AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-04-19 · Documentation low

File: cli/latest/reference/securityhub/get-findings-v2.md

Summary

Updated AWS CLI version from 2.34.29 to 2.34.32, expanded command description to include Scopes parameter usage, added --scopes option to syntax, corrected API name in note (GetResourceStatisticsV2 to GetResourcesStatisticsV2), and added detailed documentation for the --scopes parameter.

Security assessment

The change adds documentation for the Scopes parameter, which is a security feature that allows delegated administrators to control the scope of findings by organization or organizational unit. This enhances access control and data segmentation. However, there is no evidence of a security vulnerability being fixed; it is a documentation update for a feature.

Diff

diff --git a/cli/latest/reference/securityhub/get-findings-v2.md b/cli/latest/reference/securityhub/get-findings-v2.md
index 8fc82553c..93c685ed3 100644
--- a//cli/latest/reference/securityhub/get-findings-v2.md
+++ b//cli/latest/reference/securityhub/get-findings-v2.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.29 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.32 Command Reference](../../index.html) »
@@ -59 +59,7 @@ First time using the AWS CLI? See the [User Guide](https://docs.aws.amazon.com/c
-Return a list of findings that match the specified criteria. `GetFindings` and `GetFindingsV2` both use `securityhub:GetFindings` in the `Action` element of an IAM policy statement. You must have permission to perform the `securityhub:GetFindings` action.
+Returns a list of findings that match the specified criteria.
+
+You can use the `Scopes` parameter to define the data boundary for the query. Currently, `Scopes` supports `AwsOrganizations` , which lets you retrieve findings from your entire organization or from specific organizational units. Only the delegated administrator account can use `Scopes` .
+
+You can use the `Filters` parameter to refine results based on finding attributes. You can use `Scopes` and `Filters` independently or together. When both are provided, `Scopes` narrows the data set first, and then `Filters` refines results within that scoped data set.
+
+> `GetFindings` and `GetFindingsV2` both use `securityhub:GetFindings` in the `Action` element of an IAM policy statement. You must have permission to perform the `securityhub:GetFindings` action.
@@ -71,0 +78 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
+    [--scopes <value>]
@@ -252 +259 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
->>>>>>>> `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. `CONTAINS_WORD` operator is only supported in `GetFindingsV2` , `GetFindingStatisticsV2` , `GetResourcesV2` , and `GetResourceStatisticsV2` APIs. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the _Security Hub CSPM User Guide_ .
+>>>>>>>> `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. `CONTAINS_WORD` operator is only supported in `GetFindingsV2` , `GetFindingStatisticsV2` , `GetResourcesV2` , and `GetResourcesStatisticsV2` APIs. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the _Security Hub CSPM User Guide_ .
@@ -681 +688 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
->>>>>>>>>> `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. `CONTAINS_WORD` operator is only supported in `GetFindingsV2` , `GetFindingStatisticsV2` , `GetResourcesV2` , and `GetResourceStatisticsV2` APIs. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the _Security Hub CSPM User Guide_ .
+>>>>>>>>>> `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. `CONTAINS_WORD` operator is only supported in `GetFindingsV2` , `GetFindingStatisticsV2` , `GetResourcesV2` , and `GetResourcesStatisticsV2` APIs. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the _Security Hub CSPM User Guide_ .
@@ -1148,0 +1156,60 @@ JSON Syntax:
+`--scopes` (structure)
+
+> Limits the results to findings from specific organizational units or from the delegated administrator’s organization. Only the delegated administrator account can use this parameter. Other accounts receive an `AccessDeniedException` .
+> 
+> This parameter is optional. If you omit it, the delegated administrator sees findings from all accounts across the entire organization. Other accounts see only their own findings.
+> 
+> You can specify up to 10 entries in `Scopes.AwsOrganizations` . If multiple entries are specified, the entries are combined using OR logic.
+> 
+> AwsOrganizations -> (list)
+>
+>> A list of Organizations scopes to include in the query results. Each entry in the list specifies an organization or organizational unit to include for the delegated administrator’s account. If the list specifies multiple entries, the entries are combined using OR logic.
+>> 
+>> (structure)
+>>
+>>> Specifies an Organizations scope. Data from the specified organization or organizational unit is included in the response.
+>>> 
+>>> To scope to a specific organizational unit, provide `OrganizationalUnitId` . You can optionally include `OrganizationId` . If you omit `OrganizationId` , Security Hub uses the caller’s organization ID. To scope to the delegated administrator’s entire organization, provide only `OrganizationId` .
+>>> 
+>>> The organization ID and organizational unit must belong to the delegated administrator’s own organization. Each request must use one scoping approach: either scope to the entire organization by providing an `AwsOrganizationScope` entry with only `OrganizationId` , or scope to specific organizational units by providing `AwsOrganizationScope` entries with `OrganizationalUnitId` . You can’t combine both approaches in the same request.
+>>> 
+>>> OrganizationId -> (string)
+>>>
+>>>> The unique identifier (ID) of the organization (for example, `o-abcd1234567890` ). The organization must be the delegated administrator’s own organization. If you omit this value and provide `OrganizationalUnitId` , Security Hub uses the caller’s organization ID.
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * pattern: `.*\S.*`
+>>>> 
+
+>>> 
+>>> OrganizationalUnitId -> (string)
+>>>
+>>>> The unique identifier (ID) of the organizational unit (OU) (for example, `ou-ab12-cd345678` ). The OU must exist within the delegated administrator’s own organization. When specified, the results include only data from accounts in this OU.
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * pattern: `.*\S.*`
+>>>> 
+
+
+Shorthand Syntax:
+    
+    
+    AwsOrganizations=[{OrganizationId=string,OrganizationalUnitId=string},{OrganizationId=string,OrganizationalUnitId=string}]
+    
+
+JSON Syntax:
+    
+    
+    {
+      "AwsOrganizations": [
+        {
+          "OrganizationId": "string",
+          "OrganizationalUnitId": "string"
+        }
+        ...
+      ]
+    }
+    
+
@@ -1347 +1414 @@ NextToken -> (string)
-  * [AWS CLI 2.34.29 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.32 Command Reference](../../index.html) »