AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2025-10-28 · Documentation low

File: cli/latest/reference/securityhub/get-resources-v2.md

Summary

Updated API documentation for Security Hub's get-resources-v2 command including field name standardization, API preview status change from private to public, and added nested composite filtering capabilities

Security assessment

The changes primarily enhance filtering capabilities (String/Date/Number/Map filters) and document security-related resource attributes like FindingsSummary.Severities. While these improvements aid security analysis workflows, there's no evidence of addressing a specific vulnerability or security incident. The updates focus on feature enhancement rather than patching security issues.

Diff

diff --git a/cli/latest/reference/securityhub/get-resources-v2.md b/cli/latest/reference/securityhub/get-resources-v2.md
index 6eb96af3c..01b5d4dbb 100644
--- a//cli/latest/reference/securityhub/get-resources-v2.md
+++ b//cli/latest/reference/securityhub/get-resources-v2.md
@@ -15 +15 @@
-  * [AWS CLI 2.31.21 Command Reference](../../index.html) »
+  * [AWS CLI 2.31.23 Command Reference](../../index.html) »
@@ -59 +59 @@ First time using the AWS CLI? See the [User Guide](https://docs.aws.amazon.com/c
-Returns a list of resources. This API is in private preview and subject to change.
+Returns a list of resources. This API is in public preview and subject to change.
@@ -126,9 +126,9 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
->>>>>>   * `resource_arn`
->>>>>>   * `resource_id`
->>>>>>   * `account_id`
->>>>>>   * `region`
->>>>>>   * `resource_category`
->>>>>>   * `resource_type`
->>>>>>   * `resource_name`
->>>>>>   * `findings_summary.finding_type`
->>>>>>   * `findings_summary.product_name`
+>>>>>>   * `ResourceGuid`
+>>>>>>   * `ResourceId`
+>>>>>>   * `AccountId`
+>>>>>>   * `Region`
+>>>>>>   * `ResourceCategory`
+>>>>>>   * `ResourceType`
+>>>>>>   * `ResourceName`
+>>>>>>   * `FindingsSummary.FindingType`
+>>>>>>   * `FindingsSummary.ProductName`
@@ -217,2 +217,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
->>>>>>   * `resource_detail_capture_time_dt`
->>>>>>   * `resource_creation_time_dt`
+>>>>>>   * `ResourceDetailCaptureTime`
+>>>>>>   * `ResourceCreationTime`
@@ -282,9 +282,9 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
->>>>>>   * `findings_summary.total_findings`
->>>>>>   * `findings_summary.severities.other`
->>>>>>   * `findings_summary.severities.fatal`
->>>>>>   * `findings_summary.severities.critical`
->>>>>>   * `findings_summary.severities.high`
->>>>>>   * `findings_summary.severities.medium`
->>>>>>   * `findings_summary.severities.low`
->>>>>>   * `findings_summary.severities.informational`
->>>>>>   * `findings_summary.severities.unknown`
+>>>>>>   * `FindingsSummary.TotalFindings`
+>>>>>>   * `FindingsSummary.Severities.Other`
+>>>>>>   * `FindingsSummary.Severities.Fatal`
+>>>>>>   * `FindingsSummary.Severities.Critical`
+>>>>>>   * `FindingsSummary.Severities.High`
+>>>>>>   * `FindingsSummary.Severities.Medium`
+>>>>>>   * `FindingsSummary.Severities.Low`
+>>>>>>   * `FindingsSummary.Severities.Informational`
+>>>>>>   * `FindingsSummary.Severities.Unknown`
@@ -332 +332 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
->>>>>>   * `tags`
+>>>>>>   * `ResourceTags`
@@ -395,0 +396,304 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
+>>> 
+>>> NestedCompositeFilters -> (list)
+>>>
+>>>> Provides an additional level of filtering, creating a three-layer nested structure. The first layer is a `CompositeFilters` array with a `CompositeOperator` (`AND` /`OR` ). The second layer is a `CompositeFilter` object that contains direct filters and `NestedCompositeFilters` . The third layer is `NestedCompositeFilters` , which contains additional filter conditions.
+>>>> 
+>>>> (structure)
+>>>>
+>>>>> Enables the creation of criteria for Amazon Web Services resources in Security Hub.
+>>>>> 
+>>>>> StringFilters -> (list)
+>>>>>
+>>>>>> Enables filtering based on string field values.
+>>>>>> 
+>>>>>> (structure)
+>>>>>>
+>>>>>>> Enables filtering of Amazon Web Services resources based on string field values.
+>>>>>>> 
+>>>>>>> FieldName -> (string)
+>>>>>>>
+>>>>>>>> The name of the field.
+>>>>>>>> 
+>>>>>>>> Possible values:
+>>>>>>>> 
+>>>>>>>>   * `ResourceGuid`
+>>>>>>>>   * `ResourceId`
+>>>>>>>>   * `AccountId`
+>>>>>>>>   * `Region`
+>>>>>>>>   * `ResourceCategory`
+>>>>>>>>   * `ResourceType`
+>>>>>>>>   * `ResourceName`
+>>>>>>>>   * `FindingsSummary.FindingType`
+>>>>>>>>   * `FindingsSummary.ProductName`
+>>>>>>>> 
+
+>>>>>>> 
+>>>>>>> Filter -> (structure)
+>>>>>>>
+>>>>>>>> A string filter for filtering Security Hub findings.
+>>>>>>>> 
+>>>>>>>> Value -> (string)
+>>>>>>>>
+>>>>>>>>> The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is `Security Hub` . If you provide `security hub` as the filter value, there’s no match.
+>>>>>>>>> 
+>>>>>>>>> Constraints:
+>>>>>>>>> 
+>>>>>>>>>   * pattern: `.*\S.*`
+>>>>>>>>> 
+
+>>>>>>>> 
+>>>>>>>> Comparison -> (string)
+>>>>>>>>
+>>>>>>>>> The condition to apply to a string value when filtering Security Hub findings.
+>>>>>>>>> 
+>>>>>>>>> To search for values that have the filter value, use one of the following comparison operators:
+>>>>>>>>> 
+>>>>>>>>>   * To search for values that include the filter value, use `CONTAINS` . For example, the filter `Title CONTAINS CloudFront` matches findings that have a `Title` that includes the string CloudFront.
+>>>>>>>>>   * To search for values that exactly match the filter value, use `EQUALS` . For example, the filter `AwsAccountId EQUALS 123456789012` only matches findings that have an account ID of `123456789012` .
+>>>>>>>>>   * To search for values that start with the filter value, use `PREFIX` . For example, the filter `ResourceRegion PREFIX us` matches findings that have a `ResourceRegion` that starts with `us` . A `ResourceRegion` that starts with a different value, such as `af` , `ap` , or `ca` , doesn’t match.
+>>>>>>>>> 
+
+>>>>>>>>>
+>>>>>>>>>> `CONTAINS` , `EQUALS` , and `PREFIX` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters. For example, the filters `Title CONTAINS CloudFront OR Title CONTAINS CloudWatch` match a finding that includes either `CloudFront` , `CloudWatch` , or both strings in the title.
+>>>>>>>>> 
+>>>>>>>>> To search for values that don’t have the filter value, use one of the following comparison operators:
+>>>>>>>>> 
+>>>>>>>>>   * To search for values that exclude the filter value, use `NOT_CONTAINS` . For example, the filter `Title NOT_CONTAINS CloudFront` matches findings that have a `Title` that excludes the string CloudFront.
+>>>>>>>>>   * To search for values other than the filter value, use `NOT_EQUALS` . For example, the filter `AwsAccountId NOT_EQUALS 123456789012` only matches findings that have an account ID other than `123456789012` .
+>>>>>>>>>   * To search for values that don’t start with the filter value, use `PREFIX_NOT_EQUALS` . For example, the filter `ResourceRegion PREFIX_NOT_EQUALS us` matches findings with a `ResourceRegion` that starts with a value other than `us` .
+>>>>>>>>> 
+
+>>>>>>>>>
+>>>>>>>>>> `NOT_CONTAINS` , `NOT_EQUALS` , and `PREFIX_NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters. For example, the filters `Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch` match a finding that excludes both `CloudFront` and `CloudWatch` in the title.
+>>>>>>>>> 
+>>>>>>>>> You can’t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can’t provide both an `EQUALS` filter and a `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filter on the same field. Combining filters in this way returns an error. `CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters.
+>>>>>>>>> 
+>>>>>>>>> You can combine `PREFIX` filters with `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters for the same field. Security Hub first processes the `PREFIX` filters, and then the `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters.
+>>>>>>>>> 
+>>>>>>>>> For example, for the following filters, Security Hub first identifies findings that have resource types that start with either `AwsIam` or `AwsEc2` . It then excludes findings that have a resource type of `AwsIamPolicy` and findings that have a resource type of `AwsEc2NetworkInterface` .
+>>>>>>>>> 
+>>>>>>>>>   * `ResourceType PREFIX AwsIam`
+>>>>>>>>>   * `ResourceType PREFIX AwsEc2`
+>>>>>>>>>   * `ResourceType NOT_EQUALS AwsIamPolicy`
+>>>>>>>>>   * `ResourceType NOT_EQUALS AwsEc2NetworkInterface`
+>>>>>>>>> 
+
+>>>>>>>>>
+>>>>>>>>>> `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. `CONTAINS_WORD` operator is only supported in `GetFindingsV2` , `GetFindingStatisticsV2` , `GetResourcesV2` , and `GetResourceStatisticsV2` APIs. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the _Security Hub User Guide_ .
+>>>>>>>>> 
+>>>>>>>>> Possible values:
+>>>>>>>>> 
+>>>>>>>>>   * `EQUALS`
+>>>>>>>>>   * `PREFIX`
+>>>>>>>>>   * `NOT_EQUALS`
+>>>>>>>>>   * `PREFIX_NOT_EQUALS`
+>>>>>>>>>   * `CONTAINS`
+>>>>>>>>>   * `NOT_CONTAINS`
+>>>>>>>>>   * `CONTAINS_WORD`
+>>>>>>>>> 
+
+>>>>> 
+>>>>> DateFilters -> (list)
+>>>>>
+>>>>>> Enables filtering based on date and timestamp field values.
+>>>>>> 
+>>>>>> (structure)
+>>>>>>
+>>>>>>> Enables the filtering of Amazon Web Services resources based on date and timestamp attributes.
+>>>>>>> 
+>>>>>>> FieldName -> (string)
+>>>>>>>
+>>>>>>>> The name of the field.
+>>>>>>>> 
+>>>>>>>> Possible values:
+>>>>>>>> 
+>>>>>>>>   * `ResourceDetailCaptureTime`
+>>>>>>>>   * `ResourceCreationTime`
+>>>>>>>> 
+
+>>>>>>> 
+>>>>>>> Filter -> (structure)
+>>>>>>>
+>>>>>>>> A date filter for querying findings.
+>>>>>>>> 
+>>>>>>>> Start -> (string)
+>>>>>>>>
+>>>>>>>>> A timestamp that provides the start date for the date filter.
+>>>>>>>>> 
+>>>>>>>>> For more information about the validation and formatting of timestamp fields in Security Hub, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps) .
+>>>>>>>>> 
+>>>>>>>>> Constraints:
+>>>>>>>>> 
+>>>>>>>>>   * pattern: `.*\S.*`
+>>>>>>>>> 
+
+>>>>>>>> 
+>>>>>>>> End -> (string)
+>>>>>>>>
+>>>>>>>>> A timestamp that provides the end date for the date filter.
+>>>>>>>>> 
+>>>>>>>>> For more information about the validation and formatting of timestamp fields in Security Hub, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps) .
+>>>>>>>>> 
+>>>>>>>>> Constraints:
+>>>>>>>>>