AWS AmazonElastiCache documentation change
Summary
Clarified IAM authentication token expiration behavior and limitations for re-authentication in MULTI/EXEC blocks
Security assessment
The changes provide additional implementation details about token expiration and command restrictions, but don't address any security vulnerability or weakness. They improve documentation clarity around existing security features without introducing new security implications.
Diff
diff --git a/AmazonElastiCache/latest/dg/auth-iam.md b/AmazonElastiCache/latest/dg/auth-iam.md index 3752d4a70..29522fea4 100644 --- a//AmazonElastiCache/latest/dg/auth-iam.md +++ b//AmazonElastiCache/latest/dg/auth-iam.md @@ -42 +42 @@ When using IAM authentication, the following limitations apply: - * The IAM authentication token is valid for 15 minutes. For long-lived connections, we recommend using a Valkey or Redis OSS client that supports a credentials provider interface. + * The IAM authentication token is valid for 15 minutes. If the connection is re-authenticated with an expired token, the authentication request will be rejected. For long-lived connections, we recommend using a Valkey or Redis OSS client that supports a credentials provider interface to automatically generate fresh tokens before expiry. @@ -46 +46 @@ When using IAM authentication, the following limitations apply: - * IAM authentication is not supported inside `MULTI`/`EXEC` blocks. + * IAM re-authentication (`AUTH` or `HELLO` commands) is not supported inside `MULTI`/`EXEC` or Lua script blocks. However, you can run regular data commands inside `MULTI`/`EXEC` blocks on an IAM-authenticated connection.