AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-04-19 · Documentation low

File: cli/latest/reference/securityhub/get-resources-v2.md

Summary

Added documentation for the new '--scopes' parameter that allows delegated administrator accounts to define data boundaries for queries using AWS Organizations, enabling resource retrieval from entire organizations or specific organizational units. Also includes typo fixes and minor clarifications.

Security assessment

This change documents a new access control feature (Scopes parameter) that enables delegated administrators to limit query results to specific organizational boundaries. This enhances security by allowing fine-grained data access control within AWS Organizations, preventing unauthorized access to resources outside defined scopes. However, there's no evidence this addresses a specific security vulnerability or incident - it appears to be a new feature addition.

Diff

diff --git a/cli/latest/reference/securityhub/get-resources-v2.md b/cli/latest/reference/securityhub/get-resources-v2.md
index cbf6d6ee8..99a8687aa 100644
--- a//cli/latest/reference/securityhub/get-resources-v2.md
+++ b//cli/latest/reference/securityhub/get-resources-v2.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.29 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.32 Command Reference](../../index.html) »
@@ -60,0 +61,4 @@ Returns a list of resources.
+You can use the `Scopes` parameter to define the data boundary for the query. Currently, `Scopes` supports `AwsOrganizations` , which lets you retrieve resources from your entire organization or from specific organizational units. Only the delegated administrator account can use `Scopes` .
+
+You can use the `Filters` parameter to refine results based on resource attributes. You can use `Scopes` and `Filters` independently or together. When both are provided, `Scopes` narrows the data set first, and then `Filters` refines results within that scoped data set.
+
@@ -71,0 +76 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
+    [--scopes <value>]
@@ -190 +195 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
->>>>>>>> `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. `CONTAINS_WORD` operator is only supported in `GetFindingsV2` , `GetFindingStatisticsV2` , `GetResourcesV2` , and `GetResourceStatisticsV2` APIs. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the _Security Hub CSPM User Guide_ .
+>>>>>>>> `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. `CONTAINS_WORD` operator is only supported in `GetFindingsV2` , `GetFindingStatisticsV2` , `GetResourcesV2` , and `GetResourcesStatisticsV2` APIs. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the _Security Hub CSPM User Guide_ .
@@ -483 +488 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/securi
->>>>>>>>>> `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. `CONTAINS_WORD` operator is only supported in `GetFindingsV2` , `GetFindingStatisticsV2` , `GetResourcesV2` , and `GetResourceStatisticsV2` APIs. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the _Security Hub CSPM User Guide_ .
+>>>>>>>>>> `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. `CONTAINS_WORD` operator is only supported in `GetFindingsV2` , `GetFindingStatisticsV2` , `GetResourcesV2` , and `GetResourcesStatisticsV2` APIs. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the _Security Hub CSPM User Guide_ .
@@ -840,0 +846,60 @@ JSON Syntax:
+`--scopes` (structure)
+
+> Limits the results to resources from specific organizational units or from the delegated administrator’s organization. Only the delegated administrator account can use this parameter. Other accounts receive an `AccessDeniedException` .
+> 
+> This parameter is optional. If you omit it, the delegated administrator sees resources from all accounts across the entire organization. Other accounts see only their own resources.
+> 
+> You can specify up to 10 entries in `Scopes.AwsOrganizations` . If multiple entries are specified, the entries are combined using OR logic.
+> 
+> AwsOrganizations -> (list)
+>
+>> A list of Organizations scopes to include in the query results. Each entry in the list specifies an organization or organizational unit to include for the delegated administrator’s account. If the list specifies multiple entries, the entries are combined using OR logic.
+>> 
+>> (structure)
+>>
+>>> Specifies an Organizations scope. Data from the specified organization or organizational unit is included in the response.
+>>> 
+>>> To scope to a specific organizational unit, provide `OrganizationalUnitId` . You can optionally include `OrganizationId` . If you omit `OrganizationId` , Security Hub uses the caller’s organization ID. To scope to the delegated administrator’s entire organization, provide only `OrganizationId` .
+>>> 
+>>> The organization ID and organizational unit must belong to the delegated administrator’s own organization. Each request must use one scoping approach: either scope to the entire organization by providing an `AwsOrganizationScope` entry with only `OrganizationId` , or scope to specific organizational units by providing `AwsOrganizationScope` entries with `OrganizationalUnitId` . You can’t combine both approaches in the same request.
+>>> 
+>>> OrganizationId -> (string)
+>>>
+>>>> The unique identifier (ID) of the organization (for example, `o-abcd1234567890` ). The organization must be the delegated administrator’s own organization. If you omit this value and provide `OrganizationalUnitId` , Security Hub uses the caller’s organization ID.
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * pattern: `.*\S.*`
+>>>> 
+
+>>> 
+>>> OrganizationalUnitId -> (string)
+>>>
+>>>> The unique identifier (ID) of the organizational unit (OU) (for example, `ou-ab12-cd345678` ). The OU must exist within the delegated administrator’s own organization. When specified, the results include only data from accounts in this OU.
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * pattern: `.*\S.*`
+>>>> 
+
+
+Shorthand Syntax:
+    
+    
+    AwsOrganizations=[{OrganizationId=string,OrganizationalUnitId=string},{OrganizationId=string,OrganizationalUnitId=string}]
+    
+
+JSON Syntax:
+    
+    
+    {
+      "AwsOrganizations": [
+        {
+          "OrganizationId": "string",
+          "OrganizationalUnitId": "string"
+        }
+        ...
+      ]
+    }
+    
+
@@ -843 +908 @@ JSON Syntax:
-> The finding attributes used to sort the list of returned findings.
+> The resource attributes used to sort the list of returned resources.
@@ -1021 +1086 @@ Resources -> (list)
-> Filters resources based on a set of criteria.
+> An array of resources returned by the operation.
@@ -1238 +1303 @@ NextToken -> (string)
-  * [AWS CLI 2.34.29 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.32 Command Reference](../../index.html) »