AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-05-19 · Documentation low

File: cli/latest/reference/ec2/allocate-ipam-pool-cidr.md

Summary

Added --tag-specifications parameter documentation and tag support for IPAM pool allocations

Security assessment

The changes add tagging capabilities to IPAM pool allocations, which is a resource management feature. While tags can be used in security policies, this is not a security-specific feature nor does it address any security vulnerability. The documentation includes standard tag constraints but no security context.

Diff

diff --git a/cli/latest/reference/ec2/allocate-ipam-pool-cidr.md b/cli/latest/reference/ec2/allocate-ipam-pool-cidr.md
index 1da7149cf..dcfcce882 100644
--- a//cli/latest/reference/ec2/allocate-ipam-pool-cidr.md
+++ b//cli/latest/reference/ec2/allocate-ipam-pool-cidr.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.48 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.49 Command Reference](../../index.html) »
@@ -82,0 +83 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/ec2-20
+    [--tag-specifications <value>]
@@ -173,0 +175,175 @@ Syntax:
+`--tag-specifications` (list)
+
+> The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key `Owner` and the value `TeamA` , specify `tag:Owner` for the filter name and `TeamA` for the filter value.
+> 
+> If you specify tags, the request is authorized against the allocation resource in addition to the pool resource.
+> 
+> (structure)
+>
+>> The tags to apply to a resource when the resource is being created. When you specify a tag, you must specify the resource type to tag, otherwise the request will fail.
+>> 
+>> ### Note
+>> 
+>> The `Valid Values` lists all the resource types that can be tagged. However, the action you’re using might not support tagging all of these resource types. If you try to tag a resource type that is unsupported for the action you’re using, you’ll get an error.
+>> 
+>> ResourceType -> (string)
+>>
+>>> The type of resource to tag on creation.
+>>> 
+>>> Possible values:
+>>> 
+>>>   * `capacity-reservation`
+>>>   * `client-vpn-endpoint`
+>>>   * `customer-gateway`
+>>>   * `carrier-gateway`
+>>>   * `coip-pool`
+>>>   * `declarative-policies-report`
+>>>   * `dedicated-host`
+>>>   * `dhcp-options`
+>>>   * `egress-only-internet-gateway`
+>>>   * `elastic-ip`
+>>>   * `elastic-gpu`
+>>>   * `export-image-task`
+>>>   * `export-instance-task`
+>>>   * `fleet`
+>>>   * `fpga-image`
+>>>   * `host-reservation`
+>>>   * `image`
+>>>   * `image-usage-report`
+>>>   * `import-image-task`
+>>>   * `import-snapshot-task`
+>>>   * `instance`
+>>>   * `instance-event-window`
+>>>   * `internet-gateway`
+>>>   * `ipam`
+>>>   * `ipam-pool`
+>>>   * `ipam-scope`
+>>>   * `ipv4pool-ec2`
+>>>   * `ipv6pool-ec2`
+>>>   * `key-pair`
+>>>   * `launch-template`
+>>>   * `local-gateway`
+>>>   * `local-gateway-route-table`
+>>>   * `local-gateway-virtual-interface`
+>>>   * `local-gateway-virtual-interface-group`
+>>>   * `local-gateway-route-table-vpc-association`
+>>>   * `local-gateway-route-table-virtual-interface-group-association`
+>>>   * `natgateway`
+>>>   * `network-acl`
+>>>   * `network-interface`
+>>>   * `network-insights-analysis`
+>>>   * `network-insights-path`
+>>>   * `network-insights-access-scope`
+>>>   * `network-insights-access-scope-analysis`
+>>>   * `outpost-lag`
+>>>   * `placement-group`
+>>>   * `prefix-list`
+>>>   * `replace-root-volume-task`
+>>>   * `reserved-instances`
+>>>   * `route-table`
+>>>   * `security-group`
+>>>   * `security-group-rule`
+>>>   * `service-link-virtual-interface`
+>>>   * `snapshot`
+>>>   * `spot-fleet-request`
+>>>   * `spot-instances-request`
+>>>   * `subnet`
+>>>   * `subnet-cidr-reservation`
+>>>   * `traffic-mirror-filter`
+>>>   * `traffic-mirror-session`
+>>>   * `traffic-mirror-target`
+>>>   * `transit-gateway`
+>>>   * `transit-gateway-attachment`
+>>>   * `transit-gateway-connect-peer`
+>>>   * `transit-gateway-multicast-domain`
+>>>   * `transit-gateway-policy-table`
+>>>   * `transit-gateway-metering-policy`
+>>>   * `transit-gateway-route-table`
+>>>   * `transit-gateway-route-table-announcement`
+>>>   * `volume`
+>>>   * `vpc`
+>>>   * `vpc-endpoint`
+>>>   * `vpc-endpoint-connection`
+>>>   * `vpc-endpoint-service`
+>>>   * `vpc-endpoint-service-permission`
+>>>   * `vpc-peering-connection`
+>>>   * `vpn-connection`
+>>>   * `vpn-gateway`
+>>>   * `vpc-flow-log`
+>>>   * `capacity-reservation-fleet`
+>>>   * `traffic-mirror-filter-rule`
+>>>   * `vpc-endpoint-connection-device-type`
+>>>   * `verified-access-instance`
+>>>   * `verified-access-group`
+>>>   * `verified-access-endpoint`
+>>>   * `verified-access-policy`
+>>>   * `verified-access-trust-provider`
+>>>   * `vpn-connection-device-type`
+>>>   * `vpc-block-public-access-exclusion`
+>>>   * `vpc-encryption-control`
+>>>   * `route-server`
+>>>   * `route-server-endpoint`
+>>>   * `route-server-peer`
+>>>   * `ipam-resource-discovery`
+>>>   * `ipam-resource-discovery-association`
+>>>   * `instance-connect-endpoint`
+>>>   * `verified-access-endpoint-target`
+>>>   * `ipam-external-resource-verification-token`
+>>>   * `capacity-block`
+>>>   * `mac-modification-task`
+>>>   * `ipam-prefix-list-resolver`
+>>>   * `ipam-policy`
+>>>   * `ipam-prefix-list-resolver-target`
+>>>   * `secondary-interface`
+>>>   * `secondary-network`
+>>>   * `secondary-subnet`
+>>>   * `capacity-manager-data-export`
+>>>   * `vpn-concentrator`
+>>>   * `ipam-pool-allocation`
+>>> 
+
+>> 
+>> Tags -> (list)
+>>
+>>> The tags to apply to the resource.
+>>> 
+>>> (structure)
+>>>
+>>>> Describes a tag.
+>>>> 
+>>>> Key -> (string)
+>>>>
+>>>>> The key of the tag.
+>>>>> 
+>>>>> Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with `aws:` .
+>>>> 
+>>>> Value -> (string)
+>>>>
+>>>>> The value of the tag.
+>>>>> 
+>>>>> Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
+
+Shorthand Syntax:
+    
+    
+    ResourceType=string,Tags=[{Key=string,Value=string},{Key=string,Value=string}] ...
+    
+
+JSON Syntax:
+    
+    
+    [
+      {
+        "ResourceType": "capacity-reservation"|"client-vpn-endpoint"|"customer-gateway"|"carrier-gateway"|"coip-pool"|"declarative-policies-report"|"dedicated-host"|"dhcp-options"|"egress-only-internet-gateway"|"elastic-ip"|"elastic-gpu"|"export-image-task"|"export-instance-task"|"fleet"|"fpga-image"|"host-reservation"|"image"|"image-usage-report"|"import-image-task"|"import-snapshot-task"|"instance"|"instance-event-window"|"internet-gateway"|"ipam"|"ipam-pool"|"ipam-scope"|"ipv4pool-ec2"|"ipv6pool-ec2"|"key-pair"|"launch-template"|"local-gateway"|"local-gateway-route-table"|"local-gateway-virtual-interface"|"local-gateway-virtual-interface-group"|"local-gateway-route-table-vpc-association"|"local-gateway-route-table-virtual-interface-group-association"|"natgateway"|"network-acl"|"network-interface"|"network-insights-analysis"|"network-insights-path"|"network-insights-access-scope"|"network-insights-access-scope-analysis"|"outpost-lag"|"placement-group"|"prefix-list"|"replace-root-volume-task"|"reserved-instances"|"route-table"|"security-group"|"security-group-rule"|"service-link-virtual-interface"|"snapshot"|"spot-fleet-request"|"spot-instances-request"|"subnet"|"subnet-cidr-reservation"|"traffic-mirror-filter"|"traffic-mirror-session"|"traffic-mirror-target"|"transit-gateway"|"transit-gateway-attachment"|"transit-gateway-connect-peer"|"transit-gateway-multicast-domain"|"transit-gateway-policy-table"|"transit-gateway-metering-policy"|"transit-gateway-route-table"|"transit-gateway-route-table-announcement"|"volume"|"vpc"|"vpc-endpoint"|"vpc-endpoint-connection"|"vpc-endpoint-service"|"vpc-endpoint-service-permission"|"vpc-peering-connection"|"vpn-connection"|"vpn-gateway"|"vpc-flow-log"|"capacity-reservation-fleet"|"traffic-mirror-filter-rule"|"vpc-endpoint-connection-device-type"|"verified-access-instance"|"verified-access-group"|"verified-access-endpoint"|"verified-access-policy"|"verified-access-trust-provider"|"vpn-connection-device-type"|"vpc-block-public-access-exclusion"|"vpc-encryption-control"|"route-server"|"route-server-endpoint"|"route-server-peer"|"ipam-resource-discovery"|"ipam-resource-discovery-association"|"instance-connect-endpoint"|"verified-access-endpoint-target"|"ipam-external-resource-verification-token"|"capacity-block"|"mac-modification-task"|"ipam-prefix-list-resolver"|"ipam-policy"|"ipam-prefix-list-resolver-target"|"secondary-interface"|"secondary-network"|"secondary-subnet"|"capacity-manager-data-export"|"vpn-concentrator"|"ipam-pool-allocation",
+        "Tags": [
+          {
+            "Key": "string",
+            "Value": "string"
+          }
+          ...
+        ]
+      }
+      ...
+    ]
+    
+
@@ -372,0 +549,20 @@ IpamPoolAllocation -> (structure)
+> 
+> Tags -> (list)
+>
+>> The tags for the IPAM pool allocation.
+>> 
+>> (structure)
+>>
+>>> Describes a tag.
+>>> 
+>>> Key -> (string)
+>>>
+>>>> The key of the tag.
+>>>> 
+>>>> Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with `aws:` .