AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-06-04 · Documentation low

File: cli/latest/reference/cognito-idp/describe-user-pool.md

Summary

Added documentation for KeyConfiguration and IssuerConfiguration structures describing encryption key management and token issuer settings

Security assessment

The changes document security features related to encryption key management (AWS_OWNED_KEY vs CUSTOMER_MANAGED_KEY) and token issuer configurations (ORIGINAL vs UPDATED), but show no evidence of addressing a specific vulnerability

Diff

diff --git a/cli/latest/reference/cognito-idp/describe-user-pool.md b/cli/latest/reference/cognito-idp/describe-user-pool.md
index c4c05b9bb..8854eef77 100644
--- a//cli/latest/reference/cognito-idp/describe-user-pool.md
+++ b//cli/latest/reference/cognito-idp/describe-user-pool.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.57 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.61 Command Reference](../../index.html) »
@@ -1755,0 +1756,62 @@ UserPool -> (structure)
+> 
+> KeyConfiguration -> (structure)
+>
+>> The key configuration for the user pool, including encryption settings.
+>> 
+>> KeyType -> (string)
+>>
+>>> The type of encryption key used for the user pool.
+>>>
+>>>> AWS_OWNED_KEY
+>>> 
+>>> A key owned by Amazon Web Services in Key Management Service.
+>>>
+>>>> CUSTOMER_MANAGED_KEY
+>>> 
+>>> A key managed by the customer in Key Management Service. You must use a multi-region key to enable multi-region replication for a user pool.
+>>> 
+>>> Possible values:
+>>> 
+>>>   * `AWS_OWNED_KEY`
+>>>   * `CUSTOMER_MANAGED_KEY`
+>>> 
+
+>> 
+>> KmsKeyArn -> (string)
+>>
+>>> The Amazon Resource Name (ARN) of the KMS key used for encryption. If not specified, Amazon Web Services managed keys are used.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `20`
+>>>   * max: `2048`
+>>>   * pattern: `arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?`
+>>> 
+
+> 
+> IssuerConfiguration -> (structure)
+>
+>> The issuer configuration for the user pool, including token issuing settings.
+>> 
+>> Type -> (string)
+>>
+>>> The type of issuer configuration. Determines the token issuing behavior for the user pool.
+>>>
+>>>> ORIGINAL
+>>> 
+>>> The original issuer configuration for user pools. The issuer URL is hosted in the user pool’s region and provides OIDC endpoints specific to that region.
+>>> 
+>>> Original issuers have the format of `https://cognito-idp.[region].amazonaws.com/[userPoolId]`
+>>>
+>>>> UPDATED
+>>> 
+>>> Recommended for all user pools, including for multi-Region replication. Updated issuers host the same JWKS content in multiple regions, resulting in improved resilience and efficiency.
+>>> 
+>>> Updated issuers have the format of `https://issuer-cognito-idp.[region].amazonaws.com/[userPoolId]` , where region is the primary Amazon Web Services Region of your user pool.
+>>> 
+>>> Possible values:
+>>> 
+>>>   * `ORIGINAL`
+>>>   * `UPDATED`
+>>> 
+
@@ -1767 +1829 @@ UserPool -> (structure)
-  * [AWS CLI 2.34.57 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.61 Command Reference](../../index.html) »