diff --git a/CHANGELOG.md b/CHANGELOG.md
index 73a7138..a3014b6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@ ## NOT RELEASED +### Changed + +- AWS enhancement: Documentation updates. + ## 2.3.0 ### Added
diff --git a/src/Input/UpdateSecretRequest.php b/src/Input/UpdateSecretRequest.php
index 8e9c832..ad35dcb 100644
--- a/src/Input/UpdateSecretRequest.php
+++ b/src/Input/UpdateSecretRequest.php
@@ -54,7 +54,7 @@ final class UpdateSecretRequest extends Input
 /**
 * The ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt new secret versions as well as any
 * existing versions with the staging labels `AWSCURRENT`, `AWSPENDING`, or `AWSPREVIOUS`. If you don't have
- * `kms:Encrypt` permission to the new key, Secrets Manager does not re-ecrypt existing secret versions with the new
+ * `kms:Encrypt` permission to the new key, Secrets Manager does not re-encrypt existing secret versions with the new
 * key. For more information about versions and staging labels, see Concepts: Version [^1].
 *
 * A key alias is always prefixed by `alias/`, for example `alias/aws/secretsmanager`. For more information, see About
diff --git a/src/SecretsManagerClient.php b/src/SecretsManagerClient.php
index 202bdd1..0ccb824 100644
--- a/src/SecretsManagerClient.php
+++ b/src/SecretsManagerClient.php
@@ -77,12 +77,17 @@ class SecretsManagerClient extends AbstractApi
 * To encrypt the secret with a KMS key other than `aws/secretsmanager`, you need `kms:GenerateDataKey` and
 * `kms:Decrypt` permission to the key.
 *
+ * ! When you enter commands in a command shell, there is a risk of the command history being accessed or utilities
+ * ! having access to your command parameters. This is a concern if the command includes the value of a secret. Learn
+ * ! how to Mitigate the risks of using command-line tools to store Secrets Manager secrets [^7].
+ *
 * [^1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/service-linked-secrets.html
 * [^2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html
 * [^3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html
 * [^4]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieve-ct-entries.html
 * [^5]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_iam-permissions.html#reference_iam-permissions_actions
 * [^6]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
+ * [^7]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/security_cli-exposure-risks.html
 *
 * @see https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html
 * @see https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-secretsmanager-2017-10-17.html#createsecret
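Review bot: The warning added before the footnote list describes command-shell exposure (shell history, utilities reading command parameters), which is a risk of command-line tools rather than of a PHP caller of this method; the same paragraph is added to the `PutSecretValue` and `UpdateSecret` docblocks in the next two hunks. For code that uses this client, the secret value is more likely to leak through application logs, debug output or literals committed to source control, so I would add a line after the warning such as `* From PHP, keep the secret value out of logs, debug output and version-controlled source.`. The changelog entry suggests these docblocks are synced from upstream AWS documentation; if they are generated, the sentence belongs in the generator or the package README instead. The docblock and the method it documents begin and end outside the hunk.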
@@ -338,9 +343,14 @@ public function listSecrets($input = []): ListSecretsResponse
 * **Required permissions: **`secretsmanager:PutSecretValue`. For more information, see IAM policy actions for Secrets
 * Manager [^2] and Authentication and access control in Secrets Manager [^3].
 *
+ * ! When you enter commands in a command shell, there is a risk of the command history being accessed or utilities
+ * ! having access to your command parameters. This is a concern if the command includes the value of a secret. Learn
+ * ! how to Mitigate the risks of using command-line tools to store Secrets Manager secrets [^4].
+ *
 * [^1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieve-ct-entries.html
 * [^2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_iam-permissions.html#reference_iam-permissions_actions
 * [^3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
+ * [^4]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/security_cli-exposure-risks.html
 *
 * @see https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_PutSecretValue.html
 * @see https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-secretsmanager-2017-10-17.html#putsecretvalue
@@ -411,14 +421,19 @@ public function putSecretValue($input): PutSecretValueResponse
 * **Required permissions: **`secretsmanager:UpdateSecret`. For more information, see IAM policy actions for Secrets
 * Manager [^3] and Authentication and access control in Secrets Manager [^4]. If you use a customer managed key, you
 * must also have `kms:GenerateDataKey`, `kms:Encrypt`, and `kms:Decrypt` permissions on the key. If you change the KMS
- * key and you don't have `kms:Encrypt` permission to the new key, Secrets Manager does not re-ecrypt existing secret
+ * key and you don't have `kms:Encrypt` permission to the new key, Secrets Manager does not re-encrypt existing secret
 * versions with the new key. For more information, see Secret encryption and decryption [^5].
 *
+ * ! When you enter commands in a command shell, there is a risk of the command history being accessed or utilities
+ * ! having access to your command parameters. This is a concern if the command includes the value of a secret. Learn
+ * ! how to Mitigate the risks of using command-line tools to store Secrets Manager secrets [^6].
+ *
 * [^1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/service-linked-secrets.html
 * [^2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieve-ct-entries.html
 * [^3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_iam-permissions.html#reference_iam-permissions_actions
 * [^4]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
 * [^5]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html
+ * [^6]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/security_cli-exposure-risks.html
 *
 * @see https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_UpdateSecret.html
 * @see https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-secretsmanager-2017-10-17.html#updatesecret