
[ aws . iot ]



Starts a task that applies a set of mitigation actions to the specified target.

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.


--task-id <value>
--target <value>
--audit-check-to-actions-mapping <value>
[--client-request-token <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]


--task-id (string)

A unique identifier for the task. You can use this identifier to check the status of the task or to cancel it.

--target (structure)

Specifies the audit findings to which the mitigation actions are applied. You can apply them to a type of audit check, to all findings from an audit, or to a specific set of findings.

Shorthand Syntax:


JSON Syntax:

{
  "auditTaskId": "string",
  "findingIds": ["string", ...],
  "auditCheckToReasonCodeFilter": {"string": ["string", ...]
    ...}
}

--audit-check-to-actions-mapping (map)

For an audit check, specifies which mitigation actions to apply. Those actions must be defined in your AWS account.

Shorthand Syntax:


JSON Syntax:

{"string": ["string", ...]
  ...}

--client-request-token (string)

Each audit mitigation task must have a unique client request token. If you try to start a new task with the same token as a task that already exists, an exception occurs. If you omit this value, a unique client request token is generated automatically.

--cli-input-json (string)

Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--generate-cli-skeleton (string)

Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.



To apply a mitigation action to the findings from an audit

The following start-audit-mitigation-actions-task example applies the ResetPolicyVersionAction action (which clears the policy) to the specified single finding.

aws iot start-audit-mitigation-actions-task \
    --task-id "myActionsTaskId" \
    --target "findingIds=[\"0edbaaec-2fe1-4cf5-abc9-d4c3e51f7464\"]" \
    --audit-check-to-actions-mapping "IOT_POLICY_OVERLY_PERMISSIVE_CHECK=[\"ResetPolicyVersionAction\"]" \
    --client-request-token "adhadhahda"


Output:

{
    "taskId": "myActionsTaskId"
}

For more information, see StartAuditMitigationActionsTask (Mitigation Action Commands) in the AWS IoT Developer Guide.
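
Added example (not part of the AWS reference): the request from the example above built as a --cli-input-json document, so no quotes need escaping on the command line, with a client request token derived from the request contents so that an accidental re-run is rejected instead of starting a second task. The helper names (safe_name, request_token, build_input) and the allowed-character rule are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example: build the --cli-input-json document for
# start-audit-mitigation-actions-task instead of hand-escaping quotes
# inside --target and --audit-check-to-actions-mapping.

# Assumption: identifiers are limited to characters that need no JSON
# escaping; anything else is rejected before a document is produced.
safe_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Derive the client request token from the request contents. Submitting
# the identical request twice then reuses the token, and the service
# raises an exception instead of starting a duplicate task.
request_token() {
    printf '%s' "$*" | sha256sum | cut -c1-32
}

# build_input TASK_ID CHECK_NAME ACTION_NAME FINDING_ID...
build_input() {
    task_id=$1 check=$2 action=$3
    shift 3
    [ "$#" -ge 1 ] || { echo "no finding IDs given" >&2; return 1; }
    for v in "$task_id" "$check" "$action" "$@"; do
        safe_name "$v" || { echo "rejected value: $v" >&2; return 1; }
    done
    ids=
    for id in "$@"; do
        ids="${ids:+$ids, }\"$id\""
    done
    token=$(request_token "$task_id" "$check" "$action" "$@")
    printf '{"taskId": "%s", "target": {"findingIds": [%s]}, "auditCheckToActionsMapping": {"%s": ["%s"]}, "clientRequestToken": "%s"}\n' \
        "$task_id" "$ids" "$check" "$action" "$token"
}

# Dry run with the values from the example above: prints the document only.
build_input "myActionsTaskId" "IOT_POLICY_OVERLY_PERMISSIVE_CHECK" \
    "ResetPolicyVersionAction" "0edbaaec-2fe1-4cf5-abc9-d4c3e51f7464"
# To submit, pass the printed document to:
#   aws iot start-audit-mitigation-actions-task --cli-input-json "<document>"
```

Review the printed document before submitting it, since the mitigation action changes the policies named in the findings.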


taskId -> (string)

The unique identifier for the audit mitigation task. This matches the taskId that you specified in the request.