AWS cli documentation change
Summary
Added documentation for KeyConfiguration and IssuerConfiguration structures describing encryption key management and token issuer settings
Security assessment
The changes document security features related to encryption key management (AWS_OWNED_KEY vs CUSTOMER_MANAGED_KEY) and token issuer configurations (ORIGINAL vs UPDATED), but show no evidence of addressing a specific vulnerability
Diff
diff --git a/cli/latest/reference/cognito-idp/describe-user-pool.md b/cli/latest/reference/cognito-idp/describe-user-pool.md index c4c05b9bb..8854eef77 100644 --- a//cli/latest/reference/cognito-idp/describe-user-pool.md +++ b//cli/latest/reference/cognito-idp/describe-user-pool.md @@ -15 +15 @@ - * [AWS CLI 2.34.57 Command Reference](../../index.html) » + * [AWS CLI 2.34.61 Command Reference](../../index.html) » @@ -1755,0 +1756,62 @@ UserPool -> (structure) +> +> KeyConfiguration -> (structure) +> +>> The key configuration for the user pool, including encryption settings. +>> +>> KeyType -> (string) +>> +>>> The type of encryption key used for the user pool. +>>> +>>>> AWS_OWNED_KEY +>>> +>>> A key owned by Amazon Web Services in Key Management Service. +>>> +>>>> CUSTOMER_MANAGED_KEY +>>> +>>> A key managed by the customer in Key Management Service. You must use a multi-region key to enable multi-region replication for a user pool. +>>> +>>> Possible values: +>>> +>>> * `AWS_OWNED_KEY` +>>> * `CUSTOMER_MANAGED_KEY` +>>> + +>> +>> KmsKeyArn -> (string) +>> +>>> The Amazon Resource Name (ARN) of the KMS key used for encryption. If not specified, Amazon Web Services managed keys are used. +>>> +>>> Constraints: +>>> +>>> * min: `20` +>>> * max: `2048` +>>> * pattern: `arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?` +>>> + +> +> IssuerConfiguration -> (structure) +> +>> The issuer configuration for the user pool, including token issuing settings. +>> +>> Type -> (string) +>> +>>> The type of issuer configuration. Determines the token issuing behavior for the user pool. +>>> +>>>> ORIGINAL +>>> +>>> The original issuer configuration for user pools. The issuer URL is hosted in the user pool’s region and provides OIDC endpoints specific to that region. +>>> +>>> Original issuers have the format of `https://cognito-idp.[region].amazonaws.com/[userPoolId]` +>>> +>>>> UPDATED +>>> +>>> Recommended for all user pools, including for multi-Region replication. Updated issuers host the same JWKS content in multiple regions, resulting in improved resilience and efficiency. +>>> +>>> Updated issuers have the format of `https://issuer-cognito-idp.[region].amazonaws.com/[userPoolId]` , where region is the primary Amazon Web Services Region of your user pool. +>>> +>>> Possible values: +>>> +>>> * `ORIGINAL` +>>> * `UPDATED` +>>> + @@ -1767 +1829 @@ UserPool -> (structure) - * [AWS CLI 2.34.57 Command Reference](../../index.html) » + * [AWS CLI 2.34.61 Command Reference](../../index.html) »