AWS cli documentation change
Summary
Updated API documentation for Security Hub's get-resources-v2 command including field name standardization, API preview status change from private to public, and added nested composite filtering capabilities
Security assessment
The changes primarily enhance filtering capabilities (String/Date/Number/Map filters) and document security-related resource attributes like FindingsSummary.Severities. While these improvements aid security analysis workflows, there's no evidence of addressing a specific vulnerability or security incident. The updates focus on feature enhancement rather than patching security issues.
Diff
diff --git a/cli/latest/reference/securityhub/get-resources-v2.md b/cli/latest/reference/securityhub/get-resources-v2.md index 6eb96af3c..01b5d4dbb 100644 --- a//cli/latest/reference/securityhub/get-resources-v2.md +++ b//cli/latest/reference/securityhub/get-resources-v2.md @@ -15 +15 @@ - * [AWS CLI 2.31.21 Command Reference](../../index.html) » + * [AWS CLI 2.31.23 Command Reference](../../index.html) » @@ -59 +59 @@ First time using the AWS CLI? See the [User Guide](https://docs.aws.amazon.com/c -Returns a list of resources. This API is in private preview and subject to change. +Returns a list of resources. This API is in public preview and subject to change. @@ -126,9 +126,9 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi ->>>>>> * `resource_arn` ->>>>>> * `resource_id` ->>>>>> * `account_id` ->>>>>> * `region` ->>>>>> * `resource_category` ->>>>>> * `resource_type` ->>>>>> * `resource_name` ->>>>>> * `findings_summary.finding_type` ->>>>>> * `findings_summary.product_name` +>>>>>> * `ResourceGuid` +>>>>>> * `ResourceId` +>>>>>> * `AccountId` +>>>>>> * `Region` +>>>>>> * `ResourceCategory` +>>>>>> * `ResourceType` +>>>>>> * `ResourceName` +>>>>>> * `FindingsSummary.FindingType` +>>>>>> * `FindingsSummary.ProductName` @@ -217,2 +217,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi ->>>>>> * `resource_detail_capture_time_dt` ->>>>>> * `resource_creation_time_dt` +>>>>>> * `ResourceDetailCaptureTime` +>>>>>> * `ResourceCreationTime` @@ -282,9 +282,9 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi ->>>>>> * `findings_summary.total_findings` ->>>>>> * `findings_summary.severities.other` ->>>>>> * `findings_summary.severities.fatal` ->>>>>> * `findings_summary.severities.critical` ->>>>>> * `findings_summary.severities.high` ->>>>>> * `findings_summary.severities.medium` ->>>>>> * `findings_summary.severities.low` ->>>>>> * `findings_summary.severities.informational` ->>>>>> * `findings_summary.severities.unknown` +>>>>>> * `FindingsSummary.TotalFindings` +>>>>>> * `FindingsSummary.Severities.Other` +>>>>>> * `FindingsSummary.Severities.Fatal` +>>>>>> * `FindingsSummary.Severities.Critical` +>>>>>> * `FindingsSummary.Severities.High` +>>>>>> * `FindingsSummary.Severities.Medium` +>>>>>> * `FindingsSummary.Severities.Low` +>>>>>> * `FindingsSummary.Severities.Informational` +>>>>>> * `FindingsSummary.Severities.Unknown` @@ -332 +332 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi ->>>>>> * `tags` +>>>>>> * `ResourceTags` @@ -395,0 +396,304 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi +>>> +>>> NestedCompositeFilters -> (list) +>>> +>>>> Provides an additional level of filtering, creating a three-layer nested structure. The first layer is a `CompositeFilters` array with a `CompositeOperator` (`AND` /`OR` ). The second layer is a `CompositeFilter` object that contains direct filters and `NestedCompositeFilters` . The third layer is `NestedCompositeFilters` , which contains additional filter conditions. +>>>> +>>>> (structure) +>>>> +>>>>> Enables the creation of criteria for Amazon Web Services resources in Security Hub. +>>>>> +>>>>> StringFilters -> (list) +>>>>> +>>>>>> Enables filtering based on string field values. +>>>>>> +>>>>>> (structure) +>>>>>> +>>>>>>> Enables filtering of Amazon Web Services resources based on string field values. +>>>>>>> +>>>>>>> FieldName -> (string) +>>>>>>> +>>>>>>>> The name of the field. +>>>>>>>> +>>>>>>>> Possible values: +>>>>>>>> +>>>>>>>> * `ResourceGuid` +>>>>>>>> * `ResourceId` +>>>>>>>> * `AccountId` +>>>>>>>> * `Region` +>>>>>>>> * `ResourceCategory` +>>>>>>>> * `ResourceType` +>>>>>>>> * `ResourceName` +>>>>>>>> * `FindingsSummary.FindingType` +>>>>>>>> * `FindingsSummary.ProductName` +>>>>>>>> + +>>>>>>> +>>>>>>> Filter -> (structure) +>>>>>>> +>>>>>>>> A string filter for filtering Security Hub findings. +>>>>>>>> +>>>>>>>> Value -> (string) +>>>>>>>> +>>>>>>>>> The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is `Security Hub` . If you provide `security hub` as the filter value, there’s no match. +>>>>>>>>> +>>>>>>>>> Constraints: +>>>>>>>>> +>>>>>>>>> * pattern: `.*\S.*` +>>>>>>>>> + +>>>>>>>> +>>>>>>>> Comparison -> (string) +>>>>>>>> +>>>>>>>>> The condition to apply to a string value when filtering Security Hub findings. +>>>>>>>>> +>>>>>>>>> To search for values that have the filter value, use one of the following comparison operators: +>>>>>>>>> +>>>>>>>>> * To search for values that include the filter value, use `CONTAINS` . For example, the filter `Title CONTAINS CloudFront` matches findings that have a `Title` that includes the string CloudFront. +>>>>>>>>> * To search for values that exactly match the filter value, use `EQUALS` . For example, the filter `AwsAccountId EQUALS 123456789012` only matches findings that have an account ID of `123456789012` . +>>>>>>>>> * To search for values that start with the filter value, use `PREFIX` . For example, the filter `ResourceRegion PREFIX us` matches findings that have a `ResourceRegion` that starts with `us` . A `ResourceRegion` that starts with a different value, such as `af` , `ap` , or `ca` , doesn’t match. +>>>>>>>>> + +>>>>>>>>> +>>>>>>>>>> `CONTAINS` , `EQUALS` , and `PREFIX` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters. For example, the filters `Title CONTAINS CloudFront OR Title CONTAINS CloudWatch` match a finding that includes either `CloudFront` , `CloudWatch` , or both strings in the title. +>>>>>>>>> +>>>>>>>>> To search for values that don’t have the filter value, use one of the following comparison operators: +>>>>>>>>> +>>>>>>>>> * To search for values that exclude the filter value, use `NOT_CONTAINS` . For example, the filter `Title NOT_CONTAINS CloudFront` matches findings that have a `Title` that excludes the string CloudFront. +>>>>>>>>> * To search for values other than the filter value, use `NOT_EQUALS` . For example, the filter `AwsAccountId NOT_EQUALS 123456789012` only matches findings that have an account ID other than `123456789012` . +>>>>>>>>> * To search for values that don’t start with the filter value, use `PREFIX_NOT_EQUALS` . For example, the filter `ResourceRegion PREFIX_NOT_EQUALS us` matches findings with a `ResourceRegion` that starts with a value other than `us` . +>>>>>>>>> + +>>>>>>>>> +>>>>>>>>>> `NOT_CONTAINS` , `NOT_EQUALS` , and `PREFIX_NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters. For example, the filters `Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch` match a finding that excludes both `CloudFront` and `CloudWatch` in the title. +>>>>>>>>> +>>>>>>>>> You can’t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can’t provide both an `EQUALS` filter and a `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filter on the same field. Combining filters in this way returns an error. `CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters. +>>>>>>>>> +>>>>>>>>> You can combine `PREFIX` filters with `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters for the same field. Security Hub first processes the `PREFIX` filters, and then the `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters. +>>>>>>>>> +>>>>>>>>> For example, for the following filters, Security Hub first identifies findings that have resource types that start with either `AwsIam` or `AwsEc2` . It then excludes findings that have a resource type of `AwsIamPolicy` and findings that have a resource type of `AwsEc2NetworkInterface` . +>>>>>>>>> +>>>>>>>>> * `ResourceType PREFIX AwsIam` +>>>>>>>>> * `ResourceType PREFIX AwsEc2` +>>>>>>>>> * `ResourceType NOT_EQUALS AwsIamPolicy` +>>>>>>>>> * `ResourceType NOT_EQUALS AwsEc2NetworkInterface` +>>>>>>>>> + +>>>>>>>>> +>>>>>>>>>> `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. `CONTAINS_WORD` operator is only supported in `GetFindingsV2` , `GetFindingStatisticsV2` , `GetResourcesV2` , and `GetResourceStatisticsV2` APIs. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the _Security Hub User Guide_ . +>>>>>>>>> +>>>>>>>>> Possible values: +>>>>>>>>> +>>>>>>>>> * `EQUALS` +>>>>>>>>> * `PREFIX` +>>>>>>>>> * `NOT_EQUALS` +>>>>>>>>> * `PREFIX_NOT_EQUALS` +>>>>>>>>> * `CONTAINS` +>>>>>>>>> * `NOT_CONTAINS` +>>>>>>>>> * `CONTAINS_WORD` +>>>>>>>>> + +>>>>> +>>>>> DateFilters -> (list) +>>>>> +>>>>>> Enables filtering based on date and timestamp field values. +>>>>>> +>>>>>> (structure) +>>>>>> +>>>>>>> Enables the filtering of Amazon Web Services resources based on date and timestamp attributes. +>>>>>>> +>>>>>>> FieldName -> (string) +>>>>>>> +>>>>>>>> The name of the field. +>>>>>>>> +>>>>>>>> Possible values: +>>>>>>>> +>>>>>>>> * `ResourceDetailCaptureTime` +>>>>>>>> * `ResourceCreationTime` +>>>>>>>> + +>>>>>>> +>>>>>>> Filter -> (structure) +>>>>>>> +>>>>>>>> A date filter for querying findings. +>>>>>>>> +>>>>>>>> Start -> (string) +>>>>>>>> +>>>>>>>>> A timestamp that provides the start date for the date filter. +>>>>>>>>> +>>>>>>>>> For more information about the validation and formatting of timestamp fields in Security Hub, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps) . +>>>>>>>>> +>>>>>>>>> Constraints: +>>>>>>>>> +>>>>>>>>> * pattern: `.*\S.*` +>>>>>>>>> + +>>>>>>>> +>>>>>>>> End -> (string) +>>>>>>>> +>>>>>>>>> A timestamp that provides the end date for the date filter. +>>>>>>>>> +>>>>>>>>> For more information about the validation and formatting of timestamp fields in Security Hub, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps) . +>>>>>>>>> +>>>>>>>>> Constraints: +>>>>>>>>>