AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-07-13 · Documentation medium

File: cli/latest/reference/synthetics/create-canary.md

Summary

Added --kms-key-arn parameter for encrypting Lambda environment variables

Security assessment

Documents new security feature allowing customer-managed KMS keys for encrypting sensitive environment variables at rest. Enhances data protection capabilities but doesn't address a specific vulnerability.

Diff

diff --git a/cli/latest/reference/synthetics/create-canary.md b/cli/latest/reference/synthetics/create-canary.md
index 4f8bdb44c..93f00d166 100644
--- a//cli/latest/reference/synthetics/create-canary.md
+++ b//cli/latest/reference/synthetics/create-canary.md
@@ -15 +15 @@
-  * [AWS CLI 2.35.19 Command Reference](../../index.html) »
+  * [AWS CLI 2.35.21 Command Reference](../../index.html) »
@@ -89,0 +90 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/synthe
+    [--kms-key-arn <value>]
@@ -703,0 +705,12 @@ JSON Syntax:
+>> 
+>> KmsKeyArn -> (string)
+>>
+>>> The Amazon Resource Name (ARN) of the customer-managed AWS Key Management Service (AWS KMS) key used to encrypt the canary replica’s AWS Lambda function environment variables at rest. If you don’t specify a value, the service uses an AWS-managed key.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `2048`
+>>>   * pattern: `arn:(aws[a-zA-Z-]*)?:kms:[a-z]{2,4}(-[a-z]{2,4})?-[a-z]+-\d{1}:\d{12}:key/[\w\-\/]+`
+>>> 
+
@@ -708 +721 @@ Shorthand Syntax:
-    Location=string,VpcConfig={SubnetIds=[string,string],SecurityGroupIds=[string,string],Ipv6AllowedForDualStack=boolean} ...
+    Location=string,VpcConfig={SubnetIds=[string,string],SecurityGroupIds=[string,string],Ipv6AllowedForDualStack=boolean},KmsKeyArn=string ...
@@ -721 +734,2 @@ JSON Syntax:
-        }
+        },
+        "KmsKeyArn": "string"
@@ -822,0 +837,12 @@ JSON Syntax:
+`--kms-key-arn` (string)
+
+> The Amazon Resource Name (ARN) of the customer-managed AWS Key Management Service (AWS KMS) key used to encrypt the canary’s AWS Lambda function environment variables at rest. If you don’t specify a value, the service uses an AWS-managed key.
+> 
+> Constraints:
+> 
+>   * min: `1`
+>   * max: `2048`
+>   * pattern: `arn:(aws[a-zA-Z-]*)?:kms:[a-z]{2,4}(-[a-z]{2,4})?-[a-z]+-\d{1}:\d{12}:key/[\w\-\/]+`
+> 
+
+
@@ -1833,0 +1860,12 @@ Canary -> (structure)
+> 
+> KmsKeyArn -> (string)
+>
+>> The Amazon Resource Name (ARN) of the customer-managed AWS Key Management Service (AWS KMS) key used to encrypt the canary’s AWS Lambda function environment variables at rest. If you don’t specify a value, the service uses an AWS-managed key.
+>> 
+>> Constraints:
+>> 
+>>   * min: `1`
+>>   * max: `2048`
+>>   * pattern: `arn:(aws[a-zA-Z-]*)?:kms:[a-z]{2,4}(-[a-z]{2,4})?-[a-z]+-\d{1}:\d{12}:key/[\w\-\/]+`
+>> 
+
@@ -1870 +1908 @@ Canary -> (structure)
-  * [AWS CLI 2.35.19 Command Reference](../../index.html) »
+  * [AWS CLI 2.35.21 Command Reference](../../index.html) »