AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-07-13 · Documentation medium

File: cli/latest/reference/synthetics/update-canary.md

Summary

Added --kms-key-arn parameter and corresponding documentation for encrypting canary environment variables with customer-managed KMS keys

Security assessment

Documents new security capability for environment variable encryption but lacks evidence of addressing a specific security vulnerability

Diff

diff --git a/cli/latest/reference/synthetics/update-canary.md b/cli/latest/reference/synthetics/update-canary.md
index 1c9e80578..2ab109efd 100644
--- a//cli/latest/reference/synthetics/update-canary.md
+++ b//cli/latest/reference/synthetics/update-canary.md
@@ -15 +15 @@
-  * [AWS CLI 2.35.19 Command Reference](../../index.html) »
+  * [AWS CLI 2.35.21 Command Reference](../../index.html) »
@@ -98,0 +99 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/synthe
+    [--kms-key-arn <value>]
@@ -935,0 +937,12 @@ JSON Syntax:
+>> 
+>> KmsKeyArn -> (string)
+>>
+>>> The Amazon Resource Name (ARN) of the customer-managed AWS Key Management Service (AWS KMS) key used to encrypt the canary replica’s AWS Lambda function environment variables at rest. If you don’t specify a value, the service uses an AWS-managed key.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `2048`
+>>>   * pattern: `arn:(aws[a-zA-Z-]*)?:kms:[a-z]{2,4}(-[a-z]{2,4})?-[a-z]+-\d{1}:\d{12}:key/[\w\-\/]+`
+>>> 
+
@@ -940 +953 @@ Shorthand Syntax:
-    Location=string,VpcConfig={SubnetIds=[string,string],SecurityGroupIds=[string,string],Ipv6AllowedForDualStack=boolean} ...
+    Location=string,VpcConfig={SubnetIds=[string,string],SecurityGroupIds=[string,string],Ipv6AllowedForDualStack=boolean},KmsKeyArn=string ...
@@ -953 +966,2 @@ JSON Syntax:
-        }
+        },
+        "KmsKeyArn": "string"
@@ -984,0 +999,12 @@ Syntax:
+`--kms-key-arn` (string)
+
+> The Amazon Resource Name (ARN) of the customer-managed AWS Key Management Service (AWS KMS) key used to encrypt the canary’s AWS Lambda function environment variables at rest. If you don’t specify a value, the service uses an AWS-managed key. If you omit this parameter, the service retains the existing value. To revert to the AWS-managed key, set this parameter to an empty string.
+> 
+> Constraints:
+> 
+>   * min: `1`
+>   * max: `2048`
+>   * pattern: `arn:(aws[a-zA-Z-]*)?:kms:[a-z]{2,4}(-[a-z]{2,4})?-[a-z]+-\d{1}:\d{12}:key/[\w\-\/]+`
+> 
+
+
@@ -1132 +1158 @@ None
-  * [AWS CLI 2.35.19 Command Reference](../../index.html) »
+  * [AWS CLI 2.35.21 Command Reference](../../index.html) »