AWS CLI Command Reference

[ aws . application-signals ]

list-audit-findings

Description

Returns a list of audit findings that provide automated analysis of service behavior and root cause analysis. These findings help identify the most significant observations about your services, including performance issues, anomalies, and potential problems. The findings are generated using heuristic algorithms based on established troubleshooting patterns.

See also: AWS API Documentation

Synopsis

  list-audit-findings
--start-time <value>
--end-time <value>
[--auditors <value>]
--audit-targets <value>
[--next-token <value>]
[--max-results <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Options

--start-time (timestamp) [required]

The start of the time period to retrieve audit findings for. When used in a raw HTTP Query API, it is formatted as epoch time in seconds. For example, 1698778057

--end-time (timestamp) [required]

The end of the time period to retrieve audit findings for. When used in a raw HTTP Query API, it is formatted as epoch time in seconds. For example, 1698778057

--auditors (list)

A list of auditor names to filter the findings by. Only findings generated by the specified auditors will be returned.

The following auditors are available for configuration:

  • slo - SloAuditor: Identifies SLO violations and detects breached thresholds during the Assessment phase.
  • operation_metric - OperationMetricAuditor: Detects anomalies in service operation metrics from Application Signals RED metrics during the Assessment phase
  • service_quota - ServiceQuotaAuditor: Monitors resource utilization against service quotas during the Assessment phase
  • trace - TraceAuditor: Performs deep-dive analysis of distributed traces, correlating traces with breached SLOs or abnormal RED metrics during the Analysis phase
  • dependency_metric - CriticalPathAuditor: Analyzes service dependency impacts and maps dependency relationships from Application Signals RED metrics during the Analysis phase
  • top_contributor - TopContributorAuditor: Identifies infrastructure-level contributors to issues by analyzing EMF logs of Application Signals RED metrics during the Analysis phase
  • log - LogAuditor: Extracts insights from application logs, categorizing error types and ranking severity by frequency during the Analysis phase

Note

InitAuditor and Summarizer auditors are not configurable as they are automatically triggered during the audit process.

(string)

Syntax:

"string" "string" ...

--audit-targets (list) [required]

A list of audit targets to filter the findings by. You can specify services, SLOs, or service operations to limit the audit findings to specific entities.

Constraints:

  • min: 1
  • max: 10

(structure)

A structure that specifies the target entity for audit analysis, such as a service , SLO , or service_operation .

Type -> (string) [required]

The type of entity being audited, such as Service , SLO , or ServiceOperation .

Data -> (tagged union structure) [required]

The specific data identifying the audit target entity.

Note

This is a Tagged Union structure. Only one of the following top level keys can be set: Service, Slo, ServiceOperation.

Service -> (structure)

Service entity information when the audit target is a service.

Type -> (string)

The type of the service entity.

Name -> (string)

The name of the service.

Environment -> (string)

The environment where the service is deployed.

AwsAccountId -> (string)

The Amazon Web Services account ID where the service is located. Provide this value only for cross-account access.

Slo -> (structure)

SLO entity information when the audit target is a service level objective.

SloName -> (string)

The name of the service level objective.

SloArn -> (string)

The ARN of the service level objective. The SLO must be provided with ARN for cross-account access.

ServiceOperation -> (structure)

Service operation entity information when the audit target is a specific service operation.

Service -> (structure)

The service entity that contains this operation.

Type -> (string)

The type of the service entity.

Name -> (string)

The name of the service.

Environment -> (string)

The environment where the service is deployed.

AwsAccountId -> (string)

The Amazon Web Services account ID where the service is located. Provide this value only for cross-account access.

Operation -> (string)

The name of the operation.

MetricType -> (string)

The type of metric associated with this service operation.

JSON Syntax:

[
  {
    "Type": "string",
    "Data": {
      "Service": {
        "Type": "string",
        "Name": "string",
        "Environment": "string",
        "AwsAccountId": "string"
      },
      "Slo": {
        "SloName": "string",
        "SloArn": "string"
      },
      "ServiceOperation": {
        "Service": {
          "Type": "string",
          "Name": "string",
          "Environment": "string",
          "AwsAccountId": "string"
        },
        "Operation": "string",
        "MetricType": "string"
      }
    }
  }
  ...
]

--next-token (string)

Include this value, if it was returned by the previous operation, to get the next set of audit findings.

--max-results (integer)

The maximum number of audit findings to return in one operation. If you omit this parameter, the default of 10 is used.

Constraints:

  • min: 1
  • max: 10

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command. The generated JSON skeleton is not stable between versions of the AWS CLI and there are no backwards compatibility guarantees in the JSON skeleton generated.

Global Options

--debug (boolean)

Turn on debug logging.

--endpoint-url (string)

Override command’s default URL with the given URL.

--no-verify-ssl (boolean)

By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.

--no-paginate (boolean)

Disable automatic pagination. If automatic pagination is disabled, the AWS CLI will only make one call, for the first page of results.

--output (string)

The formatting style for command output.

  • json
  • text
  • table
  • yaml
  • yaml-stream

--query (string)

A JMESPath query to use in filtering the response data.

--profile (string)

Use a specific profile from your credential file.

--region (string)

The region to use. Overrides config/env settings.

--version (string)

Display the version of this tool.

--color (string)

Turn on/off color output.

  • on
  • off
  • auto

--no-sign-request (boolean)

Do not sign requests. Credentials will not be loaded if this argument is provided.

--ca-bundle (string)

The CA certificate bundle to use when verifying SSL certificates. Overrides config/env settings.

--cli-read-timeout (int)

The maximum socket read time in seconds. If the value is set to 0, the socket read will be blocking and not timeout. The default value is 60 seconds.

--cli-connect-timeout (int)

The maximum socket connect time in seconds. If the value is set to 0, the socket connect will be blocking and not timeout. The default value is 60 seconds.

--cli-binary-format (string)

The formatting style to be used for binary blobs. The default format is base64. The base64 format expects binary blobs to be provided as a base64 encoded string. The raw-in-base64-out format preserves compatibility with AWS CLI V1 behavior and binary values must be passed literally. When providing contents from a file that map to a binary blob fileb:// will always be treated as binary and use the file contents directly regardless of the cli-binary-format setting. When using file:// the file contents will need to properly formatted for the configured cli-binary-format.

  • base64
  • raw-in-base64-out

--no-cli-pager (boolean)

Disable cli pager for output.

--cli-auto-prompt (boolean)

Automatically prompt for CLI input parameters.

--no-cli-auto-prompt (boolean)

Disable automatically prompt for CLI input parameters.

Output

AuditFindings -> (list)

An array of structures, where each structure contains information about one audit finding, including the auditor results, severity, and associated metric and dependency graphs.

Constraints:

  • min: 0
  • max: 10

(structure)

A structure that contains information about an audit finding, which represents an automated analysis result about service behavior, performance issues, or potential problems identified through heuristic algorithms.

KeyAttributes -> (map) [required]

The key attributes that identify the service or entity this audit finding relates to. This is a string-to-string map that includes fields like Type, Name, and Environment.

Constraints:

  • min: 1
  • max: 4

key -> (string)

Constraints:

  • pattern: [a-zA-Z]{1,50}

value -> (string)

Constraints:

  • min: 1
  • max: 1024
  • pattern: [ -~]*[!-~]+[ -~]*

AuditorResults -> (list)

An array of auditor results that contain the specific findings, descriptions, and severity levels identified by different auditing algorithms.

Constraints:

  • min: 0
  • max: 5

(structure)

A structure that contains the result of an automated audit analysis, including the auditor name, description of findings, and severity level.

Auditor -> (string)

The name of the auditor algorithm that generated this result.

Description -> (string)

A detailed description of the audit finding, explaining what was observed and potential implications.

Constraints:

  • min: 0
  • max: 10240

Severity -> (string)

The severity level of this audit finding, indicating the importance and potential impact of the issue.

Possible values:

  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
  • NONE

Operation -> (string)

The name of the operation associated with this audit finding, if the finding is specific to a particular service operation.

MetricGraph -> (structure)

A structure containing metric data queries and time range information that provides context for the audit finding through relevant performance metrics.

MetricDataQueries -> (list)

An array of metric data queries that define the metrics to be retrieved and analyzed as part of the audit finding context.

(structure)

Use this structure to define a metric or metric math expression that you want to use as for a service level objective.

Each MetricDataQuery in the MetricDataQueries array specifies either a metric to retrieve, or a metric math expression to be performed on retrieved metrics. A single MetricDataQueries array can include as many as 20 MetricDataQuery structures in the array. The 20 structures can include as many as 10 structures that contain a MetricStat parameter to retrieve a metric, and as many as 10 structures that contain the Expression parameter to perform a math expression. Of those Expression structures, exactly one must have true as the value for ReturnData . The result of this expression used for the SLO.

For more information about metric math expressions, see CloudWatchUse metric math .

Within each MetricDataQuery object, you must specify either Expression or MetricStat but not both.

Id -> (string) [required]

A short name used to tie this object to the results in the response. This Id must be unique within a MetricDataQueries array. If you are performing math expressions on this set of data, this name represents that data and can serve as a variable in the metric math expression. The valid characters are letters, numbers, and underscore. The first character must be a lowercase letter.

Constraints:

  • min: 1
  • max: 255

MetricStat -> (structure)

A metric to be used directly for the SLO, or to be used in the math expression that will be used for the SLO.

Within one MetricDataQuery object, you must specify either Expression or MetricStat but not both.

Metric -> (structure) [required]

The metric to use as the service level indicator, including the metric name, namespace, and dimensions.

Namespace -> (string)

The namespace of the metric. For more information, see Namespaces .

Constraints:

  • min: 1
  • max: 255
  • pattern: .*[^:].*

MetricName -> (string)

The name of the metric to use.

Constraints:

  • min: 1
  • max: 255

Dimensions -> (list)

An array of one or more dimensions to use to define the metric that you want to use. For more information, see Dimensions .

Constraints:

  • min: 0
  • max: 30

(structure)

A dimension is a name/value pair that is part of the identity of a metric. Because dimensions are part of the unique identifier for a metric, whenever you add a unique name/value pair to one of your metrics, you are creating a new variation of that metric. For example, many Amazon EC2 metrics publish InstanceId as a dimension name, and the actual instance ID as the value for that dimension.

You can assign up to 30 dimensions to a metric.

Name -> (string) [required]

The name of the dimension. Dimension names must contain only ASCII characters, must include at least one non-whitespace character, and cannot start with a colon (: ). ASCII control characters are not supported as part of dimension names.

Constraints:

  • min: 1
  • max: 255

Value -> (string) [required]

The value of the dimension. Dimension values must contain only ASCII characters and must include at least one non-whitespace character. ASCII control characters are not supported as part of dimension values.

Constraints:

  • min: 1
  • max: 1024

Period -> (integer) [required]

The granularity, in seconds, to be used for the metric. For metrics with regular resolution, a period can be as short as one minute (60 seconds) and must be a multiple of 60. For high-resolution metrics that are collected at intervals of less than one minute, the period can be 1, 5, 10, 30, 60, or any multiple of 60. High-resolution metrics are those metrics stored by a PutMetricData call that includes a StorageResolution of 1 second.

Constraints:

  • min: 1

Stat -> (string) [required]

The statistic to use for comparison to the threshold. It can be any CloudWatch statistic or extended statistic. For more information about statistics, see CloudWatch statistics definitions .

Unit -> (string)

If you omit Unit then all data that was collected with any unit is returned, along with the corresponding units that were specified when the data was reported to CloudWatch. If you specify a unit, the operation returns only data that was collected with that unit specified. If you specify a unit that does not match the data collected, the results of the operation are null. CloudWatch does not perform unit conversions.

Possible values:

  • Microseconds
  • Milliseconds
  • Seconds
  • Bytes
  • Kilobytes
  • Megabytes
  • Gigabytes
  • Terabytes
  • Bits
  • Kilobits
  • Megabits
  • Gigabits
  • Terabits
  • Percent
  • Count
  • Bytes/Second
  • Kilobytes/Second
  • Megabytes/Second
  • Gigabytes/Second
  • Terabytes/Second
  • Bits/Second
  • Kilobits/Second
  • Megabits/Second
  • Gigabits/Second
  • Terabits/Second
  • Count/Second
  • None

Expression -> (string)

This field can contain a metric math expression to be performed on the other metrics that you are retrieving within this MetricDataQueries structure.

A math expression can use the Id of the other metrics or queries to refer to those metrics, and can also use the Id of other expressions to use the result of those expressions. For more information about metric math expressions, see Metric Math Syntax and Functions in the Amazon CloudWatch User Guide .

Within each MetricDataQuery object, you must specify either Expression or MetricStat but not both.

Constraints:

  • min: 1
  • max: 2048

Label -> (string)

A human-readable label for this metric or expression. This is especially useful if this is an expression, so that you know what the value represents. If the metric or expression is shown in a CloudWatch dashboard widget, the label is shown. If Label is omitted, CloudWatch generates a default.

You can put dynamic expressions into a label, so that it is more descriptive. For more information, see Using Dynamic Labels .

ReturnData -> (boolean)

Use this only if you are using a metric math expression for the SLO. Specify true for ReturnData for only the one expression result to use as the alarm. For all other metrics and expressions in the same CreateServiceLevelObjective operation, specify ReturnData as false .

Period -> (integer)

The granularity, in seconds, of the returned data points for this metric. For metrics with regular resolution, a period can be as short as one minute (60 seconds) and must be a multiple of 60. For high-resolution metrics that are collected at intervals of less than one minute, the period can be 1, 5, 10, 30, 60, or any multiple of 60. High-resolution metrics are those metrics stored by a PutMetricData call that includes a StorageResolution of 1 second.

If the StartTime parameter specifies a time stamp that is greater than 3 hours ago, you must specify the period as follows or no data points in that time range is returned:

  • Start time between 3 hours and 15 days ago - Use a multiple of 60 seconds (1 minute).
  • Start time between 15 and 63 days ago - Use a multiple of 300 seconds (5 minutes).
  • Start time greater than 63 days ago - Use a multiple of 3600 seconds (1 hour).

Constraints:

  • min: 1

AccountId -> (string)

The ID of the account where this metric is located. If you are performing this operation in a monitoring account, use this to specify which source account to retrieve this metric from.

Constraints:

  • min: 1
  • max: 255

StartTime -> (timestamp)

The start time for the metric data included in this graph. When used in a raw HTTP Query API, it is formatted as epoch time in seconds.

EndTime -> (timestamp)

The end time for the metric data included in this graph. When used in a raw HTTP Query API, it is formatted as epoch time in seconds.

DependencyGraph -> (structure)

A structure containing nodes and edges that represent the dependency relationships relevant to this audit finding, helping to understand the context and potential impact.

Nodes -> (list)

An array of nodes representing the services, resources, or other entities in the dependency graph.

Constraints:

  • min: 0
  • max: 4

(structure)

A structure that represents a node in a dependency graph, containing information about a service, resource, or other entity and its characteristics.

KeyAttributes -> (map) [required]

The key attributes that identify this node, including Type, Name, and Environment information.

Constraints:

  • min: 1
  • max: 4

key -> (string)

Constraints:

  • pattern: [a-zA-Z]{1,50}

value -> (string)

Constraints:

  • min: 1
  • max: 1024
  • pattern: [ -~]*[!-~]+[ -~]*

Name -> (string) [required]

The name of the entity represented by this node.

NodeId -> (string) [required]

A unique identifier for this node within the dependency graph.

Operation -> (string)

The operation associated with this node, if applicable.

Type -> (string)

The type of entity represented by this node, such as Service or Resource .

Duration -> (double)

The duration or processing time associated with this node, if applicable.

Status -> (string)

The status of the entity represented by this node.

Edges -> (list)

An array of edges representing the connections and relationships between the nodes in the dependency graph.

(structure)

A structure that represents a connection between two nodes in a dependency graph, showing the relationship and characteristics of the connection.

SourceNodeId -> (string)

The identifier of the source node in this edge connection.

DestinationNodeId -> (string)

The identifier of the destination node in this edge connection.

Duration -> (double)

The duration or latency associated with this connection, if applicable.

ConnectionType -> (string)

The type of connection between the nodes, indicating the nature of the relationship.

Possible values:

  • INDIRECT
  • DIRECT

Type -> (string)

The type of audit finding.

NextToken -> (string)

Include this value in your next use of this API to get the next set of audit findings.
© Copyright 2025, Amazon Web Services. Created using Sphinx.