AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-05-01 · Documentation medium

File: cli/latest/reference/payment-cryptography/import-key.md

Summary

Added support for cross-account key imports via resource-based policies, introduced requester-comment field with security warning, and added Multi-Party Approval (MPA) status documentation.

Security assessment

The change adds documentation for resource-based policies enabling cross-account access (security feature), includes explicit warnings about avoiding sensitive data in requester-comment due to CloudTrail exposure (security best practice), and documents MPA approval workflow (security control). No evidence of addressing a specific vulnerability.

Diff

diff --git a/cli/latest/reference/payment-cryptography/import-key.md b/cli/latest/reference/payment-cryptography/import-key.md
index a6964ed93..060ca6db6 100644
--- a//cli/latest/reference/payment-cryptography/import-key.md
+++ b//cli/latest/reference/payment-cryptography/import-key.md
@@ -14,2 +14,2 @@
-  * [previous](get-public-key-certificate.html "get-public-key-certificate") |
-  * [AWS CLI 2.34.38 Command Reference](../../index.html) »
+  * [previous](get-resource-policy.html "get-resource-policy") |
+  * [AWS CLI 2.34.40 Command Reference](../../index.html) »
@@ -22 +22 @@
-  * [← get-public-key-certificate](get-public-key-certificate.html "previous chapter \(use the left arrow\)") /
+  * [← get-resource-policy](get-resource-policy.html "previous chapter \(use the left arrow\)") /
@@ -142 +142 @@ To initiate a TR-31 key import using ECDH, both sides must create an ECC key pai
-> **Cross-account use:** This operation can’t be used across different Amazon Web Services accounts.
+> **Cross-account use:** This operation supports cross-account use when the key has a resource-based policy that grants access. For more information, see [Resource-based policies](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/security_iam_resource-based-policies.html) .
@@ -161,0 +162 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/paymen
+    [--requester-comment <value>]
@@ -1203,0 +1205,15 @@ Syntax:
+`--requester-comment` (string)
+
+> The comment from the requester explaining the reason for the import.
+> 
+> ### Warning
+> 
+> Don’t include personal, confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.
+> 
+> Constraints:
+> 
+>   * min: `0`
+>   * max: `200`
+> 
+
+
@@ -1699,0 +1716,44 @@ Key -> (structure)
+> 
+> MpaStatus -> (structure)
+>
+>> The Multi-Party Approval (MPA) status for the key, if applicable.
+>> 
+>> MpaSessionArn -> (string) [required]
+>>
+>>> The ARN of the MPA session.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `20`
+>>>   * max: `2048`
+>>>   * pattern: `arn:aws(-[^:]+)?:mpa:[a-z0-9-]{1,20}:[0-9]{12}:session/[a-zA-Z0-9._-]+/[a-zA-Z0-9_-]+`
+>>> 
+
+>> 
+>> Status -> (string) [required]
+>>
+>>> The current status of the MPA session.
+>>> 
+>>> Possible values:
+>>> 
+>>>   * `PENDING`
+>>>   * `APPROVED`
+>>>   * `FAILED`
+>>>   * `CANCELLED`
+>>> 
+
+>> 
+>> InitiationDate -> (timestamp) [required]
+>>
+>>> The date and time when the MPA session was initiated.
+>> 
+>> StatusMessage -> (string)
+>>
+>>> The message providing additional information about the MPA session status.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `0`
+>>>   * max: `1000`
+>>> 
+
@@ -1701 +1761 @@ Key -> (structure)
-  * [← get-public-key-certificate](get-public-key-certificate.html "previous chapter \(use the left arrow\)") /
+  * [← get-resource-policy](get-resource-policy.html "previous chapter \(use the left arrow\)") /
@@ -1710,2 +1770,2 @@ Key -> (structure)
-  * [previous](get-public-key-certificate.html "get-public-key-certificate") |
-  * [AWS CLI 2.34.38 Command Reference](../../index.html) »
+  * [previous](get-resource-policy.html "get-resource-policy") |
+  * [AWS CLI 2.34.40 Command Reference](../../index.html) »