AWS IoT

2020/08/12 - AWS IoT - 5 new 3 updated api methods

Changes  Audit finding suppressions: Device Defender enables customers to turn off non-compliant findings for specific resources on a per check basis.

CreateAuditSuppression (new) Link ¶

Creates a Device Defender audit suppression.

See also: AWS API Documentation

Request Syntax

client.create_audit_suppression(
    checkName='string',
    resourceIdentifier={
        'deviceCertificateId': 'string',
        'caCertificateId': 'string',
        'cognitoIdentityPoolId': 'string',
        'clientId': 'string',
        'policyVersionIdentifier': {
            'policyName': 'string',
            'policyVersionId': 'string'
        },
        'account': 'string',
        'iamRoleArn': 'string',
        'roleAliasArn': 'string'
    },
    expirationDate=datetime(2015, 1, 1),
    suppressIndefinitely=True|False,
    description='string',
    clientRequestToken='string'
)
type checkName

string

param checkName

[REQUIRED]

An audit check name. Checks must be enabled for your account. (Use DescribeAccountAuditConfiguration to see the list of all checks, including those that are enabled or use UpdateAccountAuditConfiguration to select which checks are enabled.)

type resourceIdentifier

dict

param resourceIdentifier

[REQUIRED]

Information that identifies the noncompliant resource.

  • deviceCertificateId (string) --

    The ID of the certificate attached to the resource.

  • caCertificateId (string) --

    The ID of the CA certificate used to authorize the certificate.

  • cognitoIdentityPoolId (string) --

    The ID of the Amazon Cognito identity pool.

  • clientId (string) --

    The client ID.

  • policyVersionIdentifier (dict) --

    The version of the policy associated with the resource.

    • policyName (string) --

      The name of the policy.

    • policyVersionId (string) --

      The ID of the version of the policy associated with the resource.

  • account (string) --

    The account with which the resource is associated.

  • iamRoleArn (string) --

    The ARN of the IAM role that has overly permissive actions.

  • roleAliasArn (string) --

    The ARN of the role alias that has overly permissive actions.

type expirationDate

datetime

param expirationDate

The epoch timestamp in seconds at which this suppression expires.

type suppressIndefinitely

boolean

param suppressIndefinitely

Indicates whether a suppression should exist indefinitely or not.

type description

string

param description

The description of the audit suppression.

type clientRequestToken

string

param clientRequestToken

[REQUIRED]

The epoch timestamp in seconds at which this suppression expires.

This field is autopopulated if not provided.

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --

DescribeAuditSuppression (new) Link ¶

Gets information about a Device Defender audit suppression.

See also: AWS API Documentation

Request Syntax

client.describe_audit_suppression(
    checkName='string',
    resourceIdentifier={
        'deviceCertificateId': 'string',
        'caCertificateId': 'string',
        'cognitoIdentityPoolId': 'string',
        'clientId': 'string',
        'policyVersionIdentifier': {
            'policyName': 'string',
            'policyVersionId': 'string'
        },
        'account': 'string',
        'iamRoleArn': 'string',
        'roleAliasArn': 'string'
    }
)
type checkName

string

param checkName

[REQUIRED]

An audit check name. Checks must be enabled for your account. (Use DescribeAccountAuditConfiguration to see the list of all checks, including those that are enabled or use UpdateAccountAuditConfiguration to select which checks are enabled.)

type resourceIdentifier

dict

param resourceIdentifier

[REQUIRED]

Information that identifies the noncompliant resource.

  • deviceCertificateId (string) --

    The ID of the certificate attached to the resource.

  • caCertificateId (string) --

    The ID of the CA certificate used to authorize the certificate.

  • cognitoIdentityPoolId (string) --

    The ID of the Amazon Cognito identity pool.

  • clientId (string) --

    The client ID.

  • policyVersionIdentifier (dict) --

    The version of the policy associated with the resource.

    • policyName (string) --

      The name of the policy.

    • policyVersionId (string) --

      The ID of the version of the policy associated with the resource.

  • account (string) --

    The account with which the resource is associated.

  • iamRoleArn (string) --

    The ARN of the IAM role that has overly permissive actions.

  • roleAliasArn (string) --

    The ARN of the role alias that has overly permissive actions.

rtype

dict

returns

Response Syntax

{
    'checkName': 'string',
    'resourceIdentifier': {
        'deviceCertificateId': 'string',
        'caCertificateId': 'string',
        'cognitoIdentityPoolId': 'string',
        'clientId': 'string',
        'policyVersionIdentifier': {
            'policyName': 'string',
            'policyVersionId': 'string'
        },
        'account': 'string',
        'iamRoleArn': 'string',
        'roleAliasArn': 'string'
    },
    'expirationDate': datetime(2015, 1, 1),
    'suppressIndefinitely': True|False,
    'description': 'string'
}

Response Structure

  • (dict) --

    • checkName (string) --

      An audit check name. Checks must be enabled for your account. (Use DescribeAccountAuditConfiguration to see the list of all checks, including those that are enabled or use UpdateAccountAuditConfiguration to select which checks are enabled.)

    • resourceIdentifier (dict) --

      Information that identifies the noncompliant resource.

      • deviceCertificateId (string) --

        The ID of the certificate attached to the resource.

      • caCertificateId (string) --

        The ID of the CA certificate used to authorize the certificate.

      • cognitoIdentityPoolId (string) --

        The ID of the Amazon Cognito identity pool.

      • clientId (string) --

        The client ID.

      • policyVersionIdentifier (dict) --

        The version of the policy associated with the resource.

        • policyName (string) --

          The name of the policy.

        • policyVersionId (string) --

          The ID of the version of the policy associated with the resource.

      • account (string) --

        The account with which the resource is associated.

      • iamRoleArn (string) --

        The ARN of the IAM role that has overly permissive actions.

      • roleAliasArn (string) --

        The ARN of the role alias that has overly permissive actions.

    • expirationDate (datetime) --

      The epoch timestamp in seconds at which this suppression expires.

    • suppressIndefinitely (boolean) --

      Indicates whether a suppression should exist indefinitely or not.

    • description (string) --

      The description of the audit suppression.

ListAuditSuppressions (new) Link ¶

Lists your Device Defender audit listings.

See also: AWS API Documentation

Request Syntax

client.list_audit_suppressions(
    checkName='string',
    resourceIdentifier={
        'deviceCertificateId': 'string',
        'caCertificateId': 'string',
        'cognitoIdentityPoolId': 'string',
        'clientId': 'string',
        'policyVersionIdentifier': {
            'policyName': 'string',
            'policyVersionId': 'string'
        },
        'account': 'string',
        'iamRoleArn': 'string',
        'roleAliasArn': 'string'
    },
    ascendingOrder=True|False,
    nextToken='string',
    maxResults=123
)
type checkName

string

param checkName

An audit check name. Checks must be enabled for your account. (Use DescribeAccountAuditConfiguration to see the list of all checks, including those that are enabled or use UpdateAccountAuditConfiguration to select which checks are enabled.)

type resourceIdentifier

dict

param resourceIdentifier

Information that identifies the noncompliant resource.

  • deviceCertificateId (string) --

    The ID of the certificate attached to the resource.

  • caCertificateId (string) --

    The ID of the CA certificate used to authorize the certificate.

  • cognitoIdentityPoolId (string) --

    The ID of the Amazon Cognito identity pool.

  • clientId (string) --

    The client ID.

  • policyVersionIdentifier (dict) --

    The version of the policy associated with the resource.

    • policyName (string) --

      The name of the policy.

    • policyVersionId (string) --

      The ID of the version of the policy associated with the resource.

  • account (string) --

    The account with which the resource is associated.

  • iamRoleArn (string) --

    The ARN of the IAM role that has overly permissive actions.

  • roleAliasArn (string) --

    The ARN of the role alias that has overly permissive actions.

type ascendingOrder

boolean

param ascendingOrder

Determines whether suppressions are listed in ascending order by expiration date or not. If parameter isn't provided, ascendingOrder=true .

type nextToken

string

param nextToken

The token for the next set of results.

type maxResults

integer

param maxResults

The maximum number of results to return at one time. The default is 25.

rtype

dict

returns

Response Syntax

{
    'suppressions': [
        {
            'checkName': 'string',
            'resourceIdentifier': {
                'deviceCertificateId': 'string',
                'caCertificateId': 'string',
                'cognitoIdentityPoolId': 'string',
                'clientId': 'string',
                'policyVersionIdentifier': {
                    'policyName': 'string',
                    'policyVersionId': 'string'
                },
                'account': 'string',
                'iamRoleArn': 'string',
                'roleAliasArn': 'string'
            },
            'expirationDate': datetime(2015, 1, 1),
            'suppressIndefinitely': True|False,
            'description': 'string'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • suppressions (list) --

      List of audit suppressions.

      • (dict) --

        Filters out specific findings of a Device Defender audit.

        • checkName (string) --

          An audit check name. Checks must be enabled for your account. (Use DescribeAccountAuditConfiguration to see the list of all checks, including those that are enabled or use UpdateAccountAuditConfiguration to select which checks are enabled.)

        • resourceIdentifier (dict) --

          Information that identifies the noncompliant resource.

          • deviceCertificateId (string) --

            The ID of the certificate attached to the resource.

          • caCertificateId (string) --

            The ID of the CA certificate used to authorize the certificate.

          • cognitoIdentityPoolId (string) --

            The ID of the Amazon Cognito identity pool.

          • clientId (string) --

            The client ID.

          • policyVersionIdentifier (dict) --

            The version of the policy associated with the resource.

            • policyName (string) --

              The name of the policy.

            • policyVersionId (string) --

              The ID of the version of the policy associated with the resource.

          • account (string) --

            The account with which the resource is associated.

          • iamRoleArn (string) --

            The ARN of the IAM role that has overly permissive actions.

          • roleAliasArn (string) --

            The ARN of the role alias that has overly permissive actions.

        • expirationDate (datetime) --

          The expiration date (epoch timestamp in seconds) that you want the suppression to adhere to.

        • suppressIndefinitely (boolean) --

          Indicates whether a suppression should exist indefinitely or not.

        • description (string) --

          The description of the audit suppression.

    • nextToken (string) --

      A token that can be used to retrieve the next set of results, or null if there are no additional results.

UpdateAuditSuppression (new) Link ¶

Updates a Device Defender audit suppression.

See also: AWS API Documentation

Request Syntax

client.update_audit_suppression(
    checkName='string',
    resourceIdentifier={
        'deviceCertificateId': 'string',
        'caCertificateId': 'string',
        'cognitoIdentityPoolId': 'string',
        'clientId': 'string',
        'policyVersionIdentifier': {
            'policyName': 'string',
            'policyVersionId': 'string'
        },
        'account': 'string',
        'iamRoleArn': 'string',
        'roleAliasArn': 'string'
    },
    expirationDate=datetime(2015, 1, 1),
    suppressIndefinitely=True|False,
    description='string'
)
type checkName

string

param checkName

[REQUIRED]

An audit check name. Checks must be enabled for your account. (Use DescribeAccountAuditConfiguration to see the list of all checks, including those that are enabled or use UpdateAccountAuditConfiguration to select which checks are enabled.)

type resourceIdentifier

dict

param resourceIdentifier

[REQUIRED]

Information that identifies the noncompliant resource.

  • deviceCertificateId (string) --

    The ID of the certificate attached to the resource.

  • caCertificateId (string) --

    The ID of the CA certificate used to authorize the certificate.

  • cognitoIdentityPoolId (string) --

    The ID of the Amazon Cognito identity pool.

  • clientId (string) --

    The client ID.

  • policyVersionIdentifier (dict) --

    The version of the policy associated with the resource.

    • policyName (string) --

      The name of the policy.

    • policyVersionId (string) --

      The ID of the version of the policy associated with the resource.

  • account (string) --

    The account with which the resource is associated.

  • iamRoleArn (string) --

    The ARN of the IAM role that has overly permissive actions.

  • roleAliasArn (string) --

    The ARN of the role alias that has overly permissive actions.

type expirationDate

datetime

param expirationDate

The expiration date (epoch timestamp in seconds) that you want the suppression to adhere to.

type suppressIndefinitely

boolean

param suppressIndefinitely

Indicates whether a suppression should exist indefinitely or not.

type description

string

param description

The description of the audit suppression.

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --

DeleteAuditSuppression (new) Link ¶

Deletes a Device Defender audit suppression.

See also: AWS API Documentation

Request Syntax

client.delete_audit_suppression(
    checkName='string',
    resourceIdentifier={
        'deviceCertificateId': 'string',
        'caCertificateId': 'string',
        'cognitoIdentityPoolId': 'string',
        'clientId': 'string',
        'policyVersionIdentifier': {
            'policyName': 'string',
            'policyVersionId': 'string'
        },
        'account': 'string',
        'iamRoleArn': 'string',
        'roleAliasArn': 'string'
    }
)
type checkName

string

param checkName

[REQUIRED]

An audit check name. Checks must be enabled for your account. (Use DescribeAccountAuditConfiguration to see the list of all checks, including those that are enabled or use UpdateAccountAuditConfiguration to select which checks are enabled.)

type resourceIdentifier

dict

param resourceIdentifier

[REQUIRED]

Information that identifies the noncompliant resource.

  • deviceCertificateId (string) --

    The ID of the certificate attached to the resource.

  • caCertificateId (string) --

    The ID of the CA certificate used to authorize the certificate.

  • cognitoIdentityPoolId (string) --

    The ID of the Amazon Cognito identity pool.

  • clientId (string) --

    The client ID.

  • policyVersionIdentifier (dict) --

    The version of the policy associated with the resource.

    • policyName (string) --

      The name of the policy.

    • policyVersionId (string) --

      The ID of the version of the policy associated with the resource.

  • account (string) --

    The account with which the resource is associated.

  • iamRoleArn (string) --

    The ARN of the IAM role that has overly permissive actions.

  • roleAliasArn (string) --

    The ARN of the role alias that has overly permissive actions.

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --

DescribeAuditFinding (updated) Link ¶
Changes (response)
{'finding': {'isSuppressed': 'boolean'}}

Gets information about a single audit finding. Properties include the reason for noncompliance, the severity of the issue, and when the audit that returned the finding was started.

See also: AWS API Documentation

Request Syntax

client.describe_audit_finding(
    findingId='string'
)
type findingId

string

param findingId

[REQUIRED]

A unique identifier for a single audit finding. You can use this identifier to apply mitigation actions to the finding.

rtype

dict

returns

Response Syntax

{
    'finding': {
        'findingId': 'string',
        'taskId': 'string',
        'checkName': 'string',
        'taskStartTime': datetime(2015, 1, 1),
        'findingTime': datetime(2015, 1, 1),
        'severity': 'CRITICAL'|'HIGH'|'MEDIUM'|'LOW',
        'nonCompliantResource': {
            'resourceType': 'DEVICE_CERTIFICATE'|'CA_CERTIFICATE'|'IOT_POLICY'|'COGNITO_IDENTITY_POOL'|'CLIENT_ID'|'ACCOUNT_SETTINGS'|'ROLE_ALIAS'|'IAM_ROLE',
            'resourceIdentifier': {
                'deviceCertificateId': 'string',
                'caCertificateId': 'string',
                'cognitoIdentityPoolId': 'string',
                'clientId': 'string',
                'policyVersionIdentifier': {
                    'policyName': 'string',
                    'policyVersionId': 'string'
                },
                'account': 'string',
                'iamRoleArn': 'string',
                'roleAliasArn': 'string'
            },
            'additionalInfo': {
                'string': 'string'
            }
        },
        'relatedResources': [
            {
                'resourceType': 'DEVICE_CERTIFICATE'|'CA_CERTIFICATE'|'IOT_POLICY'|'COGNITO_IDENTITY_POOL'|'CLIENT_ID'|'ACCOUNT_SETTINGS'|'ROLE_ALIAS'|'IAM_ROLE',
                'resourceIdentifier': {
                    'deviceCertificateId': 'string',
                    'caCertificateId': 'string',
                    'cognitoIdentityPoolId': 'string',
                    'clientId': 'string',
                    'policyVersionIdentifier': {
                        'policyName': 'string',
                        'policyVersionId': 'string'
                    },
                    'account': 'string',
                    'iamRoleArn': 'string',
                    'roleAliasArn': 'string'
                },
                'additionalInfo': {
                    'string': 'string'
                }
            },
        ],
        'reasonForNonCompliance': 'string',
        'reasonForNonComplianceCode': 'string',
        'isSuppressed': True|False
    }
}

Response Structure

  • (dict) --

    • finding (dict) --

      The findings (results) of the audit.

      • findingId (string) --

        A unique identifier for this set of audit findings. This identifier is used to apply mitigation tasks to one or more sets of findings.

      • taskId (string) --

        The ID of the audit that generated this result (finding).

      • checkName (string) --

        The audit check that generated this result.

      • taskStartTime (datetime) --

        The time the audit started.

      • findingTime (datetime) --

        The time the result (finding) was discovered.

      • severity (string) --

        The severity of the result (finding).

      • nonCompliantResource (dict) --

        The resource that was found to be noncompliant with the audit check.

        • resourceType (string) --

          The type of the noncompliant resource.

        • resourceIdentifier (dict) --

          Information that identifies the noncompliant resource.

          • deviceCertificateId (string) --

            The ID of the certificate attached to the resource.

          • caCertificateId (string) --

            The ID of the CA certificate used to authorize the certificate.

          • cognitoIdentityPoolId (string) --

            The ID of the Amazon Cognito identity pool.

          • clientId (string) --

            The client ID.

          • policyVersionIdentifier (dict) --

            The version of the policy associated with the resource.

            • policyName (string) --

              The name of the policy.

            • policyVersionId (string) --

              The ID of the version of the policy associated with the resource.

          • account (string) --

            The account with which the resource is associated.

          • iamRoleArn (string) --

            The ARN of the IAM role that has overly permissive actions.

          • roleAliasArn (string) --

            The ARN of the role alias that has overly permissive actions.

        • additionalInfo (dict) --

          Other information about the noncompliant resource.

          • (string) --

            • (string) --

      • relatedResources (list) --

        The list of related resources.

        • (dict) --

          Information about a related resource.

          • resourceType (string) --

            The type of resource.

          • resourceIdentifier (dict) --

            Information that identifies the resource.

            • deviceCertificateId (string) --

              The ID of the certificate attached to the resource.

            • caCertificateId (string) --

              The ID of the CA certificate used to authorize the certificate.

            • cognitoIdentityPoolId (string) --

              The ID of the Amazon Cognito identity pool.

            • clientId (string) --

              The client ID.

            • policyVersionIdentifier (dict) --

              The version of the policy associated with the resource.

              • policyName (string) --

                The name of the policy.

              • policyVersionId (string) --

                The ID of the version of the policy associated with the resource.

            • account (string) --

              The account with which the resource is associated.

            • iamRoleArn (string) --

              The ARN of the IAM role that has overly permissive actions.

            • roleAliasArn (string) --

              The ARN of the role alias that has overly permissive actions.

          • additionalInfo (dict) --

            Other information about the resource.

            • (string) --

              • (string) --

      • reasonForNonCompliance (string) --

        The reason the resource was noncompliant.

      • reasonForNonComplianceCode (string) --

        A code that indicates the reason that the resource was noncompliant.

      • isSuppressed (boolean) --

        Indicates whether the audit finding was suppressed or not during reporting.

DescribeAuditTask (updated) Link ¶
Changes (response)
{'auditDetails': {'suppressedNonCompliantResourcesCount': 'long'}}

Gets information about a Device Defender audit.

See also: AWS API Documentation

Request Syntax

client.describe_audit_task(
    taskId='string'
)
type taskId

string

param taskId

[REQUIRED]

The ID of the audit whose information you want to get.

rtype

dict

returns

Response Syntax

{
    'taskStatus': 'IN_PROGRESS'|'COMPLETED'|'FAILED'|'CANCELED',
    'taskType': 'ON_DEMAND_AUDIT_TASK'|'SCHEDULED_AUDIT_TASK',
    'taskStartTime': datetime(2015, 1, 1),
    'taskStatistics': {
        'totalChecks': 123,
        'inProgressChecks': 123,
        'waitingForDataCollectionChecks': 123,
        'compliantChecks': 123,
        'nonCompliantChecks': 123,
        'failedChecks': 123,
        'canceledChecks': 123
    },
    'scheduledAuditName': 'string',
    'auditDetails': {
        'string': {
            'checkRunStatus': 'IN_PROGRESS'|'WAITING_FOR_DATA_COLLECTION'|'CANCELED'|'COMPLETED_COMPLIANT'|'COMPLETED_NON_COMPLIANT'|'FAILED',
            'checkCompliant': True|False,
            'totalResourcesCount': 123,
            'nonCompliantResourcesCount': 123,
            'suppressedNonCompliantResourcesCount': 123,
            'errorCode': 'string',
            'message': 'string'
        }
    }
}

Response Structure

  • (dict) --

    • taskStatus (string) --

      The status of the audit: one of "IN_PROGRESS", "COMPLETED", "FAILED", or "CANCELED".

    • taskType (string) --

      The type of audit: "ON_DEMAND_AUDIT_TASK" or "SCHEDULED_AUDIT_TASK".

    • taskStartTime (datetime) --

      The time the audit started.

    • taskStatistics (dict) --

      Statistical information about the audit.

      • totalChecks (integer) --

        The number of checks in this audit.

      • inProgressChecks (integer) --

        The number of checks in progress.

      • waitingForDataCollectionChecks (integer) --

        The number of checks waiting for data collection.

      • compliantChecks (integer) --

        The number of checks that found compliant resources.

      • nonCompliantChecks (integer) --

        The number of checks that found noncompliant resources.

      • failedChecks (integer) --

        The number of checks.

      • canceledChecks (integer) --

        The number of checks that did not run because the audit was canceled.

    • scheduledAuditName (string) --

      The name of the scheduled audit (only if the audit was a scheduled audit).

    • auditDetails (dict) --

      Detailed information about each check performed during this audit.

      • (string) --

        An audit check name. Checks must be enabled for your account. (Use DescribeAccountAuditConfiguration to see the list of all checks, including those that are enabled or use UpdateAccountAuditConfiguration to select which checks are enabled.)

        • (dict) --

          Information about the audit check.

          • checkRunStatus (string) --

            The completion status of this check. One of "IN_PROGRESS", "WAITING_FOR_DATA_COLLECTION", "CANCELED", "COMPLETED_COMPLIANT", "COMPLETED_NON_COMPLIANT", or "FAILED".

          • checkCompliant (boolean) --

            True if the check is complete and found all resources compliant.

          • totalResourcesCount (integer) --

            The number of resources on which the check was performed.

          • nonCompliantResourcesCount (integer) --

            The number of resources that were found noncompliant during the check.

          • suppressedNonCompliantResourcesCount (integer) --

            Describes how many of the non-compliant resources created during the evaluation of an audit check were marked as suppressed.

          • errorCode (string) --

            The code of any error encountered when this check is performed during this audit. One of "INSUFFICIENT_PERMISSIONS" or "AUDIT_CHECK_DISABLED".

          • message (string) --

            The message associated with any error encountered when this check is performed during this audit.

ListAuditFindings (updated) Link ¶
Changes (request, response)
Request
{'listSuppressedFindings': 'boolean'}
Response
{'findings': {'isSuppressed': 'boolean'}}

Lists the findings (results) of a Device Defender audit or of the audits performed during a specified time period. (Findings are retained for 180 days.)

See also: AWS API Documentation

Request Syntax

client.list_audit_findings(
    taskId='string',
    checkName='string',
    resourceIdentifier={
        'deviceCertificateId': 'string',
        'caCertificateId': 'string',
        'cognitoIdentityPoolId': 'string',
        'clientId': 'string',
        'policyVersionIdentifier': {
            'policyName': 'string',
            'policyVersionId': 'string'
        },
        'account': 'string',
        'iamRoleArn': 'string',
        'roleAliasArn': 'string'
    },
    maxResults=123,
    nextToken='string',
    startTime=datetime(2015, 1, 1),
    endTime=datetime(2015, 1, 1),
    listSuppressedFindings=True|False
)
type taskId

string

param taskId

A filter to limit results to the audit with the specified ID. You must specify either the taskId or the startTime and endTime, but not both.

type checkName

string

param checkName

A filter to limit results to the findings for the specified audit check.

type resourceIdentifier

dict

param resourceIdentifier

Information identifying the noncompliant resource.

  • deviceCertificateId (string) --

    The ID of the certificate attached to the resource.

  • caCertificateId (string) --

    The ID of the CA certificate used to authorize the certificate.

  • cognitoIdentityPoolId (string) --

    The ID of the Amazon Cognito identity pool.

  • clientId (string) --

    The client ID.

  • policyVersionIdentifier (dict) --

    The version of the policy associated with the resource.

    • policyName (string) --

      The name of the policy.

    • policyVersionId (string) --

      The ID of the version of the policy associated with the resource.

  • account (string) --

    The account with which the resource is associated.

  • iamRoleArn (string) --

    The ARN of the IAM role that has overly permissive actions.

  • roleAliasArn (string) --

    The ARN of the role alias that has overly permissive actions.

type maxResults

integer

param maxResults

The maximum number of results to return at one time. The default is 25.

type nextToken

string

param nextToken

The token for the next set of results.

type startTime

datetime

param startTime

A filter to limit results to those found after the specified time. You must specify either the startTime and endTime or the taskId, but not both.

type endTime

datetime

param endTime

A filter to limit results to those found before the specified time. You must specify either the startTime and endTime or the taskId, but not both.

type listSuppressedFindings

boolean

param listSuppressedFindings

Boolean flag indicating whether only the suppressed findings or the unsuppressed findings should be listed. If this parameter isn't provided, the response will list both suppressed and unsuppressed findings.

rtype

dict

returns

Response Syntax

{
    'findings': [
        {
            'findingId': 'string',
            'taskId': 'string',
            'checkName': 'string',
            'taskStartTime': datetime(2015, 1, 1),
            'findingTime': datetime(2015, 1, 1),
            'severity': 'CRITICAL'|'HIGH'|'MEDIUM'|'LOW',
            'nonCompliantResource': {
                'resourceType': 'DEVICE_CERTIFICATE'|'CA_CERTIFICATE'|'IOT_POLICY'|'COGNITO_IDENTITY_POOL'|'CLIENT_ID'|'ACCOUNT_SETTINGS'|'ROLE_ALIAS'|'IAM_ROLE',
                'resourceIdentifier': {
                    'deviceCertificateId': 'string',
                    'caCertificateId': 'string',
                    'cognitoIdentityPoolId': 'string',
                    'clientId': 'string',
                    'policyVersionIdentifier': {
                        'policyName': 'string',
                        'policyVersionId': 'string'
                    },
                    'account': 'string',
                    'iamRoleArn': 'string',
                    'roleAliasArn': 'string'
                },
                'additionalInfo': {
                    'string': 'string'
                }
            },
            'relatedResources': [
                {
                    'resourceType': 'DEVICE_CERTIFICATE'|'CA_CERTIFICATE'|'IOT_POLICY'|'COGNITO_IDENTITY_POOL'|'CLIENT_ID'|'ACCOUNT_SETTINGS'|'ROLE_ALIAS'|'IAM_ROLE',
                    'resourceIdentifier': {
                        'deviceCertificateId': 'string',
                        'caCertificateId': 'string',
                        'cognitoIdentityPoolId': 'string',
                        'clientId': 'string',
                        'policyVersionIdentifier': {
                            'policyName': 'string',
                            'policyVersionId': 'string'
                        },
                        'account': 'string',
                        'iamRoleArn': 'string',
                        'roleAliasArn': 'string'
                    },
                    'additionalInfo': {
                        'string': 'string'
                    }
                },
            ],
            'reasonForNonCompliance': 'string',
            'reasonForNonComplianceCode': 'string',
            'isSuppressed': True|False
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • findings (list) --

      The findings (results) of the audit.

      • (dict) --

        The findings (results) of the audit.

        • findingId (string) --

          A unique identifier for this set of audit findings. This identifier is used to apply mitigation tasks to one or more sets of findings.

        • taskId (string) --

          The ID of the audit that generated this result (finding).

        • checkName (string) --

          The audit check that generated this result.

        • taskStartTime (datetime) --

          The time the audit started.

        • findingTime (datetime) --

          The time the result (finding) was discovered.

        • severity (string) --

          The severity of the result (finding).

        • nonCompliantResource (dict) --

          The resource that was found to be noncompliant with the audit check.

          • resourceType (string) --

            The type of the noncompliant resource.

          • resourceIdentifier (dict) --

            Information that identifies the noncompliant resource.

            • deviceCertificateId (string) --

              The ID of the certificate attached to the resource.

            • caCertificateId (string) --

              The ID of the CA certificate used to authorize the certificate.

            • cognitoIdentityPoolId (string) --

              The ID of the Amazon Cognito identity pool.

            • clientId (string) --

              The client ID.

            • policyVersionIdentifier (dict) --

              The version of the policy associated with the resource.

              • policyName (string) --

                The name of the policy.

              • policyVersionId (string) --

                The ID of the version of the policy associated with the resource.

            • account (string) --

              The account with which the resource is associated.

            • iamRoleArn (string) --

              The ARN of the IAM role that has overly permissive actions.

            • roleAliasArn (string) --

              The ARN of the role alias that has overly permissive actions.

          • additionalInfo (dict) --

            Other information about the noncompliant resource.

            • (string) --

              • (string) --

        • relatedResources (list) --

          The list of related resources.

          • (dict) --

            Information about a related resource.

            • resourceType (string) --

              The type of resource.

            • resourceIdentifier (dict) --

              Information that identifies the resource.

              • deviceCertificateId (string) --

                The ID of the certificate attached to the resource.

              • caCertificateId (string) --

                The ID of the CA certificate used to authorize the certificate.

              • cognitoIdentityPoolId (string) --

                The ID of the Amazon Cognito identity pool.

              • clientId (string) --

                The client ID.

              • policyVersionIdentifier (dict) --

                The version of the policy associated with the resource.

                • policyName (string) --

                  The name of the policy.

                • policyVersionId (string) --

                  The ID of the version of the policy associated with the resource.

              • account (string) --

                The account with which the resource is associated.

              • iamRoleArn (string) --

                The ARN of the IAM role that has overly permissive actions.

              • roleAliasArn (string) --

                The ARN of the role alias that has overly permissive actions.

            • additionalInfo (dict) --

              Other information about the resource.

              • (string) --

                • (string) --

        • reasonForNonCompliance (string) --

          The reason the resource was noncompliant.

        • reasonForNonComplianceCode (string) --

          A code that indicates the reason that the resource was noncompliant.

        • isSuppressed (boolean) --

          Indicates whether the audit finding was suppressed or not during reporting.

    • nextToken (string) --

      A token that can be used to retrieve the next set of results, or null if there are no additional results.