AWS cli documentation change
Summary
Updated AWS CLI version references from 2.34.29 to 2.34.32, expanded documentation for BatchUpdateFindingsV2 with detailed IAM policy configuration using securityhub:OCSFSyntaxPath condition keys for field-level access control, and updated allowed enum values for SeverityId and StatusId fields.
Security assessment
The change adds comprehensive documentation about using IAM condition keys (securityhub:OCSFSyntaxPath) to restrict access to specific finding fields (SeverityId, StatusId, Comment) and control allowed values. This enhances security by enabling fine-grained access control but does not address a specific security vulnerability. The enum value changes (adding 6 to SeverityId, removing 6 from StatusId) appear to be API updates rather than security fixes.
Diff
diff --git a/cli/latest/reference/securityhub/batch-update-findings-v2.md b/cli/latest/reference/securityhub/batch-update-findings-v2.md index f6b4a3395..5b8d55606 100644 --- a//cli/latest/reference/securityhub/batch-update-findings-v2.md +++ b//cli/latest/reference/securityhub/batch-update-findings-v2.md @@ -15 +15 @@ - * [AWS CLI 2.34.29 Command Reference](../../index.html) » + * [AWS CLI 2.34.32 Command Reference](../../index.html) » @@ -59 +59,7 @@ First time using the AWS CLI? See the [User Guide](https://docs.aws.amazon.com/c -Used by customers to update information about their investigation into a finding. Requested by delegated administrator accounts or member accounts. Delegated administrator accounts can update findings for their account and their member accounts. Member accounts can update findings for their account. `BatchUpdateFindings` and `BatchUpdateFindingV2` both use `securityhub:BatchUpdateFindings` in the `Action` element of an IAM policy statement. You must have permission to perform the `securityhub:BatchUpdateFindings` action. Updates from `BatchUpdateFindingsV2` don’t affect the value of f``inding_info.modified_time`` , `finding_info.modified_time_dt` , `time` , `time_dt for a finding` . +Updates information about a customer’s investigation into a finding. Delegated administrator accounts can update findings for their account and their member accounts. Member accounts can update findings for their own account. + +> `BatchUpdateFindings` and `BatchUpdateFindingsV2` both use `securityhub:BatchUpdateFindings` in the `Action` element of an IAM policy statement. You must have permission to perform the `securityhub:BatchUpdateFindings` action. You can configure IAM policies to restrict access to specific finding fields or field values by using the `securityhub:OCSFSyntaxPath/<fieldName>` condition key, where `<fieldName>` is one of the following supported fields: `SeverityId` , `StatusId` , or `Comment` . + +To prevent a user from updating a specific field, use a `Null` condition with `securityhub:OCSFSyntaxPath/<fieldName>` set to `"false"` . To prevent a user from setting a field to a specific value, use a `StringEquals` condition with `securityhub:OCSFSyntaxPath/<fieldName>` set to the disallowed value or list of values. + +Updates from `BatchUpdateFindingsV2` don’t affect the value of `finding_info.modified_time` , `finding_info.modified_time_dt` , `time` , or `time_dt` for a finding. @@ -198 +204 @@ JSON Syntax: -> The updated value for the normalized severity identifier. The severity ID is an integer with the allowed enum values [0, 1, 2, 3, 4, 5, 99]. When customer provides the updated severity ID, the string sibling severity will automatically be updated in the finding. +> The updated value for the normalized severity identifier. The severity ID is an integer with the allowed enum values [0, 1, 2, 3, 4, 5, 6, 99]. When customer provides the updated severity ID, the string sibling severity will automatically be updated in the finding. @@ -202 +208 @@ JSON Syntax: -> The updated value for the normalized status identifier. The status ID is an integer with the allowed enum values [0, 1, 2, 3, 4, 5, 6, 99]. When customer provides the updated status ID, the string sibling status will automatically be updated in the finding. +> The updated value for the normalized status identifier. The status ID is an integer with the allowed enum values [0, 1, 2, 3, 4, 5, 99]. When customer provides the updated status ID, the string sibling status will automatically be updated in the finding. @@ -454 +460 @@ UnprocessedFindings -> (list) - * [AWS CLI 2.34.29 Command Reference](../../index.html) » + * [AWS CLI 2.34.32 Command Reference](../../index.html) »