@ JSON Syntax: +>> +>> JwksUrl -> (string) +>> +>>> The URL endpoint that hosts the JSON Web Key Set (JWKS) containing public keys used to verify JWT signatures. +>>> +>>> Constraints: +>>> +>>> * min: `0` +>>> * max: `2048` +>>> * pattern: `^$|^https://(?!(?:10|127|169\.254|192\.168|172\.(?:1[6-9]|2[0-9]|3[01]))\.)[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*\.[a-zA-Z]{2,}(?::[0-9]{1,5})?(?:/[a-zA-Z0-9\-._~%!$&'()*+,;=:']*)?$` +>>> + @@ -1211 +1223 @@ Shorthand Syntax: - Enabled=boolean,InternalUserDatabaseEnabled=boolean,MasterUserOptions={MasterUserARN=string,MasterUserName=string,MasterUserPassword=string},SAMLOptions={Enabled=boolean,Idp={MetadataContent=string,EntityId=string},MasterUserName=string,MasterBackendRole=string,SubjectKey=string,RolesKey=string,SessionTimeoutMinutes=integer},JWTOptions={Enabled=boolean,SubjectKey=string,RolesKey=string,PublicKey=string},IAMFederationOptions={Enabled=boolean,SubjectKey=string,RolesKey=string},AnonymousAuthEnabled=boolean + Enabled=boolean,InternalUserDatabaseEnabled=boolean,MasterUserOptions={MasterUserARN=string,MasterUserName=string,MasterUserPassword=string},SAMLOptions={Enabled=boolean,Idp={MetadataContent=string,EntityId=string},MasterUserName=string,MasterBackendRole=string,SubjectKey=string,RolesKey=string,SessionTimeoutMinutes=integer},JWTOptions={Enabled=boolean,SubjectKey=string,RolesKey=string,JwksUrl=string,PublicKey=string},IAMFederationOptions={Enabled=boolean,SubjectKey=string,RolesKey=string},AnonymousAuthEnabled=boolean @@ -1240,0 +1253 @@ JSON Syntax: + "JwksUrl": "string", @@ -2663,0 +2677,12 @@ DomainStatus -> (structure) +>>> +>>> JwksUrl -> (string) +>>> +>>>> The configured JWKS URL endpoint from which the cluster retrieves public keys to verify JWT requests. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `0` +>>>> * max: `2048` +>>>> * pattern: `^$|^https://(?!(?:10|127|169\.254|192\.168|172\.(?:1[6-9]|2[0-9]|3[01]))\.)[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*\.[a-zA-Z]{2,}(?::[0-9]{1,5})?(?:/[a-zA-Z0-9\-._~%!$&'()*+,;=:']*)?$` +>>>> + @@ -3061 +3086 @@ DomainStatus -> (structure) - * [AWS CLI 2.34.37 Command Reference](../../index.html) » + * [AWS CLI 2.34.38 Command Reference](../../index.html) »