AWS IoT

2022/11/11 - AWS IoT - 1 new 7 updated api methods

Changes  This release adds the new API listRelatedResourcesForAuditFinding and the new member type IssuerCertificates for IoT Device Defender Audit.

ListRelatedResourcesForAuditFinding (new)

The related resources of an Audit finding. The following resources can be returned from calling this API:

  • DEVICE_CERTIFICATE

  • CA_CERTIFICATE

  • IOT_POLICY

  • COGNITO_IDENTITY_POOL

  • CLIENT_ID

  • ACCOUNT_SETTINGS

  • ROLE_ALIAS

  • IAM_ROLE

  • ISSUER_CERTIFICATE

Note

This API is similar to DescribeAuditFinding's RelatedResources but provides pagination and is not limited to 10 resources. When calling DescribeAuditFinding for the intermediate CA revoked for active device certificates check, RelatedResources will not be populated. You must use this API, ListRelatedResourcesForAuditFinding, to list the certificates.
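The pager below is an added example, not code from the changelog or from boto3. It follows nextToken until ListRelatedResourcesForAuditFinding stops returning one, which is what the note above asks for when the intermediate CA revoked check leaves DescribeAuditFinding's RelatedResources empty, and it only sends nextToken once the service has handed one back (boto3 rejects None for a string parameter). The client argument can be a real boto3 IoT client; FakeIotClient is a constructed stand-in that reproduces only the documented response shape so the example runs offline, and every identifier in the sample data is a placeholder.

```python
"""Pager for ListRelatedResourcesForAuditFinding (added example, not from
the page or the boto3 project). FakeIotClient is a constructed stand-in
that reproduces only the response shape documented above."""

from collections import Counter
from typing import Dict, Iterator, List


class FakeIotClient:
    """Constructed stand-in for boto3's IoT client: serves a flat list of
    related resources in pages of maxResults and returns a nextToken until
    the list is exhausted."""

    def __init__(self, related: Dict[str, List[dict]]) -> None:
        self._related = related   # findingId -> all related resources
        self.calls = 0            # number of pages requested so far

    def list_related_resources_for_audit_finding(self, findingId: str,
                                                 maxResults: int = 25,
                                                 nextToken: str = "") -> dict:
        self.calls += 1
        items = self._related[findingId]
        start = int(nextToken) if nextToken else 0
        end = start + maxResults
        resp = {"relatedResources": items[start:end]}
        if end < len(items):
            resp["nextToken"] = str(end)   # opaque to callers, as with the real API
        return resp


def iter_related_resources(client, finding_id: str,
                           page_size: int = 25) -> Iterator[dict]:
    """Yield every related resource of a finding, following nextToken.
    nextToken is added to the request only after the service returned one."""
    kwargs = {"findingId": finding_id, "maxResults": page_size}
    while True:
        resp = client.list_related_resources_for_audit_finding(**kwargs)
        yield from resp.get("relatedResources", [])
        token = resp.get("nextToken")
        if not token:
            return
        kwargs["nextToken"] = token


def device_certificates_for_finding(client, finding_id: str,
                                    page_size: int = 25) -> List[str]:
    """Collect the identifiers of all DEVICE_CERTIFICATE resources tied to a
    finding: the complete list, not the 10-element cap of DescribeAuditFinding."""
    certs = []
    for res in iter_related_resources(client, finding_id, page_size):
        if res.get("resourceType") != "DEVICE_CERTIFICATE":
            continue
        ident = res.get("resourceIdentifier", {})
        certs.append(ident.get("deviceCertificateArn") or ident.get("deviceCertificateId"))
    return certs


def count_by_type(client, finding_id: str, page_size: int = 25) -> Dict[str, int]:
    """Tally related resources per resourceType across all pages."""
    return dict(Counter(r["resourceType"]
                        for r in iter_related_resources(client, finding_id, page_size)))


# Constructed sample data: eleven device certificates and the revoked
# intermediate CA they chain to. All identifiers are placeholders.
def _device_cert(n: int) -> dict:
    return {"resourceType": "DEVICE_CERTIFICATE",
            "resourceIdentifier": {"deviceCertificateId": f"devcert-{n:02d}"},
            "additionalInfo": {}}


SAMPLE_RELATED = [_device_cert(n) for n in range(1, 12)] + [{
    "resourceType": "ISSUER_CERTIFICATE",
    "resourceIdentifier": {"issuerCertificateIdentifier": {
        "issuerCertificateSubject": "CN=Example Intermediate CA",
        "issuerId": "issuer-placeholder",
        "issuerCertificateSerialNumber": "01"}},
    "additionalInfo": {}}]
FINDING_ID = "finding-placeholder"


if __name__ == "__main__":
    client = FakeIotClient({FINDING_ID: SAMPLE_RELATED})
    certs = device_certificates_for_finding(client, FINDING_ID, page_size=5)
    print(f"{len(certs)} device certificates collected over {client.calls} pages")
    print(count_by_type(client, FINDING_ID, page_size=5))
```

With a page size of 5 the twelve sample resources come back in three pages, and the collector returns all eleven device certificates; the same functions work unchanged against a real client from `boto3.client("iot")`.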

See also: AWS API Documentation

Request Syntax

client.list_related_resources_for_audit_finding(
    findingId='string',
    nextToken='string',
    maxResults=123
)
type findingId

string

param findingId

[REQUIRED]

The finding Id.

type nextToken

string

param nextToken

A token that can be used to retrieve the next set of results, or null if there are no additional results.

type maxResults

integer

param maxResults

The maximum number of results to return at one time.

rtype

dict

returns

Response Syntax

{
    'relatedResources': [
        {
            'resourceType': 'DEVICE_CERTIFICATE'|'CA_CERTIFICATE'|'IOT_POLICY'|'COGNITO_IDENTITY_POOL'|'CLIENT_ID'|'ACCOUNT_SETTINGS'|'ROLE_ALIAS'|'IAM_ROLE'|'ISSUER_CERTIFICATE',
            'resourceIdentifier': {
                'deviceCertificateId': 'string',
                'caCertificateId': 'string',
                'cognitoIdentityPoolId': 'string',
                'clientId': 'string',
                'policyVersionIdentifier': {
                    'policyName': 'string',
                    'policyVersionId': 'string'
                },
                'account': 'string',
                'iamRoleArn': 'string',
                'roleAliasArn': 'string',
                'issuerCertificateIdentifier': {
                    'issuerCertificateSubject': 'string',
                    'issuerId': 'string',
                    'issuerCertificateSerialNumber': 'string'
                },
                'deviceCertificateArn': 'string'
            },
            'additionalInfo': {
                'string': 'string'
            }
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • relatedResources (list) --

      The related resources.

      • (dict) --

        Information about a related resource.

        • resourceType (string) --

          The type of resource.

        • resourceIdentifier (dict) --

          Information that identifies the resource.

          • deviceCertificateId (string) --

            The ID of the certificate attached to the resource.

          • caCertificateId (string) --

            The ID of the CA certificate used to authorize the certificate.

          • cognitoIdentityPoolId (string) --

            The ID of the Amazon Cognito identity pool.

          • clientId (string) --

            The client ID.

          • policyVersionIdentifier (dict) --

            The version of the policy associated with the resource.

            • policyName (string) --

              The name of the policy.

            • policyVersionId (string) --

              The ID of the version of the policy associated with the resource.

          • account (string) --

            The account with which the resource is associated.

          • iamRoleArn (string) --

            The ARN of the IAM role that has overly permissive actions.

          • roleAliasArn (string) --

            The ARN of the role alias that has overly permissive actions.

          • issuerCertificateIdentifier (dict) --

            The issuer certificate identifier.

            • issuerCertificateSubject (string) --

              The subject of the issuer certificate.

            • issuerId (string) --

              The issuer ID.

            • issuerCertificateSerialNumber (string) --

              The issuer certificate serial number.

          • deviceCertificateArn (string) --

            The ARN of the identified device certificate.

        • additionalInfo (dict) --

          Other information about the resource.

          • (string) --

            • (string) --

    • nextToken (string) --

      A token that can be used to retrieve the next set of results, or null for the first API call.

CreateAuditSuppression (updated)
Changes (request)
{'resourceIdentifier': {'deviceCertificateArn': 'string',
                        'issuerCertificateIdentifier': {'issuerCertificateSerialNumber': 'string',
                                                        'issuerCertificateSubject': 'string',
                                                        'issuerId': 'string'}}}

Creates a Device Defender audit suppression.

Requires permission to access the CreateAuditSuppression action.

See also: AWS API Documentation

Request Syntax

client.create_audit_suppression(
    checkName='string',
    resourceIdentifier={
        'deviceCertificateId': 'string',
        'caCertificateId': 'string',
        'cognitoIdentityPoolId': 'string',
        'clientId': 'string',
        'policyVersionIdentifier': {
            'policyName': 'string',
            'policyVersionId': 'string'
        },
        'account': 'string',
        'iamRoleArn': 'string',
        'roleAliasArn': 'string',
        'issuerCertificateIdentifier': {
            'issuerCertificateSubject': 'string',
            'issuerId': 'string',
            'issuerCertificateSerialNumber': 'string'
        },
        'deviceCertificateArn': 'string'
    },
    expirationDate=datetime(2015, 1, 1),
    suppressIndefinitely=True|False,
    description='string',
    clientRequestToken='string'
)
type checkName

string

param checkName

[REQUIRED]

An audit check name. Checks must be enabled for your account. (Use DescribeAccountAuditConfiguration to see the list of all checks, including those that are enabled or use UpdateAccountAuditConfiguration to select which checks are enabled.)

type resourceIdentifier

dict

param resourceIdentifier

[REQUIRED]

Information that identifies the noncompliant resource.

  • deviceCertificateId (string) --

    The ID of the certificate attached to the resource.

  • caCertificateId (string) --

    The ID of the CA certificate used to authorize the certificate.

  • cognitoIdentityPoolId (string) --

    The ID of the Amazon Cognito identity pool.

  • clientId (string) --

    The client ID.

  • policyVersionIdentifier (dict) --

    The version of the policy associated with the resource.

    • policyName (string) --

      The name of the policy.

    • policyVersionId (string) --

      The ID of the version of the policy associated with the resource.

  • account (string) --

    The account with which the resource is associated.

  • iamRoleArn (string) --

    The ARN of the IAM role that has overly permissive actions.

  • roleAliasArn (string) --

    The ARN of the role alias that has overly permissive actions.

  • issuerCertificateIdentifier (dict) --

    The issuer certificate identifier.

    • issuerCertificateSubject (string) --

      The subject of the issuer certificate.

    • issuerId (string) --

      The issuer ID.

    • issuerCertificateSerialNumber (string) --

      The issuer certificate serial number.

  • deviceCertificateArn (string) --

    The ARN of the identified device certificate.

type expirationDate

datetime

param expirationDate

The epoch timestamp in seconds at which this suppression expires.

type suppressIndefinitely

boolean

param suppressIndefinitely

Indicates whether a suppression should exist indefinitely or not.

type description

string

param description

The description of the audit suppression.

type clientRequestToken

string

param clientRequestToken

[REQUIRED]

Each audit suppression must have a unique client request token. If you try to create a new audit suppression with the same token as one that already exists, an exception occurs. If you omit this value, Amazon Web Services SDKs will automatically generate a unique client request token.

This field is autopopulated if not provided.

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --

DeleteAuditSuppression (updated)
Changes (request)
{'resourceIdentifier': {'deviceCertificateArn': 'string',
                        'issuerCertificateIdentifier': {'issuerCertificateSerialNumber': 'string',
                                                        'issuerCertificateSubject': 'string',
                                                        'issuerId': 'string'}}}

Deletes a Device Defender audit suppression.

Requires permission to access the DeleteAuditSuppression action.

See also: AWS API Documentation

Request Syntax

client.delete_audit_suppression(
    checkName='string',
    resourceIdentifier={
        'deviceCertificateId': 'string',
        'caCertificateId': 'string',
        'cognitoIdentityPoolId': 'string',
        'clientId': 'string',
        'policyVersionIdentifier': {
            'policyName': 'string',
            'policyVersionId': 'string'
        },
        'account': 'string',
        'iamRoleArn': 'string',
        'roleAliasArn': 'string',
        'issuerCertificateIdentifier': {
            'issuerCertificateSubject': 'string',
            'issuerId': 'string',
            'issuerCertificateSerialNumber': 'string'
        },
        'deviceCertificateArn': 'string'
    }
)
type checkName

string

param checkName

[REQUIRED]

An audit check name. Checks must be enabled for your account. (Use DescribeAccountAuditConfiguration to see the list of all checks, including those that are enabled or use UpdateAccountAuditConfiguration to select which checks are enabled.)

type resourceIdentifier

dict

param resourceIdentifier

[REQUIRED]

Information that identifies the noncompliant resource.

  • deviceCertificateId (string) --

    The ID of the certificate attached to the resource.

  • caCertificateId (string) --

    The ID of the CA certificate used to authorize the certificate.

  • cognitoIdentityPoolId (string) --

    The ID of the Amazon Cognito identity pool.

  • clientId (string) --

    The client ID.

  • policyVersionIdentifier (dict) --

    The version of the policy associated with the resource.

    • policyName (string) --

      The name of the policy.

    • policyVersionId (string) --

      The ID of the version of the policy associated with the resource.

  • account (string) --

    The account with which the resource is associated.

  • iamRoleArn (string) --

    The ARN of the IAM role that has overly permissive actions.

  • roleAliasArn (string) --

    The ARN of the role alias that has overly permissive actions.

  • issuerCertificateIdentifier (dict) --

    The issuer certificate identifier.

    • issuerCertificateSubject (string) --

      The subject of the issuer certificate.

    • issuerId (string) --

      The issuer ID.

    • issuerCertificateSerialNumber (string) --

      The issuer certificate serial number.

  • deviceCertificateArn (string) --

    The ARN of the identified device certificate.

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --

DescribeAuditFinding (updated)
Changes (response)
{'finding': {'nonCompliantResource': {'resourceIdentifier': {'deviceCertificateArn': 'string',
                                                             'issuerCertificateIdentifier': {'issuerCertificateSerialNumber': 'string',
                                                                                             'issuerCertificateSubject': 'string',
                                                                                             'issuerId': 'string'}},
                                      'resourceType': {'ISSUER_CERTIFICATE'}},
             'relatedResources': {'resourceIdentifier': {'deviceCertificateArn': 'string',
                                                         'issuerCertificateIdentifier': {'issuerCertificateSerialNumber': 'string',
                                                                                         'issuerCertificateSubject': 'string',
                                                                                         'issuerId': 'string'}},
                                  'resourceType': {'ISSUER_CERTIFICATE'}}}}

Gets information about a single audit finding. Properties include the reason for noncompliance, the severity of the issue, and the start time of the audit that returned the finding.

Requires permission to access the DescribeAuditFinding action.

See also: AWS API Documentation

Request Syntax

client.describe_audit_finding(
    findingId='string'
)
type findingId

string

param findingId

[REQUIRED]

A unique identifier for a single audit finding. You can use this identifier to apply mitigation actions to the finding.

rtype

dict

returns

Response Syntax

{
    'finding': {
        'findingId': 'string',
        'taskId': 'string',
        'checkName': 'string',
        'taskStartTime': datetime(2015, 1, 1),
        'findingTime': datetime(2015, 1, 1),
        'severity': 'CRITICAL'|'HIGH'|'MEDIUM'|'LOW',
        'nonCompliantResource': {
            'resourceType': 'DEVICE_CERTIFICATE'|'CA_CERTIFICATE'|'IOT_POLICY'|'COGNITO_IDENTITY_POOL'|'CLIENT_ID'|'ACCOUNT_SETTINGS'|'ROLE_ALIAS'|'IAM_ROLE'|'ISSUER_CERTIFICATE',
            'resourceIdentifier': {
                'deviceCertificateId': 'string',
                'caCertificateId': 'string',
                'cognitoIdentityPoolId': 'string',
                'clientId': 'string',
                'policyVersionIdentifier': {
                    'policyName': 'string',
                    'policyVersionId': 'string'
                },
                'account': 'string',
                'iamRoleArn': 'string',
                'roleAliasArn': 'string',
                'issuerCertificateIdentifier': {
                    'issuerCertificateSubject': 'string',
                    'issuerId': 'string',
                    'issuerCertificateSerialNumber': 'string'
                },
                'deviceCertificateArn': 'string'
            },
            'additionalInfo': {
                'string': 'string'
            }
        },
        'relatedResources': [
            {
                'resourceType': 'DEVICE_CERTIFICATE'|'CA_CERTIFICATE'|'IOT_POLICY'|'COGNITO_IDENTITY_POOL'|'CLIENT_ID'|'ACCOUNT_SETTINGS'|'ROLE_ALIAS'|'IAM_ROLE'|'ISSUER_CERTIFICATE',
                'resourceIdentifier': {
                    'deviceCertificateId': 'string',
                    'caCertificateId': 'string',
                    'cognitoIdentityPoolId': 'string',
                    'clientId': 'string',
                    'policyVersionIdentifier': {
                        'policyName': 'string',
                        'policyVersionId': 'string'
                    },
                    'account': 'string',
                    'iamRoleArn': 'string',
                    'roleAliasArn': 'string',
                    'issuerCertificateIdentifier': {
                        'issuerCertificateSubject': 'string',
                        'issuerId': 'string',
                        'issuerCertificateSerialNumber': 'string'
                    },
                    'deviceCertificateArn': 'string'
                },
                'additionalInfo': {
                    'string': 'string'
                }
            },
        ],
        'reasonForNonCompliance': 'string',
        'reasonForNonComplianceCode': 'string',
        'isSuppressed': True|False
    }
}

Response Structure

  • (dict) --

    • finding (dict) --

      The findings (results) of the audit.

      • findingId (string) --

        A unique identifier for this set of audit findings. This identifier is used to apply mitigation tasks to one or more sets of findings.

      • taskId (string) --

        The ID of the audit that generated this result (finding).

      • checkName (string) --

        The audit check that generated this result.

      • taskStartTime (datetime) --

        The time the audit started.

      • findingTime (datetime) --

        The time the result (finding) was discovered.

      • severity (string) --

        The severity of the result (finding).

      • nonCompliantResource (dict) --

        The resource that was found to be noncompliant with the audit check.

        • resourceType (string) --

          The type of the noncompliant resource.

        • resourceIdentifier (dict) --

          Information that identifies the noncompliant resource.

          • deviceCertificateId (string) --

            The ID of the certificate attached to the resource.

          • caCertificateId (string) --

            The ID of the CA certificate used to authorize the certificate.

          • cognitoIdentityPoolId (string) --

            The ID of the Amazon Cognito identity pool.

          • clientId (string) --

            The client ID.

          • policyVersionIdentifier (dict) --

            The version of the policy associated with the resource.

            • policyName (string) --

              The name of the policy.

            • policyVersionId (string) --

              The ID of the version of the policy associated with the resource.

          • account (string) --

            The account with which the resource is associated.

          • iamRoleArn (string) --

            The ARN of the IAM role that has overly permissive actions.

          • roleAliasArn (string) --

            The ARN of the role alias that has overly permissive actions.

          • issuerCertificateIdentifier (dict) --

            The issuer certificate identifier.

            • issuerCertificateSubject (string) --

              The subject of the issuer certificate.

            • issuerId (string) --

              The issuer ID.

            • issuerCertificateSerialNumber (string) --

              The issuer certificate serial number.

          • deviceCertificateArn (string) --

            The ARN of the identified device certificate.

        • additionalInfo (dict) --

          Other information about the noncompliant resource.

          • (string) --

            • (string) --

      • relatedResources (list) --

        The list of related resources.

        • (dict) --

          Information about a related resource.

          • resourceType (string) --

            The type of resource.

          • resourceIdentifier (dict) --

            Information that identifies the resource.

            • deviceCertificateId (string) --

              The ID of the certificate attached to the resource.

            • caCertificateId (string) --

              The ID of the CA certificate used to authorize the certificate.

            • cognitoIdentityPoolId (string) --

              The ID of the Amazon Cognito identity pool.

            • clientId (string) --

              The client ID.

            • policyVersionIdentifier (dict) --

              The version of the policy associated with the resource.

              • policyName (string) --

                The name of the policy.

              • policyVersionId (string) --

                The ID of the version of the policy associated with the resource.

            • account (string) --

              The account with which the resource is associated.

            • iamRoleArn (string) --

              The ARN of the IAM role that has overly permissive actions.

            • roleAliasArn (string) --

              The ARN of the role alias that has overly permissive actions.

            • issuerCertificateIdentifier (dict) --

              The issuer certificate identifier.

              • issuerCertificateSubject (string) --

                The subject of the issuer certificate.

              • issuerId (string) --

                The issuer ID.

              • issuerCertificateSerialNumber (string) --

                The issuer certificate serial number.

            • deviceCertificateArn (string) --

              The ARN of the identified device certificate.

          • additionalInfo (dict) --

            Other information about the resource.

            • (string) --

              • (string) --

      • reasonForNonCompliance (string) --

        The reason the resource was noncompliant.

      • reasonForNonComplianceCode (string) --

        A code that indicates the reason that the resource was noncompliant.

      • isSuppressed (boolean) --

        Indicates whether the audit finding was suppressed or not during reporting.

DescribeAuditSuppression (updated)
Changes (both)
{'resourceIdentifier': {'deviceCertificateArn': 'string',
                        'issuerCertificateIdentifier': {'issuerCertificateSerialNumber': 'string',
                                                        'issuerCertificateSubject': 'string',
                                                        'issuerId': 'string'}}}

Gets information about a Device Defender audit suppression.

See also: AWS API Documentation

Request Syntax

client.describe_audit_suppression(
    checkName='string',
    resourceIdentifier={
        'deviceCertificateId': 'string',
        'caCertificateId': 'string',
        'cognitoIdentityPoolId': 'string',
        'clientId': 'string',
        'policyVersionIdentifier': {
            'policyName': 'string',
            'policyVersionId': 'string'
        },
        'account': 'string',
        'iamRoleArn': 'string',
        'roleAliasArn': 'string',
        'issuerCertificateIdentifier': {
            'issuerCertificateSubject': 'string',
            'issuerId': 'string',
            'issuerCertificateSerialNumber': 'string'
        },
        'deviceCertificateArn': 'string'
    }
)
type checkName

string

param checkName

[REQUIRED]

An audit check name. Checks must be enabled for your account. (Use DescribeAccountAuditConfiguration to see the list of all checks, including those that are enabled or use UpdateAccountAuditConfiguration to select which checks are enabled.)

type resourceIdentifier

dict

param resourceIdentifier

[REQUIRED]

Information that identifies the noncompliant resource.

  • deviceCertificateId (string) --

    The ID of the certificate attached to the resource.

  • caCertificateId (string) --

    The ID of the CA certificate used to authorize the certificate.

  • cognitoIdentityPoolId (string) --

    The ID of the Amazon Cognito identity pool.

  • clientId (string) --

    The client ID.

  • policyVersionIdentifier (dict) --

    The version of the policy associated with the resource.

    • policyName (string) --

      The name of the policy.

    • policyVersionId (string) --

      The ID of the version of the policy associated with the resource.

  • account (string) --

    The account with which the resource is associated.

  • iamRoleArn (string) --

    The ARN of the IAM role that has overly permissive actions.

  • roleAliasArn (string) --

    The ARN of the role alias that has overly permissive actions.

  • issuerCertificateIdentifier (dict) --

    The issuer certificate identifier.

    • issuerCertificateSubject (string) --

      The subject of the issuer certificate.

    • issuerId (string) --

      The issuer ID.

    • issuerCertificateSerialNumber (string) --

      The issuer certificate serial number.

  • deviceCertificateArn (string) --

    The ARN of the identified device certificate.

rtype

dict

returns

Response Syntax

{
    'checkName': 'string',
    'resourceIdentifier': {
        'deviceCertificateId': 'string',
        'caCertificateId': 'string',
        'cognitoIdentityPoolId': 'string',
        'clientId': 'string',
        'policyVersionIdentifier': {
            'policyName': 'string',
            'policyVersionId': 'string'
        },
        'account': 'string',
        'iamRoleArn': 'string',
        'roleAliasArn': 'string',
        'issuerCertificateIdentifier': {
            'issuerCertificateSubject': 'string',
            'issuerId': 'string',
            'issuerCertificateSerialNumber': 'string'
        },
        'deviceCertificateArn': 'string'
    },
    'expirationDate': datetime(2015, 1, 1),
    'suppressIndefinitely': True|False,
    'description': 'string'
}

Response Structure

  • (dict) --

    • checkName (string) --

      An audit check name. Checks must be enabled for your account. (Use DescribeAccountAuditConfiguration to see the list of all checks, including those that are enabled or use UpdateAccountAuditConfiguration to select which checks are enabled.)

    • resourceIdentifier (dict) --

      Information that identifies the noncompliant resource.

      • deviceCertificateId (string) --

        The ID of the certificate attached to the resource.

      • caCertificateId (string) --

        The ID of the CA certificate used to authorize the certificate.

      • cognitoIdentityPoolId (string) --

        The ID of the Amazon Cognito identity pool.

      • clientId (string) --

        The client ID.

      • policyVersionIdentifier (dict) --

        The version of the policy associated with the resource.

        • policyName (string) --

          The name of the policy.

        • policyVersionId (string) --

          The ID of the version of the policy associated with the resource.

      • account (string) --

        The account with which the resource is associated.

      • iamRoleArn (string) --

        The ARN of the IAM role that has overly permissive actions.

      • roleAliasArn (string) --

        The ARN of the role alias that has overly permissive actions.

      • issuerCertificateIdentifier (dict) --

        The issuer certificate identifier.

        • issuerCertificateSubject (string) --

          The subject of the issuer certificate.

        • issuerId (string) --

          The issuer ID.

        • issuerCertificateSerialNumber (string) --

          The issuer certificate serial number.

      • deviceCertificateArn (string) --

        The ARN of the identified device certificate.

    • expirationDate (datetime) --

      The epoch timestamp in seconds at which this suppression expires.

    • suppressIndefinitely (boolean) --

      Indicates whether a suppression should exist indefinitely or not.

    • description (string) --

      The description of the audit suppression.

ListAuditFindings (updated)
Changes (request, response)
Request
{'resourceIdentifier': {'deviceCertificateArn': 'string',
                        'issuerCertificateIdentifier': {'issuerCertificateSerialNumber': 'string',
                                                        'issuerCertificateSubject': 'string',
                                                        'issuerId': 'string'}}}
Response
{'findings': {'nonCompliantResource': {'resourceIdentifier': {'deviceCertificateArn': 'string',
                                                              'issuerCertificateIdentifier': {'issuerCertificateSerialNumber': 'string',
                                                                                              'issuerCertificateSubject': 'string',
                                                                                              'issuerId': 'string'}},
                                       'resourceType': {'ISSUER_CERTIFICATE'}},
              'relatedResources': {'resourceIdentifier': {'deviceCertificateArn': 'string',
                                                          'issuerCertificateIdentifier': {'issuerCertificateSerialNumber': 'string',
                                                                                          'issuerCertificateSubject': 'string',
                                                                                          'issuerId': 'string'}},
                                   'resourceType': {'ISSUER_CERTIFICATE'}}}}

Lists the findings (results) of a Device Defender audit or of the audits performed during a specified time period. (Findings are retained for 90 days.)

Requires permission to access the ListAuditFindings action.

See also: AWS API Documentation

Request Syntax

client.list_audit_findings(
    taskId='string',
    checkName='string',
    resourceIdentifier={
        'deviceCertificateId': 'string',
        'caCertificateId': 'string',
        'cognitoIdentityPoolId': 'string',
        'clientId': 'string',
        'policyVersionIdentifier': {
            'policyName': 'string',
            'policyVersionId': 'string'
        },
        'account': 'string',
        'iamRoleArn': 'string',
        'roleAliasArn': 'string',
        'issuerCertificateIdentifier': {
            'issuerCertificateSubject': 'string',
            'issuerId': 'string',
            'issuerCertificateSerialNumber': 'string'
        },
        'deviceCertificateArn': 'string'
    },
    maxResults=123,
    nextToken='string',
    startTime=datetime(2015, 1, 1),
    endTime=datetime(2015, 1, 1),
    listSuppressedFindings=True|False
)
type taskId

string

param taskId

A filter to limit results to the audit with the specified ID. You must specify either the taskId or the startTime and endTime, but not both.

type checkName

string

param checkName

A filter to limit results to the findings for the specified audit check.

type resourceIdentifier

dict

param resourceIdentifier

Information identifying the noncompliant resource.

  • deviceCertificateId (string) --

    The ID of the certificate attached to the resource.

  • caCertificateId (string) --

    The ID of the CA certificate used to authorize the certificate.

  • cognitoIdentityPoolId (string) --

    The ID of the Amazon Cognito identity pool.

  • clientId (string) --

    The client ID.

  • policyVersionIdentifier (dict) --

    The version of the policy associated with the resource.

    • policyName (string) --

      The name of the policy.

    • policyVersionId (string) --

      The ID of the version of the policy associated with the resource.

  • account (string) --

    The account with which the resource is associated.

  • iamRoleArn (string) --

    The ARN of the IAM role that has overly permissive actions.

  • roleAliasArn (string) --

    The ARN of the role alias that has overly permissive actions.

  • issuerCertificateIdentifier (dict) --

    The issuer certificate identifier.

    • issuerCertificateSubject (string) --

      The subject of the issuer certificate.

    • issuerId (string) --

      The issuer ID.

    • issuerCertificateSerialNumber (string) --

      The issuer certificate serial number.

  • deviceCertificateArn (string) --

    The ARN of the identified device certificate.

type maxResults

integer

param maxResults

The maximum number of results to return at one time. The default is 25.

type nextToken

string

param nextToken

The token for the next set of results.

type startTime

datetime

param startTime

A filter to limit results to those found after the specified time. You must specify either the startTime and endTime or the taskId, but not both.

type endTime

datetime

param endTime

A filter to limit results to those found before the specified time. You must specify either the startTime and endTime or the taskId, but not both.

type listSuppressedFindings

boolean

param listSuppressedFindings

Boolean flag indicating whether only the suppressed findings or the unsuppressed findings should be listed. If this parameter isn't provided, the response will list both suppressed and unsuppressed findings.
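The helper below is an added example, not code from the changelog or from boto3. It builds a ListAuditFindings request that honours the constraints stated in the parameter descriptions above (taskId or a startTime/endTime window, never both, and the two times always together), pages through the findings, and keeps those whose noncompliant resource is an ISSUER_CERTIFICATE, the resource type this release introduces. FakeIotClient is a constructed stand-in for the boto3 IoT client so the example runs offline; finding, task and issuer identifiers in the sample data are placeholders, and the check name is a placeholder rather than a real audit check.

```python
"""ListAuditFindings request builder and pager (added example, not from
the page or boto3). FakeIotClient is a constructed stand-in."""

from datetime import datetime, timedelta, timezone
from typing import Iterator, List, Optional, Tuple


def findings_request(task_id: Optional[str] = None,
                     start_time: Optional[datetime] = None,
                     end_time: Optional[datetime] = None,
                     check_name: Optional[str] = None,
                     list_suppressed: Optional[bool] = None,
                     max_results: int = 25) -> dict:
    """Keyword arguments for list_audit_findings, enforcing the documented
    rule: either taskId or both startTime and endTime, not both."""
    if (start_time is None) != (end_time is None):
        raise ValueError("startTime and endTime must be given together")
    if (task_id is not None) == (start_time is not None):
        raise ValueError("specify either taskId or a startTime/endTime window, not both")
    req = {"maxResults": max_results}
    if task_id is not None:
        req["taskId"] = task_id
    else:
        if end_time <= start_time:
            raise ValueError("endTime must be after startTime")
        req["startTime"], req["endTime"] = start_time, end_time
    if check_name is not None:
        req["checkName"] = check_name
    if list_suppressed is not None:
        req["listSuppressedFindings"] = list_suppressed
    return req


def request_is_valid(**kwargs) -> bool:
    """True when findings_request accepts the combination of filters."""
    try:
        findings_request(**kwargs)
        return True
    except ValueError:
        return False


def iter_findings(client, request: dict) -> Iterator[dict]:
    """Yield every finding, following nextToken until the service omits it."""
    kwargs = dict(request)
    while True:
        resp = client.list_audit_findings(**kwargs)
        yield from resp.get("findings", [])
        token = resp.get("nextToken")
        if not token:
            return
        kwargs["nextToken"] = token


def issuer_certificate_findings(client, request: dict) -> List[Tuple[str, str, str]]:
    """(findingId, severity, issuerId) for findings on an ISSUER_CERTIFICATE."""
    out = []
    for f in iter_findings(client, request):
        res = f.get("nonCompliantResource", {})
        if res.get("resourceType") != "ISSUER_CERTIFICATE":
            continue
        issuer = res.get("resourceIdentifier", {}).get("issuerCertificateIdentifier", {})
        out.append((f["findingId"], f["severity"], issuer.get("issuerId", "")))
    return out


class FakeIotClient:
    """Constructed stand-in for boto3's IoT client: pages a fixed list of
    findings by maxResults and records every request it receives."""

    def __init__(self, findings: List[dict]) -> None:
        self._findings = findings
        self.requests: List[dict] = []

    def list_audit_findings(self, **kwargs) -> dict:
        self.requests.append(kwargs)
        start = int(kwargs.get("nextToken", 0))
        end = start + kwargs.get("maxResults", 25)
        resp = {"findings": self._findings[start:end]}
        if end < len(self._findings):
            resp["nextToken"] = str(end)
        return resp


def _finding(fid: str, rtype: str, severity: str, ident: dict) -> dict:
    return {"findingId": fid, "taskId": "task-placeholder", "checkName": "CHECK_PLACEHOLDER",
            "severity": severity, "isSuppressed": False, "relatedResources": [],
            "nonCompliantResource": {"resourceType": rtype, "resourceIdentifier": ident,
                                     "additionalInfo": {}}}


def _issuer(issuer_id: str) -> dict:
    return {"issuerCertificateIdentifier": {"issuerId": issuer_id,
                                            "issuerCertificateSubject": f"CN={issuer_id}",
                                            "issuerCertificateSerialNumber": "01"}}


# Constructed sample: placeholder findings, not real AWS data.
SAMPLE_FINDINGS = [
    _finding("f-01", "ISSUER_CERTIFICATE", "CRITICAL", _issuer("issuer-a")),
    _finding("f-02", "DEVICE_CERTIFICATE", "HIGH", {"deviceCertificateId": "devcert-placeholder"}),
    _finding("f-03", "ISSUER_CERTIFICATE", "CRITICAL", _issuer("issuer-b")),
]
WINDOW_END = datetime(2022, 11, 11, tzinfo=timezone.utc)
WINDOW_START = WINDOW_END - timedelta(days=7)


if __name__ == "__main__":
    client = FakeIotClient(SAMPLE_FINDINGS)
    req = findings_request(start_time=WINDOW_START, end_time=WINDOW_END, max_results=2)
    for finding_id, severity, issuer_id in issuer_certificate_findings(client, req):
        print(finding_id, severity, issuer_id)
    print(f"{len(client.requests)} pages requested")
```

With maxResults=2 the three sample findings arrive in two pages, the second request carrying the token from the first; a request that combines taskId with a time window is rejected before it reaches the service.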

rtype

dict

returns

Response Syntax

{
    'findings': [
        {
            'findingId': 'string',
            'taskId': 'string',
            'checkName': 'string',
            'taskStartTime': datetime(2015, 1, 1),
            'findingTime': datetime(2015, 1, 1),
            'severity': 'CRITICAL'|'HIGH'|'MEDIUM'|'LOW',
            'nonCompliantResource': {
                'resourceType': 'DEVICE_CERTIFICATE'|'CA_CERTIFICATE'|'IOT_POLICY'|'COGNITO_IDENTITY_POOL'|'CLIENT_ID'|'ACCOUNT_SETTINGS'|'ROLE_ALIAS'|'IAM_ROLE'|'ISSUER_CERTIFICATE',
                'resourceIdentifier': {
                    'deviceCertificateId': 'string',
                    'caCertificateId': 'string',
                    'cognitoIdentityPoolId': 'string',
                    'clientId': 'string',
                    'policyVersionIdentifier': {
                        'policyName': 'string',
                        'policyVersionId': 'string'
                    },
                    'account': 'string',
                    'iamRoleArn': 'string',
                    'roleAliasArn': 'string',
                    'issuerCertificateIdentifier': {
                        'issuerCertificateSubject': 'string',
                        'issuerId': 'string',
                        'issuerCertificateSerialNumber': 'string'
                    },
                    'deviceCertificateArn': 'string'
                },
                'additionalInfo': {
                    'string': 'string'
                }
            },
            'relatedResources': [
                {
                    'resourceType': 'DEVICE_CERTIFICATE'|'CA_CERTIFICATE'|'IOT_POLICY'|'COGNITO_IDENTITY_POOL'|'CLIENT_ID'|'ACCOUNT_SETTINGS'|'ROLE_ALIAS'|'IAM_ROLE'|'ISSUER_CERTIFICATE',
                    'resourceIdentifier': {
                        'deviceCertificateId': 'string',
                        'caCertificateId': 'string',
                        'cognitoIdentityPoolId': 'string',
                        'clientId': 'string',
                        'policyVersionIdentifier': {
                            'policyName': 'string',
                            'policyVersionId': 'string'
                        },
                        'account': 'string',
                        'iamRoleArn': 'string',
                        'roleAliasArn': 'string',
                        'issuerCertificateIdentifier': {
                            'issuerCertificateSubject': 'string',
                            'issuerId': 'string',
                            'issuerCertificateSerialNumber': 'string'
                        },
                        'deviceCertificateArn': 'string'
                    },
                    'additionalInfo': {
                        'string': 'string'
                    }
                },
            ],
            'reasonForNonCompliance': 'string',
            'reasonForNonComplianceCode': 'string',
            'isSuppressed': True|False
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • findings (list) --

      The findings (results) of the audit.

      • (dict) --

        The findings (results) of the audit.

        • findingId (string) --

          A unique identifier for this set of audit findings. This identifier is used to apply mitigation tasks to one or more sets of findings.

        • taskId (string) --

          The ID of the audit that generated this result (finding).

        • checkName (string) --

          The audit check that generated this result.

        • taskStartTime (datetime) --

          The time the audit started.

        • findingTime (datetime) --

          The time the result (finding) was discovered.

        • severity (string) --

          The severity of the result (finding).

        • nonCompliantResource (dict) --

          The resource that was found to be noncompliant with the audit check.

          • resourceType (string) --

            The type of the noncompliant resource.

          • resourceIdentifier (dict) --

            Information that identifies the noncompliant resource.

            • deviceCertificateId (string) --

              The ID of the certificate attached to the resource.

            • caCertificateId (string) --

              The ID of the CA certificate used to authorize the certificate.

            • cognitoIdentityPoolId (string) --

              The ID of the Amazon Cognito identity pool.

            • clientId (string) --

              The client ID.

            • policyVersionIdentifier (dict) --

              The version of the policy associated with the resource.

              • policyName (string) --

                The name of the policy.

              • policyVersionId (string) --

                The ID of the version of the policy associated with the resource.

            • account (string) --

              The account with which the resource is associated.

            • iamRoleArn (string) --

              The ARN of the IAM role that has overly permissive actions.

            • roleAliasArn (string) --

              The ARN of the role alias that has overly permissive actions.

            • issuerCertificateIdentifier (dict) --

              The issuer certificate identifier.

              • issuerCertificateSubject (string) --

                The subject of the issuer certificate.

              • issuerId (string) --

                The issuer ID.

              • issuerCertificateSerialNumber (string) --

                The issuer certificate serial number.

            • deviceCertificateArn (string) --

              The ARN of the identified device certificate.

          • additionalInfo (dict) --

            Other information about the noncompliant resource.

            • (string) --

              • (string) --

        • relatedResources (list) --

          The list of related resources.

          • (dict) --

            Information about a related resource.

            • resourceType (string) --

              The type of resource.

            • resourceIdentifier (dict) --

              Information that identifies the resource.

              • deviceCertificateId (string) --

                The ID of the certificate attached to the resource.

              • caCertificateId (string) --

                The ID of the CA certificate used to authorize the certificate.

              • cognitoIdentityPoolId (string) --

                The ID of the Amazon Cognito identity pool.

              • clientId (string) --

                The client ID.

              • policyVersionIdentifier (dict) --

                The version of the policy associated with the resource.

                • policyName (string) --

                  The name of the policy.

                • policyVersionId (string) --

                  The ID of the version of the policy associated with the resource.

              • account (string) --

                The account with which the resource is associated.

              • iamRoleArn (string) --

                The ARN of the IAM role that has overly permissive actions.

              • roleAliasArn (string) --

                The ARN of the role alias that has overly permissive actions.

              • issuerCertificateIdentifier (dict) --

                The issuer certificate identifier.

                • issuerCertificateSubject (string) --

                  The subject of the issuer certificate.

                • issuerId (string) --

                  The issuer ID.

                • issuerCertificateSerialNumber (string) --

                  The issuer certificate serial number.

              • deviceCertificateArn (string) --

                The ARN of the identified device certificate.

            • additionalInfo (dict) --

              Other information about the resource.

              • (string) --

                • (string) --

        • reasonForNonCompliance (string) --

          The reason the resource was noncompliant.

        • reasonForNonComplianceCode (string) --

          A code that indicates the reason that the resource was noncompliant.

        • isSuppressed (boolean) --

          Indicates whether the audit finding was suppressed or not during reporting.

    • nextToken (string) --

      A token that can be used to retrieve the next set of results, or null if there are no additional results.

ListAuditSuppressions (updated) Link ¶
Changes (request, response)
Request
{'resourceIdentifier': {'deviceCertificateArn': 'string',
                        'issuerCertificateIdentifier': {'issuerCertificateSerialNumber': 'string',
                                                        'issuerCertificateSubject': 'string',
                                                        'issuerId': 'string'}}}
Response
{'suppressions': {'resourceIdentifier': {'deviceCertificateArn': 'string',
                                         'issuerCertificateIdentifier': {'issuerCertificateSerialNumber': 'string',
                                                                         'issuerCertificateSubject': 'string',
                                                                         'issuerId': 'string'}}}}

Lists your Device Defender audit suppressions.

Requires permission to access the ListAuditSuppressions action.

See also: AWS API Documentation

Request Syntax

client.list_audit_suppressions(
    checkName='string',
    resourceIdentifier={
        'deviceCertificateId': 'string',
        'caCertificateId': 'string',
        'cognitoIdentityPoolId': 'string',
        'clientId': 'string',
        'policyVersionIdentifier': {
            'policyName': 'string',
            'policyVersionId': 'string'
        },
        'account': 'string',
        'iamRoleArn': 'string',
        'roleAliasArn': 'string',
        'issuerCertificateIdentifier': {
            'issuerCertificateSubject': 'string',
            'issuerId': 'string',
            'issuerCertificateSerialNumber': 'string'
        },
        'deviceCertificateArn': 'string'
    },
    ascendingOrder=True|False,
    nextToken='string',
    maxResults=123
)
type checkName

string

param checkName

An audit check name. Checks must be enabled for your account. (Use DescribeAccountAuditConfiguration to see the list of all checks, including those that are enabled, or use UpdateAccountAuditConfiguration to select which checks are enabled.)

type resourceIdentifier

dict

param resourceIdentifier

Information that identifies the noncompliant resource.

  • deviceCertificateId (string) --

    The ID of the certificate attached to the resource.

  • caCertificateId (string) --

    The ID of the CA certificate used to authorize the certificate.

  • cognitoIdentityPoolId (string) --

    The ID of the Amazon Cognito identity pool.

  • clientId (string) --

    The client ID.

  • policyVersionIdentifier (dict) --

    The version of the policy associated with the resource.

    • policyName (string) --

      The name of the policy.

    • policyVersionId (string) --

      The ID of the version of the policy associated with the resource.

  • account (string) --

    The account with which the resource is associated.

  • iamRoleArn (string) --

    The ARN of the IAM role that has overly permissive actions.

  • roleAliasArn (string) --

    The ARN of the role alias that has overly permissive actions.

  • issuerCertificateIdentifier (dict) --

    The issuer certificate identifier.

    • issuerCertificateSubject (string) --

      The subject of the issuer certificate.

    • issuerId (string) --

      The issuer ID.

    • issuerCertificateSerialNumber (string) --

      The issuer certificate serial number.

  • deviceCertificateArn (string) --

    The ARN of the identified device certificate.

type ascendingOrder

boolean

param ascendingOrder

Determines whether suppressions are listed in ascending order by expiration date or not. If this parameter isn't provided, ascendingOrder=true.

type nextToken

string

param nextToken

The token for the next set of results.

type maxResults

integer

param maxResults

The maximum number of results to return at one time. The default is 25.

rtype

dict

returns

Response Syntax

{
    'suppressions': [
        {
            'checkName': 'string',
            'resourceIdentifier': {
                'deviceCertificateId': 'string',
                'caCertificateId': 'string',
                'cognitoIdentityPoolId': 'string',
                'clientId': 'string',
                'policyVersionIdentifier': {
                    'policyName': 'string',
                    'policyVersionId': 'string'
                },
                'account': 'string',
                'iamRoleArn': 'string',
                'roleAliasArn': 'string',
                'issuerCertificateIdentifier': {
                    'issuerCertificateSubject': 'string',
                    'issuerId': 'string',
                    'issuerCertificateSerialNumber': 'string'
                },
                'deviceCertificateArn': 'string'
            },
            'expirationDate': datetime(2015, 1, 1),
            'suppressIndefinitely': True|False,
            'description': 'string'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • suppressions (list) --

      List of audit suppressions.

      • (dict) --

        Filters out specific findings of a Device Defender audit.

        • checkName (string) --

          An audit check name. Checks must be enabled for your account. (Use DescribeAccountAuditConfiguration to see the list of all checks, including those that are enabled, or use UpdateAccountAuditConfiguration to select which checks are enabled.)

        • resourceIdentifier (dict) --

          Information that identifies the noncompliant resource.

          • deviceCertificateId (string) --

            The ID of the certificate attached to the resource.

          • caCertificateId (string) --

            The ID of the CA certificate used to authorize the certificate.

          • cognitoIdentityPoolId (string) --

            The ID of the Amazon Cognito identity pool.

          • clientId (string) --

            The client ID.

          • policyVersionIdentifier (dict) --

            The version of the policy associated with the resource.

            • policyName (string) --

              The name of the policy.

            • policyVersionId (string) --

              The ID of the version of the policy associated with the resource.

          • account (string) --

            The account with which the resource is associated.

          • iamRoleArn (string) --

            The ARN of the IAM role that has overly permissive actions.

          • roleAliasArn (string) --

            The ARN of the role alias that has overly permissive actions.

          • issuerCertificateIdentifier (dict) --

            The issuer certificate identifier.

            • issuerCertificateSubject (string) --

              The subject of the issuer certificate.

            • issuerId (string) --

              The issuer ID.

            • issuerCertificateSerialNumber (string) --

              The issuer certificate serial number.

          • deviceCertificateArn (string) --

            The ARN of the identified device certificate.

        • expirationDate (datetime) --

          The expiration date (epoch timestamp in seconds) that you want the suppression to adhere to.

        • suppressIndefinitely (boolean) --

          Indicates whether a suppression should exist indefinitely or not.

        • description (string) --

          The description of the audit suppression.

    • nextToken (string) --

      A token that can be used to retrieve the next set of results, or null if there are no additional results.

UpdateAuditSuppression (updated) Link ¶
Changes (request)
{'resourceIdentifier': {'deviceCertificateArn': 'string',
                        'issuerCertificateIdentifier': {'issuerCertificateSerialNumber': 'string',
                                                        'issuerCertificateSubject': 'string',
                                                        'issuerId': 'string'}}}

Updates a Device Defender audit suppression.

See also: AWS API Documentation

Request Syntax

client.update_audit_suppression(
    checkName='string',
    resourceIdentifier={
        'deviceCertificateId': 'string',
        'caCertificateId': 'string',
        'cognitoIdentityPoolId': 'string',
        'clientId': 'string',
        'policyVersionIdentifier': {
            'policyName': 'string',
            'policyVersionId': 'string'
        },
        'account': 'string',
        'iamRoleArn': 'string',
        'roleAliasArn': 'string',
        'issuerCertificateIdentifier': {
            'issuerCertificateSubject': 'string',
            'issuerId': 'string',
            'issuerCertificateSerialNumber': 'string'
        },
        'deviceCertificateArn': 'string'
    },
    expirationDate=datetime(2015, 1, 1),
    suppressIndefinitely=True|False,
    description='string'
)
type checkName

string

param checkName

[REQUIRED]

An audit check name. Checks must be enabled for your account. (Use DescribeAccountAuditConfiguration to see the list of all checks, including those that are enabled, or use UpdateAccountAuditConfiguration to select which checks are enabled.)

type resourceIdentifier

dict

param resourceIdentifier

[REQUIRED]

Information that identifies the noncompliant resource.

  • deviceCertificateId (string) --

    The ID of the certificate attached to the resource.

  • caCertificateId (string) --

    The ID of the CA certificate used to authorize the certificate.

  • cognitoIdentityPoolId (string) --

    The ID of the Amazon Cognito identity pool.

  • clientId (string) --

    The client ID.

  • policyVersionIdentifier (dict) --

    The version of the policy associated with the resource.

    • policyName (string) --

      The name of the policy.

    • policyVersionId (string) --

      The ID of the version of the policy associated with the resource.

  • account (string) --

    The account with which the resource is associated.

  • iamRoleArn (string) --

    The ARN of the IAM role that has overly permissive actions.

  • roleAliasArn (string) --

    The ARN of the role alias that has overly permissive actions.

  • issuerCertificateIdentifier (dict) --

    The issuer certificate identifier.

    • issuerCertificateSubject (string) --

      The subject of the issuer certificate.

    • issuerId (string) --

      The issuer ID.

    • issuerCertificateSerialNumber (string) --

      The issuer certificate serial number.

  • deviceCertificateArn (string) --

    The ARN of the identified device certificate.

type expirationDate

datetime

param expirationDate

The expiration date (epoch timestamp in seconds) that you want the suppression to adhere to.

type suppressIndefinitely

boolean

param suppressIndefinitely

Indicates whether a suppression should exist indefinitely or not.

type description

string

param description

The description of the audit suppression.

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --
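As an added example (not part of this changelog or of the AWS SDK), the following Python ties the ListAuditFindings response above to the UpdateAuditSuppression request: it enforces the documented startTime/endTime-or-taskId rule, pages through findings via nextToken, picks out unsuppressed ISSUER_CERTIFICATE findings (the resource type added in this release), and builds a suppression request keyed on issuerCertificateIdentifier. The findings, check name, issuer values and the fake_list_audit_findings stand-in are all constructed; against a real account you would pass client.list_audit_findings as fetch_page.

```python
def _finding(fid, rtype, ident, severity, suppressed=False):
    """Constructed finding in the list_audit_findings Response Syntax (values made up)."""
    return {"findingId": fid, "taskId": "task-1", "checkName": "CONSTRUCTED_CA_CHECK",
            "severity": severity, "isSuppressed": suppressed,
            "nonCompliantResource": {"resourceType": rtype, "resourceIdentifier": ident}}

ISSUER_A = {"issuerCertificateSubject": "CN=Example Intermediate CA",
            "issuerId": "issuer-a", "issuerCertificateSerialNumber": "0A1B"}
ISSUER_B = {"issuerCertificateSubject": "CN=Old Intermediate CA",
            "issuerId": "issuer-b", "issuerCertificateSerialNumber": "FF01"}
POLICY = {"policyVersionIdentifier": {"policyName": "AllowAll", "policyVersionId": "1"}}
SAMPLE_PAGES = [  # two constructed pages; only the first carries a nextToken
    {"findings": [_finding("f-001", "ISSUER_CERTIFICATE", {"issuerCertificateIdentifier": ISSUER_A}, "CRITICAL"),
                  _finding("f-002", "IOT_POLICY", POLICY, "HIGH")],
     "nextToken": "page-2"},
    {"findings": [_finding("f-003", "ISSUER_CERTIFICATE", {"issuerCertificateIdentifier": ISSUER_B},
                           "CRITICAL", suppressed=True)]},
]

def findings_request(start=None, end=None, task_id=None, suppressed=None):
    """Kwargs for list_audit_findings, enforcing: startTime+endTime or taskId, not both."""
    if task_id is not None and (start is not None or end is not None):
        raise ValueError("specify either startTime/endTime or taskId, not both")
    if task_id is None and (start is None or end is None):
        raise ValueError("without taskId, both startTime and endTime are required")
    kwargs = {"taskId": task_id} if task_id is not None else {"startTime": start, "endTime": end}
    if suppressed is not None:  # omit the flag to list suppressed and unsuppressed together
        kwargs["listSuppressedFindings"] = suppressed
    return kwargs

def iter_findings(fetch_page, **kwargs):
    """Follow nextToken until omitted; fetch_page stands in for client.list_audit_findings."""
    token = None
    while True:
        page = fetch_page(**kwargs, **({"nextToken": token} if token else {}))
        yield from page.get("findings", [])
        token = page.get("nextToken")
        if not token:
            return

def fake_list_audit_findings(**kwargs):
    """Constructed stand-in for the boto3 call; serves SAMPLE_PAGES by token."""
    return SAMPLE_PAGES[1 if kwargs.get("nextToken") == "page-2" else 0]

def open_issuer_certificate_findings(findings):
    """Unsuppressed ISSUER_CERTIFICATE findings keyed by (issuerId, serial): one CA, once."""
    out = {}
    for f in findings:
        res = f["nonCompliantResource"]
        if res["resourceType"] != "ISSUER_CERTIFICATE" or f.get("isSuppressed"):
            continue
        ident = res["resourceIdentifier"]["issuerCertificateIdentifier"]
        out[(ident["issuerId"], ident["issuerCertificateSerialNumber"])] = {
            "findingId": f["findingId"], "severity": f["severity"],
            "checkName": f["checkName"], "identifier": ident}
    return out

def suppression_request(finding, description, expires=None):
    """Kwargs for update_audit_suppression: dated expirationDate if given, else indefinite."""
    req = {"checkName": finding["checkName"], "description": description,
           "resourceIdentifier": {"issuerCertificateIdentifier": finding["identifier"]}}
    req.update({"suppressIndefinitely": True} if expires is None else {"expirationDate": expires})
    return req
```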