AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2025-10-28 · Documentation medium

File: cli/latest/reference/securityhub/create-automation-rule-v2.md

Summary

Updated AWS CLI version reference from 2.31.21 to 2.31.23 and expanded documentation for automation rule filters including encryption details, malware attributes, vulnerability tracking, and network evidence fields

Security assessment

The changes add numerous security-related filter fields including encryption details (algorithm/key_uid), malware attributes (name/severity), CVE tracking (epss.score/uid), and network evidence fields (ports/AS numbers). These enhancements improve security posture monitoring capabilities but do not indicate remediation of a specific vulnerability.

Diff

diff --git a/cli/latest/reference/securityhub/create-automation-rule-v2.md b/cli/latest/reference/securityhub/create-automation-rule-v2.md
index 099123645..e5446e1c2 100644
--- a//cli/latest/reference/securityhub/create-automation-rule-v2.md
+++ b//cli/latest/reference/securityhub/create-automation-rule-v2.md
@@ -15 +15 @@
-  * [AWS CLI 2.31.21 Command Reference](../../index.html) »
+  * [AWS CLI 2.31.23 Command Reference](../../index.html) »
@@ -59 +59 @@ First time using the AWS CLI? See the [User Guide](https://docs.aws.amazon.com/c
-Creates a V2 automation rule. This API is in private preview and subject to change.
+Creates a V2 automation rule. This API is in public preview and subject to change.
@@ -206,0 +207,37 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
+>>>>>>>   * `databucket.encryption_details.algorithm`
+>>>>>>>   * `databucket.encryption_details.key_uid`
+>>>>>>>   * `databucket.file.data_classifications.classifier_details.type`
+>>>>>>>   * `evidences.actor.user.account.uid`
+>>>>>>>   * `evidences.api.operation`
+>>>>>>>   * `evidences.api.response.error_message`
+>>>>>>>   * `evidences.api.service.name`
+>>>>>>>   * `evidences.connection_info.direction`
+>>>>>>>   * `evidences.connection_info.protocol_name`
+>>>>>>>   * `evidences.dst_endpoint.autonomous_system.name`
+>>>>>>>   * `evidences.dst_endpoint.location.city`
+>>>>>>>   * `evidences.dst_endpoint.location.country`
+>>>>>>>   * `evidences.src_endpoint.autonomous_system.name`
+>>>>>>>   * `evidences.src_endpoint.hostname`
+>>>>>>>   * `evidences.src_endpoint.location.city`
+>>>>>>>   * `evidences.src_endpoint.location.country`
+>>>>>>>   * `finding_info.analytic.name`
+>>>>>>>   * `malware.name`
+>>>>>>>   * `malware_scan_info.uid`
+>>>>>>>   * `malware.severity`
+>>>>>>>   * `resources.cloud_function.layers.uid_alt`
+>>>>>>>   * `resources.cloud_function.runtime`
+>>>>>>>   * `resources.cloud_function.user.uid`
+>>>>>>>   * `resources.device.encryption_details.key_uid`
+>>>>>>>   * `resources.device.image.uid`
+>>>>>>>   * `resources.image.architecture`
+>>>>>>>   * `resources.image.registry_uid`
+>>>>>>>   * `resources.image.repository_name`
+>>>>>>>   * `resources.image.uid`
+>>>>>>>   * `resources.subnet_info.uid`
+>>>>>>>   * `resources.vpc_uid`
+>>>>>>>   * `vulnerabilities.affected_code.file.path`
+>>>>>>>   * `vulnerabilities.affected_packages.name`
+>>>>>>>   * `vulnerabilities.cve.epss.score`
+>>>>>>>   * `vulnerabilities.cve.uid`
+>>>>>>>   * `vulnerabilities.related_vulnerabilities`
+>>>>>>>   * `cloud.account.name`
@@ -292,0 +330,3 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
+>>>>>>>   * `resources.image.created_time_dt`
+>>>>>>>   * `resources.image.last_used_time_dt`
+>>>>>>>   * `resources.modified_time_dt`
@@ -389,0 +430,6 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
+>>>>>>>   * `evidences.api.response.code`
+>>>>>>>   * `evidences.dst_endpoint.autonomous_system.number`
+>>>>>>>   * `evidences.dst_endpoint.port`
+>>>>>>>   * `evidences.src_endpoint.autonomous_system.number`
+>>>>>>>   * `evidences.src_endpoint.port`
+>>>>>>>   * `resources.image.in_use_count`
@@ -431,0 +478,3 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
+>>>>>>>   * `compliance.control_parameters`
+>>>>>>>   * `databucket.tags`
+>>>>>>>   * `finding_info.tags`
@@ -494,0 +544,469 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
+>>>> 
+>>>> IpFilters -> (list)
+>>>>
+>>>>> A list of IP address filters that allowing you to filter findings based on IP address properties.
+>>>>> 
+>>>>> (structure)
+>>>>>
+>>>>>> The structure for filtering findings based on IP address attributes.
+>>>>>> 
+>>>>>> FieldName -> (string)
+>>>>>>
+>>>>>>> The name of the IP address field to filter on.
+>>>>>>> 
+>>>>>>> Possible values:
+>>>>>>> 
+>>>>>>>   * `evidences.dst_endpoint.ip`
+>>>>>>>   * `evidences.src_endpoint.ip`
+>>>>>>> 
+
+>>>>>> 
+>>>>>> Filter -> (structure)
+>>>>>>
+>>>>>>> The IP filter for querying findings.
+>>>>>>> 
+>>>>>>> Cidr -> (string)
+>>>>>>>
+>>>>>>>> A finding’s CIDR value.
+>>>>>>>> 
+>>>>>>>> Constraints:
+>>>>>>>> 
+>>>>>>>>   * pattern: `.*\S.*`
+>>>>>>>> 
+
+>>>> 
+>>>> NestedCompositeFilters -> (list)
+>>>>
+>>>>> Provides an additional level of filtering, creating a three-layer nested structure. The first layer is a `CompositeFilters` array with a `CompositeOperator` (`AND` /`OR` ). The second layer is a `CompositeFilter` object that contains direct filters and `NestedCompositeFilters` . The third layer is `NestedCompositeFilters` , which contains additional filter conditions.
+>>>>> 
+>>>>> (structure)
+>>>>>
+>>>>>> Enables the creation of filtering criteria for security findings.
+>>>>>> 
+>>>>>> StringFilters -> (list)
+>>>>>>
+>>>>>>> Enables filtering based on string field values.
+>>>>>>> 
+>>>>>>> (structure)
+>>>>>>>
+>>>>>>>> Enables filtering of security findings based on string field values in OCSF.
+>>>>>>>> 
+>>>>>>>> FieldName -> (string)
+>>>>>>>>
+>>>>>>>>> The name of the field.
+>>>>>>>>> 
+>>>>>>>>> Possible values:
+>>>>>>>>> 
+>>>>>>>>>   * `metadata.uid`
+>>>>>>>>>   * `activity_name`
+>>>>>>>>>   * `cloud.account.uid`
+>>>>>>>>>   * `cloud.provider`
+>>>>>>>>>   * `cloud.region`
+>>>>>>>>>   * `compliance.assessments.category`
+>>>>>>>>>   * `compliance.assessments.name`
+>>>>>>>>>   * `compliance.control`
+>>>>>>>>>   * `compliance.status`
+>>>>>>>>>   * `compliance.standards`
+>>>>>>>>>   * `finding_info.desc`
+>>>>>>>>>   * `finding_info.src_url`
+>>>>>>>>>   * `finding_info.title`
+>>>>>>>>>   * `finding_info.types`
+>>>>>>>>>   * `finding_info.uid`
+>>>>>>>>>   * `finding_info.related_events.uid`
+>>>>>>>>>   * `finding_info.related_events.product.uid`
+>>>>>>>>>   * `finding_info.related_events.title`
+>>>>>>>>>   * `metadata.product.name`
+>>>>>>>>>   * `metadata.product.uid`
+>>>>>>>>>   * `metadata.product.vendor_name`
+>>>>>>>>>   * `remediation.desc`
+>>>>>>>>>   * `remediation.references`
+>>>>>>>>>   * `resources.cloud_partition`
+>>>>>>>>>   * `resources.region`
+>>>>>>>>>   * `resources.type`
+>>>>>>>>>   * `resources.uid`
+>>>>>>>>>   * `severity`
+>>>>>>>>>   * `status`
+>>>>>>>>>   * `comment`
+>>>>>>>>>   * `vulnerabilities.fix_coverage`
+>>>>>>>>>   * `class_name`
+>>>>>>>>>   * `databucket.encryption_details.algorithm`
+>>>>>>>>>   * `databucket.encryption_details.key_uid`
+>>>>>>>>>   * `databucket.file.data_classifications.classifier_details.type`
+>>>>>>>>>   * `evidences.actor.user.account.uid`
+>>>>>>>>>   * `evidences.api.operation`
+>>>>>>>>>   * `evidences.api.response.error_message`
+>>>>>>>>>   * `evidences.api.service.name`
+>>>>>>>>>   * `evidences.connection_info.direction`
+>>>>>>>>>   * `evidences.connection_info.protocol_name`
+>>>>>>>>>   * `evidences.dst_endpoint.autonomous_system.name`
+>>>>>>>>>   * `evidences.dst_endpoint.location.city`
+>>>>>>>>>   * `evidences.dst_endpoint.location.country`
+>>>>>>>>>   * `evidences.src_endpoint.autonomous_system.name`
+>>>>>>>>>   * `evidences.src_endpoint.hostname`
+>>>>>>>>>   * `evidences.src_endpoint.location.city`
+>>>>>>>>>   * `evidences.src_endpoint.location.country`
+>>>>>>>>>   * `finding_info.analytic.name`
+>>>>>>>>>   * `malware.name`
+>>>>>>>>>   * `malware_scan_info.uid`
+>>>>>>>>>   * `malware.severity`
+>>>>>>>>>   * `resources.cloud_function.layers.uid_alt`
+>>>>>>>>>   * `resources.cloud_function.runtime`
+>>>>>>>>>   * `resources.cloud_function.user.uid`
+>>>>>>>>>   * `resources.device.encryption_details.key_uid`
+>>>>>>>>>   * `resources.device.image.uid`
+>>>>>>>>>   * `resources.image.architecture`
+>>>>>>>>>   * `resources.image.registry_uid`
+>>>>>>>>>   * `resources.image.repository_name`
+>>>>>>>>>   * `resources.image.uid`
+>>>>>>>>>   * `resources.subnet_info.uid`
+>>>>>>>>>   * `resources.vpc_uid`
+>>>>>>>>>   * `vulnerabilities.affected_code.file.path`
+>>>>>>>>>   * `vulnerabilities.affected_packages.name`
+>>>>>>>>>   * `vulnerabilities.cve.epss.score`
+>>>>>>>>>   * `vulnerabilities.cve.uid`
+>>>>>>>>>   * `vulnerabilities.related_vulnerabilities`
+>>>>>>>>>   * `cloud.account.name`
+>>>>>>>>> 
+
+>>>>>>>> 
+>>>>>>>> Filter -> (structure)
+>>>>>>>>
+>>>>>>>>> A string filter for filtering Security Hub findings.
+>>>>>>>>> 
+>>>>>>>>> Value -> (string)
+>>>>>>>>>
+>>>>>>>>>> The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is `Security Hub` . If you provide `security hub` as the filter value, there’s no match.
+>>>>>>>>>>