AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-04-19 · Documentation low

File: cli/latest/reference/securityhub/get-resources-statistics-v2.md

Summary

Added documentation for the new --scopes parameter that allows delegated administrator accounts to limit query results to specific organizational units or the entire organization in Security Hub's get-resources-statistics-v2 API. Also updated CLI version references and fixed a typo in API name.

Security assessment

This change documents a new access control feature (Scopes parameter) for Security Hub's resource statistics API. It enables delegated administrators to define data boundaries at the organizational level, which is a security feature for controlling data visibility and access. However, there is no evidence this addresses a specific security vulnerability or incident - it appears to be a new feature addition. The documentation explains access control boundaries and mentions AccessDeniedException for unauthorized accounts.

Diff

diff --git a/cli/latest/reference/securityhub/get-resources-statistics-v2.md b/cli/latest/reference/securityhub/get-resources-statistics-v2.md
index fe0208d3d..941fb269a 100644
--- a//cli/latest/reference/securityhub/get-resources-statistics-v2.md
+++ b//cli/latest/reference/securityhub/get-resources-statistics-v2.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.29 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.32 Command Reference](../../index.html) »
@@ -60,0 +61,2 @@ Retrieves statistical information about Amazon Web Services resources and their
+You can use the `Scopes` parameter to define the data boundary for the query. Currently, `Scopes` supports `AwsOrganizations` , which lets you aggregate resources from your entire organization or from specific organizational units. Only the delegated administrator account can use `Scopes` .
+
@@ -67,0 +70 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
+    [--scopes <value>]
@@ -207 +210 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
->>>>>>>>>> `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. `CONTAINS_WORD` operator is only supported in `GetFindingsV2` , `GetFindingStatisticsV2` , `GetResourcesV2` , and `GetResourceStatisticsV2` APIs. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the _Security Hub CSPM User Guide_ .
+>>>>>>>>>> `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. `CONTAINS_WORD` operator is only supported in `GetFindingsV2` , `GetFindingStatisticsV2` , `GetResourcesV2` , and `GetResourcesStatisticsV2` APIs. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the _Security Hub CSPM User Guide_ .
@@ -500 +503 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
->>>>>>>>>>>> `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. `CONTAINS_WORD` operator is only supported in `GetFindingsV2` , `GetFindingStatisticsV2` , `GetResourcesV2` , and `GetResourceStatisticsV2` APIs. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the _Security Hub CSPM User Guide_ .
+>>>>>>>>>>>> `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. `CONTAINS_WORD` operator is only supported in `GetFindingsV2` , `GetFindingStatisticsV2` , `GetResourcesV2` , and `GetResourcesStatisticsV2` APIs. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the _Security Hub CSPM User Guide_ .
@@ -863,0 +867,60 @@ JSON Syntax:
+`--scopes` (structure)
+
+> Limits the results to resources from specific organizational units or from the delegated administrator’s organization. Only the delegated administrator account can use this parameter. Other accounts receive an `AccessDeniedException` .
+> 
+> This parameter is optional. If you omit it, the delegated administrator sees statistics from all accounts across the entire organization. Other accounts see only statistics for their own resources.
+> 
+> You can specify up to 10 entries in `Scopes.AwsOrganizations` . If multiple entries are specified, the entries are combined using OR logic.
+> 
+> AwsOrganizations -> (list)
+>
+>> A list of Organizations scopes to include in the query results. Each entry in the list specifies an organization or organizational unit to include for the delegated administrator’s account. If the list specifies multiple entries, the entries are combined using OR logic.
+>> 
+>> (structure)
+>>
+>>> Specifies an Organizations scope. Data from the specified organization or organizational unit is included in the response.
+>>> 
+>>> To scope to a specific organizational unit, provide `OrganizationalUnitId` . You can optionally include `OrganizationId` . If you omit `OrganizationId` , Security Hub uses the caller’s organization ID. To scope to the delegated administrator’s entire organization, provide only `OrganizationId` .
+>>> 
+>>> The organization ID and organizational unit must belong to the delegated administrator’s own organization. Each request must use one scoping approach: either scope to the entire organization by providing an `AwsOrganizationScope` entry with only `OrganizationId` , or scope to specific organizational units by providing `AwsOrganizationScope` entries with `OrganizationalUnitId` . You can’t combine both approaches in the same request.
+>>> 
+>>> OrganizationId -> (string)
+>>>
+>>>> The unique identifier (ID) of the organization (for example, `o-abcd1234567890` ). The organization must be the delegated administrator’s own organization. If you omit this value and provide `OrganizationalUnitId` , Security Hub uses the caller’s organization ID.
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * pattern: `.*\S.*`
+>>>> 
+
+>>> 
+>>> OrganizationalUnitId -> (string)
+>>>
+>>>> The unique identifier (ID) of the organizational unit (OU) (for example, `ou-ab12-cd345678` ). The OU must exist within the delegated administrator’s own organization. When specified, the results include only data from accounts in this OU.
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * pattern: `.*\S.*`
+>>>> 
+
+
+Shorthand Syntax:
+    
+    
+    AwsOrganizations=[{OrganizationId=string,OrganizationalUnitId=string},{OrganizationId=string,OrganizationalUnitId=string}]
+    
+
+JSON Syntax:
+    
+    
+    {
+      "AwsOrganizations": [
+        {
+          "OrganizationId": "string",
+          "OrganizationalUnitId": "string"
+        }
+        ...
+      ]
+    }
+    
+
@@ -1049 +1112 @@ GroupByResults -> (list)
-  * [AWS CLI 2.34.29 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.32 Command Reference](../../index.html) »