AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-04-19 · Documentation low

File: cli/latest/reference/securityhub/get-finding-statistics-v2.md

Summary

Updated AWS CLI version from 2.34.29 to 2.34.32, added documentation for new Scopes parameter allowing delegated administrators to limit query results by AWS Organizations or organizational units, corrected IAM action name, and fixed typos in operator documentation.

Security assessment

The change introduces a new Scopes parameter that enables delegated administrators to control the scope of findings statistics by organization or organizational unit, which enhances data isolation and access control. It clarifies that only delegated administrators can use this feature and others receive AccessDeniedException. This is a security feature addition rather than addressing a specific vulnerability. The correction of IAM action name from 's' to 'securityhub:GetAdhocInsightResults' improves security documentation accuracy.

Diff

diff --git a/cli/latest/reference/securityhub/get-finding-statistics-v2.md b/cli/latest/reference/securityhub/get-finding-statistics-v2.md
index 05765fb1d..5a192c475 100644
--- a//cli/latest/reference/securityhub/get-finding-statistics-v2.md
+++ b//cli/latest/reference/securityhub/get-finding-statistics-v2.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.29 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.32 Command Reference](../../index.html) »
@@ -59 +59,5 @@ First time using the AWS CLI? See the [User Guide](https://docs.aws.amazon.com/c
-Returns aggregated statistical data about findings. `GetFindingStatisticsV2` use `securityhub:GetAdhocInsightResults` in the `Action` element of an IAM policy statement. You must have permission to perform the `s` action.
+Returns aggregated statistical data about findings.
+
+You can use the `Scopes` parameter to define the data boundary for the query. Currently, `Scopes` supports `AwsOrganizations` , which lets you aggregate findings from your entire organization or from specific organizational units. Only the delegated administrator account can use `Scopes` .
+
+> `GetFindingStatisticsV2` uses `securityhub:GetAdhocInsightResults` in the `Action` element of an IAM policy statement. You must have permission to perform the `securityhub:GetAdhocInsightResults` action.
@@ -67,0 +72 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
+    [--scopes <value>]
@@ -254 +259 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
->>>>>>>>>> `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. `CONTAINS_WORD` operator is only supported in `GetFindingsV2` , `GetFindingStatisticsV2` , `GetResourcesV2` , and `GetResourceStatisticsV2` APIs. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the _Security Hub CSPM User Guide_ .
+>>>>>>>>>> `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. `CONTAINS_WORD` operator is only supported in `GetFindingsV2` , `GetFindingStatisticsV2` , `GetResourcesV2` , and `GetResourcesStatisticsV2` APIs. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the _Security Hub CSPM User Guide_ .
@@ -683 +688 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
->>>>>>>>>>>> `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. `CONTAINS_WORD` operator is only supported in `GetFindingsV2` , `GetFindingStatisticsV2` , `GetResourcesV2` , and `GetResourceStatisticsV2` APIs. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the _Security Hub CSPM User Guide_ .
+>>>>>>>>>>>> `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. `CONTAINS_WORD` operator is only supported in `GetFindingsV2` , `GetFindingStatisticsV2` , `GetResourcesV2` , and `GetResourcesStatisticsV2` APIs. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the _Security Hub CSPM User Guide_ .
@@ -1189,0 +1195,60 @@ JSON Syntax:
+`--scopes` (structure)
+
+> Limits the results to findings from specific organizational units or from the delegated administrator’s organization. Only the delegated administrator account can use this parameter. Other accounts receive an `AccessDeniedException` .
+> 
+> This parameter is optional. If you omit it, the delegated administrator sees statistics from all accounts across the entire organization. Other accounts see only statistics for their own findings.
+> 
+> You can specify up to 10 entries in `Scopes.AwsOrganizations` . If multiple entries are specified, the entries are combined using OR logic.
+> 
+> AwsOrganizations -> (list)
+>
+>> A list of Organizations scopes to include in the query results. Each entry in the list specifies an organization or organizational unit to include for the delegated administrator’s account. If the list specifies multiple entries, the entries are combined using OR logic.
+>> 
+>> (structure)
+>>
+>>> Specifies an Organizations scope. Data from the specified organization or organizational unit is included in the response.
+>>> 
+>>> To scope to a specific organizational unit, provide `OrganizationalUnitId` . You can optionally include `OrganizationId` . If you omit `OrganizationId` , Security Hub uses the caller’s organization ID. To scope to the delegated administrator’s entire organization, provide only `OrganizationId` .
+>>> 
+>>> The organization ID and organizational unit must belong to the delegated administrator’s own organization. Each request must use one scoping approach: either scope to the entire organization by providing an `AwsOrganizationScope` entry with only `OrganizationId` , or scope to specific organizational units by providing `AwsOrganizationScope` entries with `OrganizationalUnitId` . You can’t combine both approaches in the same request.
+>>> 
+>>> OrganizationId -> (string)
+>>>
+>>>> The unique identifier (ID) of the organization (for example, `o-abcd1234567890` ). The organization must be the delegated administrator’s own organization. If you omit this value and provide `OrganizationalUnitId` , Security Hub uses the caller’s organization ID.
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * pattern: `.*\S.*`
+>>>> 
+
+>>> 
+>>> OrganizationalUnitId -> (string)
+>>>
+>>>> The unique identifier (ID) of the organizational unit (OU) (for example, `ou-ab12-cd345678` ). The OU must exist within the delegated administrator’s own organization. When specified, the results include only data from accounts in this OU.
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * pattern: `.*\S.*`
+>>>> 
+
+
+Shorthand Syntax:
+    
+    
+    AwsOrganizations=[{OrganizationId=string,OrganizationalUnitId=string},{OrganizationId=string,OrganizationalUnitId=string}]
+    
+
+JSON Syntax:
+    
+    
+    {
+      "AwsOrganizations": [
+        {
+          "OrganizationId": "string",
+          "OrganizationalUnitId": "string"
+        }
+        ...
+      ]
+    }
+    
+
@@ -1375 +1440 @@ GroupByResults -> (list)
-  * [AWS CLI 2.34.29 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.32 Command Reference](../../index.html) »