AWS cli documentation change
Summary
Added support for cross-account key imports via resource-based policies, introduced requester-comment field with security warning, and added Multi-Party Approval (MPA) status documentation.
Security assessment
The change adds documentation for resource-based policies enabling cross-account access (security feature), includes explicit warnings about avoiding sensitive data in requester-comment due to CloudTrail exposure (security best practice), and documents MPA approval workflow (security control). No evidence of addressing a specific vulnerability.
Diff
diff --git a/cli/latest/reference/payment-cryptography/import-key.md b/cli/latest/reference/payment-cryptography/import-key.md index a6964ed93..060ca6db6 100644 --- a//cli/latest/reference/payment-cryptography/import-key.md +++ b//cli/latest/reference/payment-cryptography/import-key.md @@ -14,2 +14,2 @@ - * [previous](get-public-key-certificate.html "get-public-key-certificate") | - * [AWS CLI 2.34.38 Command Reference](../../index.html) » + * [previous](get-resource-policy.html "get-resource-policy") | + * [AWS CLI 2.34.40 Command Reference](../../index.html) » @@ -22 +22 @@ - * [← get-public-key-certificate](get-public-key-certificate.html "previous chapter \(use the left arrow\)") / + * [← get-resource-policy](get-resource-policy.html "previous chapter \(use the left arrow\)") / @@ -142 +142 @@ To initiate a TR-31 key import using ECDH, both sides must create an ECC key pai -> **Cross-account use:** This operation can’t be used across different Amazon Web Services accounts. +> **Cross-account use:** This operation supports cross-account use when the key has a resource-based policy that grants access. For more information, see [Resource-based policies](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/security_iam_resource-based-policies.html) . @@ -161,0 +162 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/paymen + [--requester-comment <value>] @@ -1203,0 +1205,15 @@ Syntax: +`--requester-comment` (string) + +> The comment from the requester explaining the reason for the import. +> +> ### Warning +> +> Don’t include personal, confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output. +> +> Constraints: +> +> * min: `0` +> * max: `200` +> + + @@ -1699,0 +1716,44 @@ Key -> (structure) +> +> MpaStatus -> (structure) +> +>> The Multi-Party Approval (MPA) status for the key, if applicable. +>> +>> MpaSessionArn -> (string) [required] +>> +>>> The ARN of the MPA session. +>>> +>>> Constraints: +>>> +>>> * min: `20` +>>> * max: `2048` +>>> * pattern: `arn:aws(-[^:]+)?:mpa:[a-z0-9-]{1,20}:[0-9]{12}:session/[a-zA-Z0-9._-]+/[a-zA-Z0-9_-]+` +>>> + +>> +>> Status -> (string) [required] +>> +>>> The current status of the MPA session. +>>> +>>> Possible values: +>>> +>>> * `PENDING` +>>> * `APPROVED` +>>> * `FAILED` +>>> * `CANCELLED` +>>> + +>> +>> InitiationDate -> (timestamp) [required] +>> +>>> The date and time when the MPA session was initiated. +>> +>> StatusMessage -> (string) +>> +>>> The message providing additional information about the MPA session status. +>>> +>>> Constraints: +>>> +>>> * min: `0` +>>> * max: `1000` +>>> + @@ -1701 +1761 @@ Key -> (structure) - * [← get-public-key-certificate](get-public-key-certificate.html "previous chapter \(use the left arrow\)") / + * [← get-resource-policy](get-resource-policy.html "previous chapter \(use the left arrow\)") / @@ -1710,2 +1770,2 @@ Key -> (structure) - * [previous](get-public-key-certificate.html "get-public-key-certificate") | - * [AWS CLI 2.34.38 Command Reference](../../index.html) » + * [previous](get-resource-policy.html "get-resource-policy") | + * [AWS CLI 2.34.40 Command Reference](../../index.html) »