AWS Security Finding Format (ASFF) - AWS Security Hub

AWS Security Finding Format (ASFF)

AWS Security Hub consumes, aggregates, organizes, and prioritizes findings from AWS security services and from the third-party product integrations. Security Hub processes these findings using a standard findings format called the AWS Security Finding Format (ASFF), which eliminates the need for time-consuming data conversion efforts. Then it correlates ingested findings across products to prioritize the most important ones.

ASFF syntax

The following is the syntax of the complete finding JSON in the ASFF.

"Findings": [ { "AwsAccountId": "string", "Compliance": { "RelatedRequirements": ["string"], "Status": "string", "StatusReasons": [ { "Description": "string", "ReasonCode": "string" } ] }, "Confidence": number, "CreatedAt": "string", "Criticality": number, "Description": "string", "FirstObservedAt": "string", "GeneratorId": "string", "Id": "string", "LastObservedAt": "string", "Malware": [ { "Name": "string", "Path": "string", "State": "string", "Type": "string" } ], "Network": { "DestinationDomain": "string", "DestinationIpV4": "string", "DestinationIpV6": "string", "DestinationPort": number, "Direction": "string", "OpenPortRange": { "Begin": integer, "End": integer }, "Protocol": "string", "SourceDomain": "string", "SourceIpV4": "string", "SourceIpV6": "string", "SourceMac": "string", "SourcePort": number }, "NetworkPath" : [ { "ComponentId": "string", "ComponentType": "string", "Egress": { "Destination": { "Address": ["string"], "PortRanges": [ { "Begin": integer, "End": integer } ] }, "Protocol": "string", "Source": { "Address": ["string"], "PortRanges": [ { "Begin": integer, "End": integer } ] } }, "Ingress": { "Destination": { "Address": ["string"], "PortRanges": [ { "Begin": integer, "End": integer } ] }, "Protocol": "string", "Source": { "Address": ["string"], "PortRanges": [ { "Begin": integer, "End": integer } ] } } } ], "Note": { "Text": "string", "UpdatedAt": "string", "UpdatedBy": "string" }, "PatchSummary" : { "FailedCount" : number, "Id" : "string", "InstalledCount" : number, "InstalledOtherCount" : number, "InstalledPendingReboot" : number, "InstalledRejectedCount" : number, "MissingCount" : number, "Operation" : "string", "OperationEndTime" : "string", "OperationStartTime" : "string", "RebootOption" : "string" }, "Process": { "LaunchedAt": "string", "Name": "string", "ParentPid": number, "Path": "string", "Pid": number, "TerminatedAt": "string" }, "ProductArn": "string", "ProductFields": { "string" : "string" }, "RecordState": "string", 
"RelatedFindings": [ { "Id": "string", "ProductArn": "string" } ], "Remediation": { "Recommendation": { "Text": "string", "Url": "string" } }, "Resources": [ { "Details": { "AwsAutoScalingAutoScalingGroup": { "CreatedTime": "string", "HealthCheckGracePeriod": integer, "HealthCheckType": "string", "LaunchConfigurationName": "string", "LoadBalancerNames": ["string"] }, "AwsCloudFrontDistribution": { "DomainName": "string", "Etag": "string", "LastModifiedTime": "string", "Logging": { "Bucket": "string", "Enabled": boolean, "IncludeCookies": boolean, "Prefix": "string" }, "Origins": { "Items": [ { "DomainName": "string", "Id": "string", "OriginPath": "string" } ] }, "Status": "string", "WebAclId": "string" }, "AwsCodeBuildProject": { "EncryptionKey": "string", "Environment": { "Type": "string", "Certificate": "string", "ImagePullCredentialsType": "string", "RegistryCredential": { "Credential": "string", "CredentialProvider": "string" } }, "Name": "string", "ServiceRole": "string", "Source": { "Type": "string", "Location": "string", "GitCloneDepth": integer }, "VpcConfig": { "VpcId": "string", "Subnets": ["string"], "SecurityGroupIds": ["string"] } }, "AwsDynamoDbTable": { "AttributeDefinitions": [ { "AttributeName": "string", "AttributeType": "string" } ], "BillingModeSummary": { "BillingMode": "string", "LastUpdateToPayPerRequestDateTime": "string" }, "CreationDateTime": "string", "GlobalSecondaryIndexes": [ { "Backfilling": boolean, "IndexArn": "string", "IndexName": "string", "IndexSizeBytes": number, "IndexStatus": "string", "ItemCount": number, "KeySchema": [ { "AttributeName": "string", "KeyType": "string" } ], "Projection": { "NonKeyAttributes": [ "string" ], "ProjectionType": "string" }, "ProvisionedThroughput": { "LastDecreaseDateTime": "string", "LastIncreaseDateTime": "string", "NumberOfDecreasesToday": number, "ReadCapacityUnits": number, "WriteCapacityUnits": number } } ], "GlobalTableVersion": "string", "ItemCount": number, "KeySchema": [ { 
"AttributeName": "string", "KeyType": "string" } ], "LatestStreamArn": "string", "LatestStreamLabel": "string", "LocalSecondaryIndexes": [ { "IndexArn": "string", "IndexName": "string", "KeySchema": [ { "AttributeName": "string", "KeyType": "string" } ], "Projection": { "NonKeyAttributes": [ "string" ], "ProjectionType": "string" } } ], "ProvisionedThroughput": { "LastDecreaseDateTime": "string", "LastIncreaseDateTime": "string", "NumberOfDecreasesToday": number, "ReadCapacityUnits": number, "WriteCapacityUnits": number }, "Replicas": [ { "GlobalSecondaryIndexes": [ { "IndexName": "string", "ProvisionedThroughputOverride": { "ReadCapacityUnits": number } } ], "KmsMasterKeyId": "string", "ProvisionedThroughputOverride": { "ReadCapacityUnits": number }, "RegionName": "string", "ReplicaStatus": "string", "ReplicaStatusDescription": "string" } ], "RestoreSummary": { "RestoreDateTime": "string", "RestoreInProgress": boolean, "SourceBackupArn": "string", "SourceTableArn": "string" }, "SseDescription": { "InaccessibleEncryptionDateTime": "string", "KmsMasterKeyArn": "string", "SseType": "string", "Status": "string" }, "StreamSpecification": { "StreamEnabled": boolean, "StreamViewType": "string" }, "TableId": "string", "TableName": "string", "TableSizeBytes": number, "TableStatus": "string" }, "AwsEc2Eip": { "AllocationId": "string", "AssociationId": "string", "Domain": "string", "InstanceId": "string", "NetworkBorderGroup": "string", "NetworkInterfaceId": "string", "NetworkInterfaceOwnerId": "string", "PrivateIpAddress": "string", "PublicIp": "string", "PublicIpv4Pool": "string" }, "AwsEc2Instance": { "IamInstanceProfileArn": "string", "ImageId": "string", "IpV4Addresses": [ "string" ], "IpV6Addresses": [ "string" ], "KeyName": "string", "LaunchedAt": "string", "SubnetId": "string", "Type": "string", "VpcId": "string" }, "AwsEc2NetworkInterface": { "Attachment": { "AttachmentId": "string", "AttachTime": "string", "DeleteOnTermination": boolean, "DeviceIndex": number, 
"InstanceId": "string", "InstanceOwnerId": "string", "Status": "string" }, "SecurityGroups": [ { "GroupId": "string", "GroupName": "string" } ], "NetworkInterfaceId": "string", "SourceDestCheck": boolean }, "AwsEc2SecurityGroup": { "GroupId": "string", "GroupName": "string", "IpPermissions": [ { "FromPort": number, "IpProtocol": "string", "IpRanges": [ { "CidrIp": "string" } ], "PrefixListIds": [ {"PrefixListId": "string"} ], "ToPort": number, "UserIdGroupPairs": [ { "UserId": "string", "GroupId": "string" } ] } ], "IpPermissionsEgress": [ { "FromPort": number, "IpProtocol": "string", "IpRanges": [ { "CidrIp": "string" } ], "PrefixListIds": [ {"PrefixListId": "string"} ], "ToPort": number, "UserIdGroupPairs": [ { "UserId": "string", "GroupId": "string" } ] } ], "OwnerId": "string", "VpcId": "string" }, "AwsEc2Volume": { "Attachments": [ { "AttachTime": "string", "DeleteOnTermination": boolean, "InstanceId": "string", "Status": "string" } ], "CreateTime": "string", "Encrypted": boolean, "KmsKeyId": "string", "Size": number, "SnapshotId": "string", "Status": "string" }, "AwsEc2Vpc": { "CidrBlockAssociationSet": [ { "AssociationId": "string", "CidrBlock": "string", "CidrBlockState": "string" } ], "DhcpOptionsId": "string", "Ipv6CidrBlockAssociationSet": [ { "AssociationId": "string", "CidrBlockState": "string", "Ipv6CidrBlock": "string" } ], "State": "string" }, "AwsElasticSearchDomain": { "AccessPolicies": "string", "DomainStatus": { "DomainId": "string", "DomainName": "string", "Endpoint": "string", "Endpoints": { "string": "string" } }, "DomainEndpointOptions": { "EnforceHTTPS": boolean, "TLSSecurityPolicy": "string" }, "ElasticsearchVersion": "string", "EncryptionAtRestOptions": { "Enabled": boolean, "KmsKeyId": "string" }, "NodeToNodeEncryptionOptions": { "Enabled": boolean }, "VPCOptions": { "AvailabilityZones": [ "string" ], "SecurityGroupIds": [ "string" ], "SubnetIds": [ "string" ], "VPCId": "string" } }, "AwsElbv2LoadBalancer": { "AvailabilityZones": { 
"SubnetId": "string", "ZoneName": "string" }, "CanonicalHostedZoneId": "string", "CreatedTime": "string", "DNSName": "string", "IpAddressType": "string", "Scheme": "string", "SecurityGroups": [ "string" ], "State": { "Code": "string", "Reason": "string" }, "Type": "string", "VpcId": "string" }, "AwsIamAccessKey": { "CreatedAt": "string", "PrincipalId": "string", "PrincipalName": "string", "PrincipalType": "string", "Status": "string" }, "AwsIamPolicy": { "AttachmentCount": number, "CreateDate": "string", "DefaultVersionId": "string", "Description": "string", "IsAttachable": boolean, "Path": "string", "PermissionsBoundaryUsageCount": number, "PolicyId": "string", "PolicyName": "string", "PolicyVersionList": [ { "CreateDate": "string", "IsDefaultVersion": boolean, "VersionId": "string" } ], "UpdateDate": "string" }, "AwsIamRole": { "AssumeRolePolicyDocument": "string", "CreateDate": "string", "MaxSessionDuration": number, "Path": "string", "RoleId": "string", "RoleName": "string" }, "AwsIamUser": { "AttachedManagedPolicies": [ { "PolicyArn": "string", "PolicyName": "string" } ], "CreateDate": "string", "GroupList": [ "string" ], "Path": "string", "PermissionsBoundary": { "PermissionsBoundaryArn": "string", "PermissionsBoundaryType": "string" }, 
"UserId": "string", "UserName": "string", "UserPolicyList": [ { "PolicyName": "string" } ] }, "AwsKmsKey": { "AWSAccountId": "string", "CreationDate": "string", "Description": "string", "KeyId": "string", "KeyManager": "string", "KeyState": "string", "Origin": "string" }, "AwsLambdaFunction": { "Code": { "S3Bucket": "string", "S3Key": "string", "S3ObjectVersion": "string", "ZipFile": "string" }, "CodeSha256": "string", "DeadLetterConfig": { "TargetArn": "string" }, "Environment": { "Variables": { "string": "string" }, "Error": { "ErrorCode": "string", "Message": "string" } }, "FunctionName": "string", "Handler": "string", "KmsKeyArn": "string", "LastModified": "string", "Layers": { "Arn": "string", "CodeSize": number }, "RevisionId": "string", "Role": "string", "Runtime": "string", "Timeout": integer, "TracingConfig": { "Mode": "string" }, "Version": "string", "VpcConfig": { "SecurityGroupIds": [ "string" ], "SubnetIds": [ "string" ] }, "MasterArn": "string", "MemorySize": number }, "AwsLambdaLayerVersion": { "CompatibleRuntimes": [ "string" ], "CreatedDate": "string", "Version": number }, "AwsRdsDbCluster": { "ActivityStreamStatus": "string", "AllocatedStorage": number, "AssociatedRoles": [ { "RoleArn": "string", "Status": "string" } ], "AvailabilityZones": [ "string" ], "BackupRetentionPeriod": integer, "ClusterCreateTime": "string", "CopyTagsToSnapshot": boolean, "CrossAccountClone": boolean, "CustomEndpoints": [ "string" ], "DatabaseName": "string", "DbClusterIdentifier": "string", "DbClusterMembers": [ { "DbClusterParameterGroupStatus": "string", "DbInstanceIdentifier": "string", "IsClusterWriter": boolean, "PromotionTier": integer } ], "DbClusterOptionGroupMemberships": [ { "DbClusterOptionGroupName": "string", "Status": "string" } ], "DbClusterParameterGroup": "string", "DbClusterResourceId": "string", "DbSubnetGroup": "string", "DeletionProtection": boolean, "DomainMemberships": [ { "Domain": "string", "Fqdn": "string", "IamRoleName": 
"string", "Status": "string" } ], "EnabledCloudwatchLogsExports": [ "string" ], "Endpoint": "string", "Engine": "string", "EngineMode": "string", "EngineVersion": "string", "HostedZoneId": "string", "HttpEndpointEnabled": boolean, "IamDatabaseAuthenticationEnabled": boolean, "KmsKeyId": "string", "MasterUsername": "string", "MultiAz": boolean, "Port": integer, "PreferredBackupWindow": "string", "PreferredMaintenanceWindow": "string", "ReaderEndpoint": "string", "ReadReplicaIdentifiers": [ "string" ], "Status": "string", "StorageEncrypted": boolean, "VpcSecurityGroups": [ { "Status": "string", "VpcSecurityGroupId": "string" } ] }, "AwsRdsDbClusterSnapshot": { "AllocatedStorage": integer, "AvailabilityZones": [ "string" ], "ClusterCreateTime": "string", "DbClusterIdentifier": "string", "DbClusterSnapshotIdentifier": "string", "Engine": "string", "EngineVersion": "string", "IamDatabaseAuthenticationEnabled": boolean, "KmsKeyId": "string", "LicenseModel": "string", "MasterUsername": "string", "PercentProgress": integer, "Port": integer, "SnapshotCreateTime": "string", "SnapshotType": "string", "Status": "string", "StorageEncrypted": boolean, "VpcId": "string" }, "AwsRdsDbInstance": { "AllocatedStorage": number, "AssociatedRoles": [ { "RoleArn": "string", "FeatureName": "string", "Status": "string" } ], "AutoMinorVersionUpgrade": boolean, "AvailabilityZone": "string", "BackupRetentionPeriod": number, "CACertificateIdentifier": "string", "CharacterSetName": "string", "CopyTagsToSnapshot": boolean, "DBClusterIdentifier": "string", "DBInstanceClass": "string", "DBInstanceIdentifier": "string", "DbInstancePort": number, "DbInstanceStatus": "string", "DbiResourceId": "string", "DBName": "string", "DbParameterGroups": [ { "DbParameterGroupName": "string", "ParameterApplyStatus": "string" } ], "DbSecurityGroups": [ "string" ], "DbSubnetGroup": { "DbSubnetGroupArn": "string", "DbSubnetGroupDescription": "string", "DbSubnetGroupName": "string", "SubnetGroupStatus": "string", 
"Subnets": [ { "SubnetAvailabilityZone": { "Name": "string" }, "SubnetIdentifier": "string", "SubnetStatus": "string" } ], "VpcId": "string" }, "DeletionProtection": boolean, "Endpoint": { "Address": "string", "Port": number, "HostedZoneId": "string" }, "DomainMemberships": [ { "Domain": "string", "Fqdn": "string", "IamRoleName": "string", "Status": "string" } ], "EnabledCloudwatchLogsExports": [ "string" ], "Engine": "string", "EngineVersion": "string", "EnhancedMonitoringResourceArn": "string", "IAMDatabaseAuthenticationEnabled": boolean, "InstanceCreateTime": "string", "Iops": number, "KmsKeyId": "string", "LatestRestorableTime": "string", "LicenseModel": "string", "ListenerEndpoint": { "Address": "string", "HostedZoneId": "string", "Port": number }, "MasterUsername": "string", "MaxAllocatedStorage": number, "MonitoringInterval": number, "MonitoringRoleArn": "string", "MultiAz": boolean, "OptionGroupMemberships": [ { "OptionGroupName": "string", "Status": "string" } ], "PendingModifiedValues": { "AllocatedStorage": number, "BackupRetentionPeriod": number, "CaCertificateIdentifier": "string", "DbInstanceClass": "string", "DbInstanceIdentifier": "string", "DbSubnetGroupName": "string", "EngineVersion": "string", "Iops": number, "LicenseModel": "string", "MasterUserPassword": "string", "MultiAZ": boolean, "PendingCloudWatchLogsExports": { "LogTypesToDisable": [ "string" ], "LogTypesToEnable": [ "string" ] }, "Port": number, "ProcessorFeatures": [ { "Name": "string", "Value": "string" } ], "StorageType": "string" }, "PerformanceInsightsEnabled": boolean, "PerformanceInsightsKmsKeyId": "string", "PerformanceInsightsRetentionPeriod": number, "PreferredBackupWindow": "string", "PreferredMaintenanceWindow": "string", "ProcessorFeatures": [ { "Name": "string", "Value": "string" } ], "PromotionTier": number, "PubliclyAccessible": boolean, "ReadReplicaDBClusterIdentifiers": [ "string" ], "ReadReplicaDBInstanceIdentifiers": [ "string" ], 
"ReadReplicaSourceDBInstanceIdentifier": "string", "SecondaryAvailabilityZone": "string", "StatusInfos": [ { "Message": "string", "Normal": boolean, "Status": "string", "StatusType": "string" } ], "StorageEncrypted": boolean, "TdeCredentialArn": "string", "Timezone": "string", "VpcSecurityGroups": [ { "VpcSecurityGroupId": "string", "Status": "string" } ] }, "AwsRdsDbSnapshot": { "AllocatedStorage": integer, "AvailabilityZone": "string", "DbInstanceIdentifier": "string", "DbiResourceId": "string", "DbSnapshotIdentifier": "string", "Encrypted": boolean, "Engine": "string", "EngineVersion": "string", "IamDatabaseAuthenticationEnabled": boolean, "InstanceCreateTime": "string", "Iops": number, "KmsKeyId": "string", "LicenseModel": "string", "MasterUsername": "string", "OptionGroupName": "string", "PercentProgress": integer, "Port": integer, "ProcessorFeatures": [], "SnapshotCreateTime": "string", "SnapshotType": "string", "SourceDbSnapshotIdentifier": "string", "SourceRegion": "string", "Status": "string", "StorageType": "string", "TdeCredentialArn": "string", "Timezone": "string", "VpcId": "string" }, "AwsS3Bucket": { "CreatedAt": "string", "OwnerId": "string", "OwnerName": "string", "ServerSideEncryptionConfiguration": { "Rules": [ { "ApplyServerSideEncryptionByDefault": { "KMSMasterKeyID": "string", "SSEAlgorithm": "string" } } ] } }, "AwsS3Object": { "ContentType": "string", "ETag": "string", "LastModified": "string", "ServerSideEncryption": "string", "SSEKMSKeyId": "string", "VersionId": "string" }, "AwsSecretsManagerSecret": { "Deleted": boolean, "Description": "string", "KmsKeyId": "string", "Name": "string", "RotationEnabled": boolean, "RotationLambdaArn": "string", "RotationOccurredWithinFrequency": boolean, "RotationRules": { "AutomaticallyAfterDays": integer } }, "AwsSnsTopic": { "KmsMasterKeyId": "string", "Owner": "string", "Subscription": { "Endpoint": "string", "Protocol": "string" }, "TopicName": "string" }, "AwsSqsQueue": { "DeadLetterTargetArn": "string", 
"KmsDataKeyReusePeriodSeconds": number, "KmsMasterKeyId": "string", "QueueName": "string" }, "AwsWafWebAcl": { "DefaultAction": "string", "Name": "string", "Rules": [ { "Action": { "Type": "string" }, "ExcludedRules": [ { "RuleId": "string" } ], "OverrideAction": { "Type": "string" }, "Priority": number, "RuleId": "string", "Type": "string" } ], "WebAclId": "string" }, "Container": { "ImageId": "string", "ImageName": "string", "LaunchedAt": "string", "Name": "string" }, "Other": { "string" : "string" } }, "Id": "string", "Partition": "string", "Region": "string", "Tags": { "string" : "string" }, "Type": "string" } ], "SchemaVersion": "string", "Severity": { "Label": "string", "Normalized": number, "Original": "string", "Product": number }, "SourceUrl": "string", "ThreatIntelIndicators": [ { "Category": "string", "LastObservedAt": "string", "Source": "string", "SourceUrl": "string", "Type": "string", "Value": "string" } ], "Title": "string", "Types": [ "string" ], "UpdatedAt": "string", "UserDefinedFields": { "string" : "string" }, "VerificationState": "string", "Workflow": { "Status": "string" }, "WorkflowState": "string", "Vulnerabilities": [ { "Cvss": [ { "BaseScore": number, "BaseVector": "string", "Version": "string" } ], "Id": "string", "ReferenceUrls": ["string"], "RelatedVulnerabilities": ["string"], "Vendor": { "Name": "string", "Url": "string", "VendorCreatedAt": "string", "VendorSeverity": "string", "VendorUpdatedAt": "string" }, "VulnerablePackages": [ { "Architecture": "string", "Epoch": "string", "Name": "string", "Release": "string", "Version": "string" } ] } ] } ]

ASFF attributes

The following table lists the top-level attributes and objects for the ASFF. For objects, to see the details for the object attributes and subfields, choose the object name.

Attribute

Required

Description

AwsAccountId

Yes

The AWS account ID that the finding applies to.

Type: String (12 digits max)

Example:

"AwsAccountId": "111111111111"

Compliance

No

Finding details related to a control. Only returned for findings generated from a control.

Type: Object

Example:

"Compliance": { "RelatedRequirements": ["Req1", "Req2"], "Status": "PASSED", "StatusReasons": [ { "ReasonCode": "CLOUDWATCH_ALARMS_NOT_PRESENT", "Description": "CloudWatch alarms do not exist in the account" } ] }

Confidence

No

A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.

A finding provider can provide an initial value for this attribute, but cannot update it after that. This attribute can only be updated using BatchUpdateFindings.

Type: Integer (range 0–100)

Confidence is scored on a 0–100 basis using a ratio scale, where 0 means zero-percent confidence and 100 means 100-percent confidence.

For example, a data exfiltration detection based on a statistical deviation of network traffic has a much lower confidence because an actual exfiltration hasn't been verified.

Example:

"Confidence": 42

CreatedAt

Yes

Indicates when the potential security issue captured by a finding was created.

The CreatedAt timestamp reflects the time when the finding record was created. Consequently, it can differ from the FirstObservedAt timestamp, which reflects the time when the event or vulnerability was first observed.

This timestamp must be provided on the first generation of the finding and can't be changed upon subsequent updates to the finding.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Example:

"CreatedAt": "2017-03-22T13:22:13.933Z"

Note

Findings are deleted 90 days after the most recent update or 90 days after the creation date if no update occurs. To store findings for longer than 90 days, you can configure a rule in CloudWatch Events that routes findings to your Amazon S3 bucket.

Criticality

No

The level of importance that is assigned to the resources that are associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.

A finding provider can provide an initial value for this attribute, but cannot update it after that. This attribute can only be updated using BatchUpdateFindings.

Type: Integer (range 0–100)

Criticality is scored on a 0–100 basis, using a ratio scale that supports only whole integers.

At a high level, when assessing criticality, you need to consider the following:

  • Which findings impact resources that are more critical than other resources?

  • How much more critical are those resources compared to other resources?

For each resource, consider the following:

  • Does the impacted resource contain sensitive data (for example, an S3 bucket with PII)?

  • Does the impacted resource enable an adversary to deepen their access or extend their capabilities to carry out additional malicious activity (for example, a compromised sysadmin account)?

  • Is the resource a business-critical asset (for example, a key business system that if compromised could have significant revenue impact)?

You can use the following guidelines:

  • A resource powering mission-critical systems or containing highly sensitive data can be scored in the 75–100 range.

  • A resource powering important (but not critical) systems or containing moderately important data can be scored in the 25–75 range.

  • A resource powering non-important systems or containing non-sensitive data should be scored in the 0–24 range.

Example:

"Criticality": 99

Description

Yes

A finding's description. This field can be nonspecific boilerplate text or details that are specific to the instance of the finding.

Type: String (1,024 characters max)

Example:

"Description": "The version of openssl found on instance i-abcd1234 is known to contain a vulnerability."

FirstObservedAt

No

Indicates when the potential security issue captured by a finding was first observed.

This timestamp reflects the time of when the event or vulnerability was first observed. Consequently, it can differ from the CreatedAt timestamp, which reflects the time this finding record was created.

This timestamp should be immutable between updates of the finding record, but can be updated if a more accurate timestamp is determined.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Example:

"FirstObservedAt": "2017-03-22T13:22:13.933Z"

GeneratorId

Yes

The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various solutions from security findings products, this generator can be called a rule, a check, a detector, a plugin, and so on.

Type: String (512 characters max) or Amazon Resource Name (ARN)

Example:

"GeneratorId": "acme-vuln-9ab348"

Id

Yes

The product-specific identifier for a finding.

Type: String (512 characters max) or ARN

The finding ID must comply with the following constraints:

  • The ID must be globally unique within the product. To enforce uniqueness, you can incorporate the public AWS Region name and account ID in the identifier.

  • You cannot recycle identifiers regardless of whether the previous finding no longer exists.

  • The ID must only contain characters from the unreserved characters set defined in section 2.3 of RFC-3986 Uniform Resource Identifier (URI): Generic Syntax.

  • For non-AWS services, the ID cannot be prefixed with the literal string "arn:".

  • For AWS services, the ID must be the ARN of the finding if one is available. Otherwise, you can use any other unique identifier.

These constraints are expected to hold within a findings product, but are not required to hold across findings products.

Example:

"Id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef"

LastObservedAt

No

Indicates when the potential security issue captured by a finding was most recently observed by the security findings product.

This timestamp reflects the time of when the event or vulnerability was last or most recently observed. Consequently, it can differ from the UpdatedAt timestamp, which reflects when this finding record was last or most recently updated.

You can provide this timestamp, but it isn't required upon the first observation. If you provide the field in this case, the timestamp should be the same as the FirstObservedAt timestamp. You should update this field to reflect the last or most recently observed timestamp each time a finding is observed.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Example:

"LastObservedAt": "2017-03-23T13:22:13.933Z"

Malware

No

A list of malware related to a finding.

Type: Array of up to five malware objects

Example:

"Malware": [ { "Name": "Stringler", "Type": "COIN_MINER", "Path": "/usr/sbin/stringler", "State": "OBSERVED" } ]

Network

No

The details of network-related information about a finding.

Type: Object

Example:

"Network": { "Direction": "IN", "OpenPortRange": { "Begin": 443, "End": 443 }, "Protocol": "TCP", "SourceIpV4": "1.2.3.4", "SourceIpV6": "FE80:CD00:0000:0CDE:1257:0000:211E:729C", "SourcePort": 42, "SourceDomain": "example1.com", "SourceMac": "00:0d:83:b1:c0:8e", "DestinationIpV4": "2.3.4.5", "DestinationIpV6": "FE80:CD00:0000:0CDE:1257:0000:211E:729C", "DestinationPort": 80, "DestinationDomain": "example2.com" }

NetworkPath

No

A network path that is related to the finding.

Each entry in NetworkPath represents a component of the path.

Type: Array of objects

Note

No

A user-defined note that is added to a finding.

A finding provider can provide an initial note for a finding, but cannot add notes after that.

A note can only be updated using BatchUpdateFindings.

Type: Object

Example:

"Note": { "Text": "Don't forget to check under the mat.", "UpdatedBy": "jsmith", "UpdatedAt": "2018-08-31T00:15:09Z" }

PatchSummary

No

Provides a summary of patch compliance.

Type: Object

Process

No

The details of process-related information about a finding.

Type: Object

Example:

"Process": { "Name": "syslogd", "Path": "/usr/sbin/syslogd", "Pid": 12345, "ParentPid": 56789, "LaunchedAt": "2018-09-27T22:37:31Z", "TerminatedAt": "2018-09-27T23:37:31Z" }

ProductArn

Yes

The ARN generated by Security Hub that uniquely identifies a third-party findings product after the product is registered with Security Hub.

Type: ARN

The format of this field is arn:partition:securityhub:region:account-id:product/company-id/product-id.

  • For AWS services that are integrated with Security Hub, the company-id must be "aws", and the product-id must be the AWS public service name. Because AWS products and services aren't associated with an account, the account-id section of the ARN is empty. AWS services that are not yet integrated with Security Hub are considered third-party products.

  • For public products, the company-id and product-id must be the ID values specified at the time of registration.

  • For private products, the company-id must be the account ID. The product-id must be the reserved word "default" or the ID that was specified at the time of registration.

Example:

// Private ARN
"ProductArn": "arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default"

// Public ARN
"ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty"
"ProductArn": "arn:aws:securityhub:us-west-2:222222222222:product/generico/secure-pro"

ProductFields

No

A data type where security findings products can include additional solution-specific details that aren't part of the defined AWS Security Finding Format.

Type: Map of up to 50 key-value pairs

This field should not contain redundant data and must not contain data that conflicts with AWS Security Finding Format fields.

The "aws/" prefix represents a reserved namespace for AWS products and services only and must not be submitted with findings from partner products.

Although not required, products should format field names as company-id/product-id/field-name, where the company-id and product-id match those supplied in the ProductArn of the finding.

Field names can include alphanumeric characters, white space, and the following symbols: _ . / = + \ - @

Example:

"ProductFields": { "generico/secure-pro/Count": "6", "generico/secure-pro/Action.Type": "AWS_API_CALL", "generico/secure-pro/API": "DeleteTrail", "generico/secure-pro/Service_Name": "cloudtrail.amazonaws.com", "aws/inspector/AssessmentTemplateName": "My daily CVE assessment", "aws/inspector/AssessmentTargetName": "My prod env", "aws/inspector/RulesPackageName": "Common Vulnerabilities and Exposures" }

RecordState

No

The record state of a finding.

By default, when initially generated by a service, findings are considered ACTIVE.

The ARCHIVED state indicates that a finding should be hidden from view. Archived findings are not immediately deleted. You can search, review, and report against them.

Finding providers can update the record state. Security Hub also automatically archives control-based findings if the associated resource is deleted, the resource does not exist, or the control is disabled.

Type: Enum

Valid values: ACTIVE | ARCHIVED

Example:

"RecordState": "ACTIVE"

RelatedFindings

No

A list of related findings.

A finding provider can provide an initial list of related findings, but cannot update the list after that. The list of related findings can only be updated using BatchUpdateFindings.

Type: Array of up to 10 RelatedFinding objects

Example:

"RelatedFindings": [ { "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty", "Id": "123e4567-e89b-12d3-a456-426655440000" }, { "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty", "Id": "AcmeNerfHerder-111111111111-x189dx7824" } ]

Remediation

No

The remediation options for a finding.

Type: Object

Example:

"Remediation": { "Recommendation": { "Text": "Run sudo yum update and cross your fingers and toes.", "Url": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html" } }

Resources

Yes

A set of resource data types that describe the resources that the finding refers to.

Type: Array of up to 32 resource objects

Example:

"Resources": [ { "Type": "AwsEc2Instance", "Id": "i-cafebabe", "Partition": "aws", "Region": "us-west-2", "Tags": { "billingCode": "Lotus-1-2-3", "needsPatching": "true" }, "Details": { "AwsEc2Instance": { "Type": "i3.xlarge", "ImageId": "ami-abcd1234", "IpV4Addresses": [ "54.194.252.215", "192.168.1.88" ], "IpV6Addresses": [ "2001:db8:1234:1a2b::123" ], "KeyName": "my_keypair", "IamInstanceProfileArn": "arn:aws:iam::111111111111:instance-profile/AdminRole", "VpcId": "vpc-11112222", "SubnetId": "subnet-56f5f633", "LaunchedAt": "2018-05-08T16:46:19.000Z" } } } ]

SchemaVersion

Yes

The schema version that a finding is formatted for. The value of this field must be one of the officially published versions identified by AWS.

In the current release, the AWS Security Finding Format schema version is 2018-10-08.

Type: String (10 characters max, conforms to YYYY-MM-DD)

Example:

"SchemaVersion": "2018-10-08"

Severity

Yes

A finding's severity.

The finding must have either Label or Normalized populated. Label is the preferred attribute. If neither attribute is populated, then the finding is invalid.

A finding provider can provide initial severity information for a finding, but cannot update it after that. The severity information can only be updated using BatchUpdateFindings.

Type: Object

Example:

"Severity": { "Label": "CRITICAL", "Original": 8.3 }

SourceUrl

No

A URL that links to a page about the current finding in the finding product.

Type: URL

ThreatIntelIndicators

No

Threat intelligence details that are related to a finding.

Type: Array of up to five threat intelligence indicator objects

Example:

"ThreatIntelIndicators": [ { "Type": "IPV4_ADDRESS", "Value": "8.8.8.8", "Category": "BACKDOOR", "LastObservedAt": "2018-09-27T23:37:31Z", "Source": "Threat Intel Weekly", "SourceUrl": "http://threatintelweekly.org/backdoors/8888" } ]

Title

Yes

A finding's title. This field can contain nonspecific boilerplate text or details that are specific to this instance of the finding.

Type: String (256 characters max)

Types

Yes

One or more finding types in the format of namespace/category/classifier that classify a finding.

Type: Array of 50 strings max

  • namespace must be a value from the predefined set of namespace values.

    Valid values: Software and Configuration Checks | TTPs | Effects | Unusual Behaviors | Sensitive Data Identifications

  • category might be any value, but it is recommended that finding products use categories from the finding type taxonomy in Types taxonomy for ASFF.

  • classifier might be any value, but it is recommended that finding providers use the identifier verbatim defined by published standards whenever possible.

Namespaces are required for all finding types, but categories and classifiers are optional. If you specify a classifier, you must also specify a category.

The '/' character is reserved and must not be used in a category or classifier. Escaping the '/' character is not supported.

Example:

"Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ]

UpdatedAt

Yes

Indicates when the finding provider last updated the finding record.

This timestamp reflects the time when the finding record was last or most recently updated. Consequently, it can differ from the LastObservedAt timestamp, which reflects when the event or vulnerability was last or most recently observed.

When you update the finding record, you must update this timestamp to the current timestamp. Upon creation of a finding record, the CreatedAt and UpdatedAt timestamps must be the same timestamp. After an update to the finding record, the value of this field must be greater than all of the previous values that it contained.

Note that UpdatedAt is not updated by changes from BatchUpdateFindings. It is only updated by BatchImportFindings.

Findings are deleted 90 days after the most recent update or 90 days after the creation date if no update occurs. To store findings for longer than 90 days, you can configure a rule in CloudWatch Events that routes findings to your Amazon S3 bucket.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.
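The timestamp rules above (RFC 3339 without spaces, CreatedAt equal to UpdatedAt on creation, strictly increasing UpdatedAt on every import, deletion 90 days after the last update) as a pre-import check; this is an added example, not AWS code. The `previous` argument stands in for whatever copy of the finding the provider last imported, and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Security Hub deletes a finding 90 days after its most recent update.
RETENTION = timedelta(days=90)


def parse_rfc3339(value):
    """Parse an RFC 3339 section 5.6 date-time into a UTC-aware datetime.

    The format forbids spaces, so the RFC's optional space in place of 'T' is rejected.
    """
    if not isinstance(value, str) or " " in value:
        raise ValueError(f"timestamp must be a string without spaces: {value!r}")
    # Only Python 3.11+ accepts a trailing 'Z' in fromisoformat(); normalise it first.
    normalised = value[:-1] + "+00:00" if value.endswith("Z") else value
    try:
        parsed = datetime.fromisoformat(normalised)
    except ValueError as exc:
        raise ValueError(f"not an RFC 3339 date-time: {value!r}") from exc
    if parsed.tzinfo is None:
        raise ValueError(f"RFC 3339 date-time needs a UTC offset: {value!r}")
    return parsed.astimezone(timezone.utc)


def is_valid_timestamp(value):
    """True when value satisfies the format rules enforced by parse_rfc3339."""
    try:
        parse_rfc3339(value)
        return True
    except ValueError:
        return False


def check_timestamps(previous, finding):
    """Check CreatedAt/UpdatedAt on a record about to go through BatchImportFindings.

    previous: the version of the same finding (same Id) that was imported before,
    or None when the record is being created. Returns a list of violations.
    """
    try:
        created = parse_rfc3339(finding["CreatedAt"])
        updated = parse_rfc3339(finding["UpdatedAt"])
    except (KeyError, ValueError) as exc:
        return [f"CreatedAt/UpdatedAt invalid: {exc}"]
    errors = []
    if previous is None:
        # On creation both timestamps must be identical.
        if created != updated:
            errors.append("CreatedAt and UpdatedAt must be the same on creation")
    else:
        # Each update must carry an UpdatedAt greater than every earlier value.
        if updated <= parse_rfc3339(previous["UpdatedAt"]):
            errors.append("UpdatedAt must be greater than the previously imported value")
    return errors


def expires_at(finding):
    """The instant at which Security Hub deletes the record if it is not updated again."""
    return parse_rfc3339(finding["UpdatedAt"]) + RETENTION


if __name__ == "__main__":
    # Constructed sample: a record created and then re-imported one day later.
    first = {"CreatedAt": "2018-08-31T00:15:09Z", "UpdatedAt": "2018-08-31T00:15:09Z"}
    later = {"CreatedAt": "2018-08-31T00:15:09Z", "UpdatedAt": "2018-09-01T00:00:00Z"}
    print("create:", check_timestamps(None, first) or "ok")
    print("update:", check_timestamps(first, later) or "ok")
    print("re-send unchanged:", check_timestamps(later, later))
    print("expires:", expires_at(later).isoformat())
```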

UserDefinedFields

No

A list of name-value string pairs that are associated with the finding. These are custom, user-defined fields that are added to a finding. These fields can be generated automatically via your specific configuration. Findings products must not use this field for data that the product generates. Instead, findings products can use the ProductFields field for data that doesn't map to any standard AWS Security Finding Format field.

These fields can only be updated using BatchUpdateFindings.

Type: map of up to 50 key-value pairs

Format: The key name can only contain letters, numbers, and the following special characters: -_=+@./:

Example:

"UserDefinedFields": { "reviewedByCio": "true", "comeBackToLater": "Check this again on Monday" }

VerificationState

No

The veracity of a finding. Findings products can provide the value of UNKNOWN for this field. A findings product should provide this value if there is a meaningful analog in the findings product's system. This field is typically populated by a user determination or action after they investigate a finding.

A finding provider can provide an initial value for this attribute, but cannot update it after that. This attribute can only be updated using BatchUpdateFindings. It can only be updated by a master account. It cannot be updated by a member account.

Type: Enum

Valid values:

  • UNKNOWN – The default disposition of a security finding unless a user changes it

  • TRUE_POSITIVE – A user sets this value if the security finding has been confirmed

  • FALSE_POSITIVE – A user sets this value if the security finding has been determined to be a false alarm

  • BENIGN_POSITIVE – A user sets this value as a special case of TRUE_POSITIVE where the finding doesn't pose any threat, is expected, or both

Vulnerabilities

No

A list of vulnerabilities that apply to the finding.

Type: Array of objects

Workflow

No

Provides information about the status of the investigation into a finding.

The workflow status is not intended for finding providers. The workflow status can only be updated using BatchUpdateFindings. Customers can also update it from the console. See Setting the workflow status for findings.

Type: Object

Example:

"Workflow": { "Status": "NEW" }

WorkflowState (deprecated)

No

This field is being deprecated in favor of the Status field of the Workflow object.

The workflow state of a finding. Findings products can provide the value of NEW for this field. A findings product can provide a value for this field if there is a meaningful analog in the findings product's system.

Type: Enum

Valid values:

  • NEW – This can be associated with findings in the Active record state. This is the default workflow state for any new finding.

  • ASSIGNED – This can be associated with findings in the Active record state. The finding has been acknowledged and given to someone to review or address.

  • IN_PROGRESS – This can be associated with findings in the Active record state. Team members are actively working on the finding.

  • RESOLVED – This can be associated with findings in the Archived record state. This differs from DEFERRED findings in that if the finding were to occur again (be updated by the native service) or any new finding matching this, the finding appears to customers as an active, new finding.

  • DEFERRED – This can be associated with findings in the Archived record state, and it means that any additional findings that match this finding aren't shown for a set amount of time or indefinitely.

    Either the customer doesn't consider the finding to be applicable, or it's a known issue that they don't want to include in the active dataset.

  • DUPLICATE – This can be associated with findings in the Archived record state. It means that the finding is a duplicate of another finding.

Example:

"WorkflowState": "NEW"

Compliance

Contains finding details related to a control. Only returned for findings that are generated as the result of a check that is run on a control.

Example

"Compliance": { "RelatedRequirements": ["Req1", "Req2"], "Status": "FAILED", "StatusReasons": [ { "ReasonCode": "CLOUDWATCH_ALARMS_NOT_PRESENT", "Description": "CloudWatch alarms do not exist in the account" } ] }

The Compliance object can have the following attributes.

Attribute

Required

Description

RelatedRequirements

No

For a Security Hub control, the industry or regulatory framework requirements that are related to the control. The check for that control is aligned with those requirements.

You can provide up to 32 related requirements.

To identify a requirement, use its identifier.

Type: Array of strings

Status

No

The result of a security check.

Type: Enum

Valid values:

  • PASSED – Security check passed for all evaluated resources. If Compliance.Status is PASSED, then Security Hub automatically sets Workflow.Status to RESOLVED.

  • WARNING – Some information is missing, or this check is not supported given your configuration.

  • FAILED – Security check failed for at least one evaluated resource.

  • NOT_AVAILABLE – Check could not be performed due to a service outage or API error. The NOT_AVAILABLE status can also indicate that the result of the AWS Config evaluation was NOT_APPLICABLE. In that case, after 3 days, Security Hub automatically archives the finding.

Example:

"Status": "PASSED"

StatusReasons

No

For findings generated from controls, a list of reasons behind the value of Compliance.Status.

For the list of status codes and their meanings, see Control-related information in the ASFF.

Type: String

Example:

"StatusReasons": [ { "Description": "CloudWatch alarms do not exist in the account", "ReasonCode": "CW_ALARMS_NOT_PRESENT" } ]

StatusReasons

For findings generated from controls, a list of reasons for the value of Compliance.Status.

"StatusReasons": [ { "Description": "CloudWatch alarms do not exist in the account", "ReasonCode": "CW_ALARMS_NOT_PRESENT" } ]

Each reason in the StatusReasons object can have the following attributes.

Attribute

Required

Description

Description

No

The corresponding description for the reason.

Type: String

ReasonCode

Yes

A code that represents a reason for the current control status.

Type: String

For the list of available status codes and their meanings, see Results of security checks.

Malware

The Malware object provides a list of malware related to a finding. It is an array that can contain up to five malware objects.

Example

"Malware": [ { "Name": "Stringler", "Type": "COIN_MINER", "Path": "/usr/sbin/stringler", "State": "OBSERVED" } ]

Each malware object can have the following attributes.

Attribute

Required

Description

Name

Yes

The name of the malware that was observed.

Type: String (64 characters max)

Example:

"Name": "Stringler"

Path

No

The filesystem path of the malware that was observed.

Type: String (512 characters max)

Example:

"Path": "/usr/sbin/stringler"

State

No

The state of the malware that was observed.

Type: Enum

Valid values: OBSERVED | REMOVAL_FAILED | REMOVED

Example:

"State": "OBSERVED"

Type

No

The type of the malware that was observed.

Type: Enum

Valid values: ADWARE | BLENDED_THREAT | BOTNET_AGENT | COIN_MINER | EXPLOIT_KIT | KEYLOGGER | MACRO | POTENTIALLY_UNWANTED | SPYWARE | RANSOMWARE | REMOTE_ACCESS | ROOTKIT | TROJAN | VIRUS | WORM

Example:

"Type": "COIN_MINER"

Network

The details of network-related information about a finding.

Type: Object

Example

"Network": { "Direction": "IN", "OpenPortRange": { "Begin": 443, "End": 443 }, "Protocol": "TCP", "SourceIpV4": "1.2.3.4", "SourceIpV6": "FE80:CD00:0000:0CDE:1257:0000:211E:729C", "SourcePort": "42", "SourceDomain": "example1.com", "SourceMac": "00:0d:83:b1:c0:8e", "DestinationIpV4": "2.3.4.5", "DestinationIpV6": "FE80:CD00:0000:0CDE:1257:0000:211E:729C", "DestinationPort": "80", "DestinationDomain": "example2.com" }

The Network object can have the following attributes.

Attribute

Required

Description

DestinationDomain

No

The destination domain of network-related information about a finding.

Type: String (128 characters max)

Example:

"DestinationDomain": "there.com"

DestinationIpV4

No

The destination IPv4 address of network-related information about a finding.

Type: IPv4

Example:

"DestinationIpV4": "2.3.4.5"

DestinationIpV6

No

The destination IPv6 address of network-related information about a finding.

Type: IPv6

Example:

"DestinationIpV6": "FE80:CD00:0000:0CDE:1257:0000:211E:729C"

DestinationPort

No

The destination port of network-related information about a finding.

Type: Number (range of 0–65535)

Example:

"DestinationPort": "80"

Direction

No

The direction of network traffic that is associated with a finding.

Type: Enum

Valid values: IN | OUT

Example:

"Direction": "IN"

OpenPortRange

The range of open ports that is present in the network.

Type: Object

Protocol

No

The protocol of network-related information about a finding.

Type: String (16 characters max)

The name should be the IANA registered name for the associated port except in the case where the finding product can determine a more accurate protocol.

Example:

"Protocol": "TCP"

SourceDomain

No

The source domain of network-related information about a finding.

Type: String (128 characters max)

Example:

"SourceDomain": "here.com"

SourceIpV4

No

The source IPv4 address of network-related information about a finding.

Type: IPv4

Example:

"SourceIpV4": "1.2.3.4"

SourceIpV6

No

The source IPv6 address of network-related information about a finding.

Type: IPv6

Example:

"SourceIpV6": "FE80:CD00:0000:0CDE:1257:0000:211E:729C"

SourceMac

No

The source media access control (MAC) address of network-related information about a finding.

Type: String (must match MM:MM:MM:SS:SS:SS)

Example:

"SourceMac": "00:0d:83:b1:c0:8e"

SourcePort

No

The source port of network-related information about a finding.

Type: Number (range of 0–65535)

Example:

"SourcePort": "80"

OpenPortRange

Provides the beginning and end ports of the open port range.

OpenPortRange can have the following attributes.

Attribute

Required

Description

Begin

No

The first port in the port range.

Type: Integer

End

No

The last port in the port range.

Type: Integer

NetworkPath

The NetworkPath object provides information about a network path that is relevant to a finding. Each entry under NetworkPath represents a component of that path.

Example

"NetworkPath" : [ { "ComponentId": "abc-01a234bc56d8901ee", "ComponentType": "AWS::EC2::InternetGateway", "Egress": { "Destination": { "Address": [ "192.0.2.0/24" ], "PortRanges": [ { "Begin": 443, "End": 443 } ] }, "Protocol": "TCP", "Source": { Address": ["203.0.113.0/24"] } }, "Ingress": { "Destination": { "Address": [ "198.51.100.0/24" ], "PortRanges": [ { "Begin": 443, "End": 443 } ] }, "Protocol": "TCP", "Source": { "Address": [ "203.0.113.0/24" ] } } } ]

Each component of the network path can have the following attributes.

Attribute

Required

Description

ComponentId

Yes

The identifier of a component in the network path.

Type: String

ComponentType

Yes

The type of component.

Type: String

Egress

No

Information about the component that comes after the current component in the network path.

Type: Object

Ingress

No

Information about the component that comes before the current component in the network path.

Type: Object

Egress

The Egress object contains information about the component that comes after the current component in the network path. It can have the following attributes.

Attribute

Required

Description

Destination

No

Information about the destination of the component.

Type: Object

Protocol

No

The protocol used for the component.

Type: String

Source

No

Information about the origin of the component.

Type: Object

Ingress

The Ingress object contains information about the previous component in the network path. It can have the following attributes.

Attribute

Required

Description

Destination

No

Information about the destination for the previous component.

Type: Object

Protocol

No

The protocol used by the previous component.

Type: String

Source

No

Information about the origin of the previous component.

Type: Object

Destination

The Destination object in Egress or Ingress contains the destination information for the previous or next component. It can have the following attributes.

Attribute

Required

Description

Address

No

IP addresses of the previous or next component.

Type: Array of strings

PortRanges

No

List of open port ranges for the destination of the previous or next component.

Type: Array of objects

PortRanges.Begin

No

For an open port range, the beginning of the range.

Type: Integer

PortRanges.End

No

For an open port range, the end of the range.

Type: Number

Source

The Source object under Egress or Ingress contains information about the origin of the previous or next component. It can have the following attributes.

Attribute

Required

Description

Address

No

IP addresses for the origin of the previous or next component.

Type: Array of strings

PortRanges

No

List of open port ranges for the origin of the previous or next component.

Type: Array of objects

PortRanges.Begin

No

For an open port range, the beginning of the range.

Type: Integer

PortRanges.End

No

For an open port range, the end of the range.

Type: Number

Note

The Note object adds a user-defined note to the finding.

A finding provider can provide an initial note for a finding, but cannot add notes after that. A note can only be updated using BatchUpdateFindings.

Example

"Note": { "Text": "Don't forget to check under the mat.", "UpdatedBy": "jsmith", "UpdatedAt": "2018-08-31T00:15:09Z" }

The Note object can have the following attributes.

Attribute

Required

Description

Text

Yes

The text of a finding note.

Type: String (512 characters max)

Example:

"Text": "Example text."

UpdatedAt

Yes

Indicates when the note was updated.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Example:

"UpdatedAt": "2018-08-31T00:15:09Z"

UpdatedBy

Yes

The principal that created a note.

Type: String (512 characters max) or ARN

Example:

"UpdatedBy": "jsmith"

PatchSummary

The PatchSummary object provides an overview of the patch compliance status for an instance against a selected compliance standard.

Example

"PatchSummary" : { "Id" : "pb-123456789098" "InstalledCount" : "100", "MissingCount" : "100", "FailedCount" : "0", "InstalledOtherCount" : "1023", "InstalledRejectedCount" : "0", "InstalledPendingReboot" : "0", "OperationStartTime" : "2018-09-27T23:37:31Z", "OperationEndTime" : "2018-09-27T23:39:31Z", "RebootOption" : "RebootIfNeeded", "Operation" : "Install" }

The PatchSummary object can have the following attributes.

Attribute

Required

Description

FailedCount

No

The number of patches from the compliance standard with installation failures.

Type: Number

Minimum value: 0

Maximum value: 100,000

Id

Yes

The identifier of the compliance standard that was used to determine the patch compliance status.

Type: String

Minimum length: 20

Maximum length: 128

InstalledCount

No

The number of patches from the compliance standard that were installed successfully.

Type: Number

Minimum value: 0

Maximum value: 100,000

InstalledOtherCount

No

The number of installed patches that are not part of the compliance standard.

Type: Number

Minimum value: 0

Maximum value: 100,000

InstalledPendingReboot

No

The number of patches that were applied but that require the instance to be rebooted in order to be marked as installed.

Type: Number

Minimum value: 0

Maximum value: 100,000

InstalledRejectedCount

No

The number of patches that are installed but are also on a list of patches that the customer rejected.

Type: Number

Minimum value: 0

Maximum value: 100,000

MissingCount

No

The number of patches that are part of the compliance standard but are not installed. The count includes patches with installation failures.

Type: Number

Minimum value: 0

Maximum value: 100,000

Operation

No

The type of patch operation that was performed.

For Patch Manager, the values are SCAN and INSTALL.

Type: String

Maximum length: 256

OperationEndTime

No

Indicates when the operation was completed.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Example:

"OperationEndTime": "2020-06-22T17:40:12.322Z"

OperationStartTime

No

Indicates when the operation started.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Example:

"OperationStartTime": "2020-06-22T17:40:12.322Z"

RebootOption

No

The reboot option specified for the instance.

Type: String

Maximum length: 256

Valid values: NoReboot | RebootIfNeeded.

Process

The Process object provides process-related details about the finding.

Example

"Process": { "Name": "syslogd", "Path": "/usr/sbin/syslogd", "Pid": 12345, "ParentPid": 56789, "LaunchedAt": "2018-09-27T22:37:31Z", "TerminatedAt": "2018-09-27T23:37:31Z" }

The Process object can have the following attributes.

Attribute

Required

Description

LaunchedAt

No

Indicates when the process was launched.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Example:

"LaunchedAt": "2018-09-27T22:37:31Z"

Name

No

The name of the process.

Type: String (64 characters max)

Example:

"Name": "syslogd"

ParentPid

No

The parent process ID.

Type: Number

Example:

"ParentPid": 56789

Path

No

The path to the process executable.

Type: String (512 characters max)

Example:

"Path": "/usr/sbin/syslogd"

Pid

No

The process ID.

Type: Number

Example:

"Pid": 12345

TerminatedAt

No

Indicates when the process was terminated.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Example:

"TerminatedAt": "2018-09-27T23:37:31Z"

RelatedFindings

The RelatedFindings object provides a list of findings that are related to the current finding.

A finding provider can provide an initial list of related findings, but cannot update it after that. RelatedFindings can only be updated using BatchUpdateFindings.

Example

"RelatedFindings": [ { "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty", "Id": "123e4567-e89b-12d3-a456-426655440000" }, { "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty", "Id": "AcmeNerfHerder-111111111111-x189dx7824" } ]

Each related finding object can have the following attributes.

Attribute

Required

Description

Id

Yes

The product-generated identifier for a related finding.

Type: String (512 characters max) or ARN

Example:

"Id": "123e4567-e89b-12d3-a456-426655440000"

ProductArn

Yes

The ARN of the product that generated a related finding.

Type: ARN

Example:

"ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty"

Remediation

The Remediation object provides information about recommended remediation steps to address the finding.

Example

"Remediation": { "Recommendation": { "Text": "Run sudo yum update and cross your fingers and toes.", "Url": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html" } }

The Remediation object can have the following attributes.

Attribute

Required

Description

Recommendation

No

A recommendation on how to remediate the issue identified within a finding.

The Recommendation field is meant to facilitate manual instructions or details to resolve a finding.

If the recommendation object is present, then either the Text or Url field must be present and populated. Both fields can be present and populated.

Type: Object

Example:

"Recommendation": { "Text": "Example text.", "Url": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html" }

Recommendation

The Recommendation object can have the following attributes.

Attribute

Required

Description

Text

No

A free-form string that is the recommendation of what to do about the finding when presented to a user. This field can contain nonspecific boilerplate text or details that are specific to this instance of the finding.

Type: String (512 characters max)

Example:

"Text": "Example text."

Url

No

A URL to link to general remediation information for the finding type of a finding.

This URL must not require credentials to access. It must be accessible from the public internet and must not expect any context or session.

Type: URL

Example:

"Url": "http://myfp.com/recommendations/example_domain.html"

Resources

The Resources object provides information about the resources involved in a finding.

Type: Array of up to 32 resource objects

Example

"Resources": [ { "Type": "AwsEc2Instance", "Id": "i-cafebabe", "Partition": "aws", "Region": "us-west-2", "Tags": { "billingCode": "Lotus-1-2-3", "needsPatching": "true" }, "Details": { "AwsEc2Instance": { "Type": "i3.xlarge", "ImageId": "ami-abcd1234", "IpV4Addresses": [ "54.194.252.215", "192.168.1.88" ], "IpV6Addresses": [ "2001:db8:1234:1a2b::123" ], "KeyName": "my_keypair", "IamInstanceProfileArn": "arn:aws:iam::111111111111:instance-profile/AdminRole", "VpcId": "vpc-11112222", "SubnetId": "subnet-56f5f633", "LaunchedAt": "2018-05-08T16:46:19.000Z" } } } ]

Each resource object can have the following attributes.

Attribute

Required

Description

Details

No

This field provides additional details about a single resource using the appropriate subfields.

Each resource must be provided in a separate resource object in the Resources field.

Security Hub provides a set of available subfields for its supported resource types. These subfields correspond to values of the resource Type. Use the provided types and subfields whenever possible.

For example, if the resource is an S3 bucket, then set the resource Type to AwsS3Bucket, and provide the resource details in the AwsS3Bucket subfield.

The Other subfield allows you to provide custom fields and values. You use the Other subfield in the following cases.

  • The resource type (the value of the resource Type) does not have a corresponding subfield. To provide details for the resource, you use the Other details subfield.

  • The subfield for the resource type does not include all of the fields you want to populate. In this case, use the subfield for the resource type to populate the available fields. Use the Other subfield to populate the fields that are not in the type-specific subfield.

  • The resource type is not one of the provided types. In this case, set the resource Type to Other, and use the Other details subfield to populate the details.

Type: Object

Example:

"Details": { "AwsEc2Instance": { "Type": "i3.xlarge", "ImageId": "ami-abcd1234", "IpV4Addresses": [ "54.194.252.215", "192.168.1.88" ], "IpV6Addresses": [ "2001:db8:1234:1a2b::123" ], "KeyName": "my_keypair", "IamInstanceProfileArn": "arn:aws:iam::111111111111:instance-profile/AdminRole", "VpcId": "vpc-11112222", "SubnetId": "subnet-56f5f633", "LaunchedAt": "2018-05-08T16:46:19.000Z" }, "AwsS3Bucket": { "OwnerId": "da4d66eac431652a4d44d490a00500bded52c97d235b7b4752f9f688566fe6de", "OwnerName": "acmes3bucketowner" }, "Other": [ { "Key": "LightPen", "Value": "blinky" }, { "Key": "SerialNo", "Value": "1234abcd" } ] }

Id

Yes

The canonical identifier for the given resource type.

For AWS resources that are identified by ARNs, this must be the ARN.

For all other AWS resource types that lack ARNs, this must be the identifier as defined by the AWS service that created the resource.

For non AWS resources, this should be a unique identifier that is associated with the resource.

Type: String (512 characters max) or ARN

Example:

"Id": "arn:aws:s3:::example-bucket"

Partition

No

The canonical AWS partition name that the Region is assigned to.

Type: Enum

Valid values:

  • aws – Commercial

  • aws-cn – China

  • aws-us-gov – AWS GovCloud (US)

Example:

"Partition": "aws"

Region

No

The canonical AWS external Region name where this resource is located.

Type: String (16 characters max)

Example:

"Region": "us-west-2"

Tags

No

A list of AWS tags that are associated with a resource at the time the finding was processed. Include the Tags attribute only for resources that have an associated tag. If a resource has no associated tag, don't include a Tags attribute in the finding.

Type: Map of up to 50 tags (values are limited to 256 characters max)

The following basic restrictions apply to tags:

  • You can provide only tags that actually exist on an AWS resource in this field. To provide data for a resource type that isn't defined in the AWS Security Finding Format, use the Other details subfield.

  • Values are limited to alphanumeric characters, white space, +, -, =, ., _, :, /, and @.

  • Values are limited to the AWS tag value length of 256 characters max.

Example:

"Tags": { "billingCode": "Lotus-1-2-3", "needsPatching": "true" }

Type

Yes

The type of the resource that you are providing details for.

Whenever possible, use one of the provided resource types, such as AwsEc2Instance or AwsS3Bucket.

If the resource type does not match any of the provided resource types, then set the resource Type to Other, and use the Other details subfield to populate the details.

Type: String (256 characters max)

Supported values are as follows. If a type has a corresponding subfield, then to view the details for the subfield, choose the type name.

Example:

"Type": "AwsS3Bucket"

AwsAutoScalingAutoScalingGroup

The AwsAutoScalingAutoScalingGroup object provides details about an automatic scaling group.

Example

"AwsAutoScalingAutoScalingGroup": { "CreatedTime": "2017-10-17T14:47:11Z", "HealthCheckGracePeriod": 300, "HealthCheckType": "EC2", "LaunchConfigurationName": "mylaunchconf", "LoadBalancerNames": [] }

The AwsAutoScalingAutoScalingGroup object can have the following attributes.

Attribute

Required

Description

CreatedTime

No

Indicates when the automatic scaling group was created.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

HealthCheckGracePeriod

No

The amount of time, in seconds, that Amazon EC2 Auto Scaling waits before it checks the health status of an EC2 instance that has come into service.

Type: Integer

HealthCheckType

No

The service to use for the health checks.

Type: String (32 characters max)

Valid values: EC2 | ELB

LaunchConfigurationName

No

The name of the launch configuration.

Type: String (32 characters max)

LoadBalancerNames

No

The list of load balancers that are associated with the group.

Type: Array of strings

Each load balancer name is limited to 255 characters.

AwsCloudFrontDistribution

The AwsCloudFrontDistribution object provides details about a distribution configuration.

It can have the following attributes.

Attribute

Required

Description

DomainName

No

The domain name corresponding to the distribution.

Type: String

Etag

No

The entity tag is a hash of the object.

Type: String

LastModifiedTime

No

Indicates when the distribution was last modified.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Logging

No

A complex type that controls whether access logs are written for the distribution.

Type: Object

Origins

No

A complex type that contains information about origins and origin groups for this distribution.

Type: String

Status

No

Indicates the current status of the distribution.

Type: String

WebAclId

No

A unique identifier that specifies the AWS WAF web ACL, if any, to associate with this distribution.

Type: String

Logging

The Logging object provides information about the logging for the distribution.

It can have the following attributes.

Attribute

Required

Description

Bucket

No

The S3 bucket to store the access logs in.

Type: String

Enabled

No

With this field, you can enable or disable the selected distribution.

Type: Boolean

IncludeCookies

No

Specifies whether you want CloudFront to include cookies in access logs.

Type: Boolean

Prefix

No

An optional string that you want CloudFront to prefix to the access log file names for this distribution.

Type: String

Origins

The Origins object contains information about origins and origin groups for this distribution.

It can contain the following attributes.

Attribute

Required

Description

Items

No

A complex type that contains origins or origin groups for this distribution.

Type: Array of objects

Each item can have the following attributes.

Attribute

Required

Description

DomainName

No

Amazon S3 origins: The DNS name of the S3 bucket from which you want CloudFront to get objects for this origin.

Type: String

Id

No

A unique identifier for the origin or origin group.

Type: String

OriginPath

No

An optional element that causes CloudFront to request your content from a directory in your S3 bucket or your custom origin.

Type: String

AwsCodeBuildProject

The AwsCodeBuildProject object provides information about an AWS CodeBuild project.

Example

"AwsCodeBuildProject": {
  "EncryptionKey": "my-symm-key",
  "Environment": {
    "Type": "LINUX_CONTAINER",
    "Certificate": "myX509",
    "ImagePullCredentialsType": "CODEBUILD",
    "RegistryCredential": {
      "Credential": "my_dockerhub_secret",
      "CredentialProvider": "SECRETS_MANAGER"
    }
  },
  "Name": "my-cd-project",
  "Source": {
    "Type": "CODECOMMIT",
    "Location": "https://git-codecommit.us-east-2.amazonaws.com/v1/repos/MyDemoRepo",
    "GitCloneDepth": 1
  },
  "ServiceRole": "arn:aws:iam:myrole",
  "VpcConfig": {
    "VpcId": "vpc-1234456",
    "Subnets": ["sub-12344566"],
    "SecurityGroupIds": ["sg-123456789012"]
  }
}

The AwsCodeBuildProject object can have the following attributes.

Attribute

Required

Description

EncryptionKey

No

The AWS KMS customer master key (CMK) to be used for encrypting the build output artifacts.

Note

You can use a cross-account KMS key to encrypt the build output artifacts if your service role has permission to that key.

You can specify either the ARN of the CMK or, if available, the CMK alias (using the format alias/alias-name).

Type: String

Length constraints: Minimum length of 1

Environment

No

Information about the build environment for this build project.

Type: Object

Name

No

The name of the build project.

Type: String

Length constraints: Minimum length of 2. Maximum length of 255.

Pattern: [A-Za-z0-9][A-Za-z0-9\-_]{1,254}

ServiceRole

No

The ARN of the IAM role that enables CodeBuild to interact with dependent AWS services on behalf of the AWS account.

Type: String

Length constraints: Minimum length of 1

Source

No

Information about the build input source code for this build project.

Type: Object

VpcConfig

No

Information about the VPC configuration that CodeBuild accesses.

Type: Object

Environment

The Environment object provides information about the build environment for the build project.

It can have the following attributes.

Attribute

Required

Description

Certificate

No

The certificate to use with this build project.

Type: String

ImagePullCredentialsType

No

The type of credentials CodeBuild uses to pull images in your build. There are two valid values:

CODEBUILD specifies that CodeBuild uses its own credentials. This requires that you modify your ECR repository policy to trust the CodeBuild service principal.

SERVICE_ROLE specifies that CodeBuild uses your build project's service role.

When you use a cross-account or private registry image, you must use SERVICE_ROLE credentials. When you use a CodeBuild curated image, you must use CODEBUILD credentials.

Type: String

Valid values: CODEBUILD | SERVICE_ROLE

RegistryCredential

No

The credentials for access to a private registry.

Type: Object

Type

Yes

The type of build environment to use for related builds.

Type: String

Valid values: WINDOWS_CONTAINER | LINUX_CONTAINER | LINUX_GPU_CONTAINER | ARM_CONTAINER

Each registry credential in the RegistryCredentials object has the following attributes.

Attribute

Required

Description

Credential

Yes

The ARN or name of credentials created using AWS Secrets Manager.

Note

The credential can use the name of the credentials only if they exist in your current AWS Region.

Type: String

Length constraints: Minimum length of 1

CredentialProvider

Yes

The service that created the credentials to access a private Docker registry. The valid value, SECRETS_MANAGER, is for Secrets Manager.

Type: String

Valid values: SECRETS_MANAGER

Source

The Source object provides information about the build input source code for this build project.

It can have the following attributes.

Attribute

Required

Description

GitCloneDepth

No

Information about the Git clone depth for the build project.

Type: Integer

Valid range: Minimum value of 0

Location

No

Information about the location of the source code to be built.

Type: String

Valid values:

  • For source code settings that are specified in the source action of a pipeline in AWS CodePipeline, location should not be specified. If it is specified, CodePipeline ignores it. This is because CodePipeline uses the settings in a pipeline's source action instead of this value.

  • For source code in an AWS CodeCommit repository, the HTTPS clone URL to the repository that contains the source code and the buildspec file (for example, https://git-codecommit.region-ID.amazonaws.com/v1/repos/repo-name ).

  • For source code in an S3 input bucket, one of the following.

    • The path to the ZIP file that contains the source code (for example, bucket-name/path/to/object-name.zip).

    • The path to the folder that contains the source code (for example, bucket-name/path/to/source-code/folder/).

  • For source code in a GitHub repository, the HTTPS clone URL to the repository that contains the source and the buildspec file.

  • For source code in a Bitbucket repository, the HTTPS clone URL to the repository that contains the source and the buildspec file.

Type

Yes

The type of repository that contains the source code to be built.

Type: String

Valid values:

  • BITBUCKET ‐ The source code is in a Bitbucket repository.

  • CODECOMMIT ‐ The source code is in a CodeCommit repository.

  • CODEPIPELINE ‐ The source code settings are specified in the source action of a pipeline in CodePipeline.

  • GITHUB ‐ The source code is in a GitHub repository.

  • GITHUB_ENTERPRISE ‐ The source code is in a GitHub Enterprise repository.

  • NO_SOURCE ‐ The project does not have input source code.

  • S3 ‐ The source code is in an Amazon S3 input bucket.

VpcConfig

The VpcConfig object provides information about the VPC configuration that CodeBuild accesses.

It can have the following attributes.

Attribute

Required

Description

SecurityGroupIds

No

A list of one or more security group IDs in your Amazon VPC.

Type: Array of strings

Array members: Maximum number of 5 items

Length constraints: Minimum length of 1

Subnets

No

A list of one or more subnet IDs in your Amazon VPC.

Type: Array of strings

Array members: Maximum number of 16 items

Length constraints: Minimum length of 1

VpcId

No

The ID of the VPC.

Type: String

Length constraints: Minimum length of 1
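The AwsCodeBuildProject, Environment, RegistryCredential, Source and VpcConfig tables above state several constraints that are easy to get wrong when a finding is produced or consumed: the Name pattern, the two accepted forms of EncryptionKey, the rule that a private registry (RegistryCredential) requires SERVICE_ROLE image pull credentials, the Location value being ignored for CODEPIPELINE sources, and the 5-security-group / 16-subnet limits. The checker below is an added example, not code from Security Hub or CodeBuild; it enforces exactly those documented rules. The KMS ARN regular expression and the sample project values are assumptions constructed for the example, modelled on the documentation's own example (note that the documentation's example combines RegistryCredential with CODEBUILD credentials, which this check reports).

```python
import re

# Added example, not code from the AWS documentation. Checks an ASFF
# AwsCodeBuildProject resource detail against the constraints listed on this page.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9\-_]{1,254}$")
# Assumed shape of a KMS key/alias ARN; the page only says "the ARN of the CMK".
KMS_ARN_RE = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:(key|alias)/\S+$")
ENV_TYPES = {"WINDOWS_CONTAINER", "LINUX_CONTAINER", "LINUX_GPU_CONTAINER", "ARM_CONTAINER"}
PULL_TYPES = {"CODEBUILD", "SERVICE_ROLE"}
SOURCE_TYPES = {"BITBUCKET", "CODECOMMIT", "CODEPIPELINE", "GITHUB",
                "GITHUB_ENTERPRISE", "NO_SOURCE", "S3"}


def check_codebuild_project(project):
    """Return a list of problem strings for an AwsCodeBuildProject object; [] means clean."""
    problems = []

    name = project.get("Name")
    if name is not None and not NAME_RE.match(name):
        problems.append(f"Name {name!r} does not match [A-Za-z0-9][A-Za-z0-9\\-_]{{1,254}}")

    # EncryptionKey is either a KMS key ARN or an alias in the form alias/alias-name.
    key = project.get("EncryptionKey")
    if key is not None and not (KMS_ARN_RE.match(key) or key.startswith("alias/")):
        problems.append(f"EncryptionKey {key!r} is neither a KMS key ARN nor alias/alias-name")

    env = project.get("Environment", {})
    env_type = env.get("Type")
    if env_type is None:
        problems.append("Environment.Type is required")
    elif env_type not in ENV_TYPES:
        problems.append(f"Environment.Type {env_type!r} is not a valid value")

    pull = env.get("ImagePullCredentialsType")
    if pull is not None and pull not in PULL_TYPES:
        problems.append(f"ImagePullCredentialsType {pull!r} is not a valid value")

    cred = env.get("RegistryCredential")
    if cred is not None:
        # A private registry image requires the project's service role credentials.
        if pull != "SERVICE_ROLE":
            problems.append("RegistryCredential is set, so ImagePullCredentialsType must be SERVICE_ROLE")
        for field in ("Credential", "CredentialProvider"):
            if not cred.get(field):
                problems.append(f"RegistryCredential.{field} is required")
        if cred.get("CredentialProvider", "SECRETS_MANAGER") != "SECRETS_MANAGER":
            problems.append("RegistryCredential.CredentialProvider must be SECRETS_MANAGER")

    src = project.get("Source", {})
    src_type = src.get("Type")
    if src_type is None:
        problems.append("Source.Type is required")
    elif src_type not in SOURCE_TYPES:
        problems.append(f"Source.Type {src_type!r} is not a valid value")
    elif src_type == "CODEPIPELINE" and "Location" in src:
        problems.append("Source.Location is ignored when Source.Type is CODEPIPELINE")
    if src.get("GitCloneDepth", 0) < 0:
        problems.append("Source.GitCloneDepth must be 0 or greater")

    vpc = project.get("VpcConfig", {})
    if len(vpc.get("SecurityGroupIds", [])) > 5:
        problems.append("VpcConfig.SecurityGroupIds has more than 5 items")
    if len(vpc.get("Subnets", [])) > 16:
        problems.append("VpcConfig.Subnets has more than 16 items")

    return problems


# Constructed sample (not the documentation's data), modelled on the example above.
SAMPLE_PROJECT = {
    "EncryptionKey": "alias/build-artifacts",
    "Environment": {
        "Type": "LINUX_CONTAINER",
        "ImagePullCredentialsType": "CODEBUILD",
        "RegistryCredential": {
            "Credential": "my_dockerhub_secret",
            "CredentialProvider": "SECRETS_MANAGER",
        },
    },
    "Name": "my-cd-project",
    "Source": {
        "Type": "CODECOMMIT",
        "Location": "https://git-codecommit.us-east-2.amazonaws.com/v1/repos/MyDemoRepo",
        "GitCloneDepth": 1,
    },
    "ServiceRole": "arn:aws:iam::111122223333:role/codebuild-role",
    "VpcConfig": {
        "VpcId": "vpc-1234456",
        "Subnets": ["sub-12344566"],
        "SecurityGroupIds": ["sg-123456789012"],
    },
}

if __name__ == "__main__":
    for problem in check_codebuild_project(SAMPLE_PROJECT):
        print("-", problem)
```

Run against the constructed sample, the only report is the RegistryCredential/ImagePullCredentialsType mismatch; switching the pull credentials to SERVICE_ROLE makes the project pass cleanly.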

AwsDynamoDbTable

The AwsDynamoDbTable object provides details about a DynamoDB table.

Example

"AwsDynamoDbTable": {
  "AttributeDefinitions": [
    { "AttributeName": "attribute1", "AttributeType": "value 1" },
    { "AttributeName": "attribute2", "AttributeType": "value 2" },
    { "AttributeName": "attribute3", "AttributeType": "value 3" }
  ],
  "BillingModeSummary": {
    "BillingMode": "PAY_PER_REQUEST",
    "LastUpdateToPayPerRequestDateTime": "2019-12-03T15:23:10.323Z"
  },
  "CreationDateTime": "2019-12-03T15:23:10.248Z",
  "GlobalSecondaryIndexes": [
    {
      "Backfilling": false,
      "IndexArn": "arn:aws:dynamodb:us-west-2:111122223333:table/exampleTable/index/exampleIndex",
      "IndexName": "standardsControlArnIndex",
      "IndexSizeBytes": 1862513,
      "IndexStatus": "ACTIVE",
      "ItemCount": 20,
      "KeySchema": [
        { "AttributeName": "City", "KeyType": "HASH" },
        { "AttributeName": "Date", "KeyType": "RANGE" }
      ],
      "Projection": { "NonKeyAttributes": ["predictorName"], "ProjectionType": "ALL" },
      "ProvisionedThroughput": {
        "LastIncreaseDateTime": "2019-03-14T13:21:00.399Z",
        "LastDecreaseDateTime": "2019-03-14T12:47:35.193Z",
        "NumberOfDecreasesToday": 0,
        "ReadCapacityUnits": 100,
        "WriteCapacityUnits": 50
      }
    }
  ],
  "GlobalTableVersion": "V1",
  "ItemCount": 2705,
  "KeySchema": [ { "AttributeName": "zipcode", "KeyType": "HASH" } ],
  "LatestStreamArn": "arn:aws:dynamodb:us-west-2:111122223333:table/exampleTable/stream/2019-12-03T23:23:10.248",
  "LatestStreamLabel": "2019-12-03T23:23:10.248",
  "LocalSecondaryIndexes": [
    {
      "IndexArn": "arn:aws:dynamodb:us-east-1:111122223333:table/exampleGroup/index/exampleId",
      "IndexName": "CITY_DATE_INDEX_NAME",
      "KeySchema": [ { "AttributeName": "zipcode", "KeyType": "HASH" } ],
      "Projection": { "NonKeyAttributes": ["predictorName"], "ProjectionType": "ALL" }
    }
  ],
  "ProvisionedThroughput": {
    "LastIncreaseDateTime": "2019-03-14T13:21:00.399Z",
    "LastDecreaseDateTime": "2019-03-14T12:47:35.193Z",
    "NumberOfDecreasesToday": 0,
    "ReadCapacityUnits": 100,
    "WriteCapacityUnits": 50
  },
  "Replicas": [
    {
      "GlobalSecondaryIndexes": [
        {
          "IndexName": "CITY_DATE_INDEX_NAME",
          "ProvisionedThroughputOverride": { "ReadCapacityUnits": 10 }
        }
      ],
      "KmsMasterKeyId": "KmsMasterKeyId",
      "ProvisionedThroughputOverride": { "ReadCapacityUnits": 10 },
      "RegionName": "regionName",
      "ReplicaStatus": "CREATING",
      "ReplicaStatusDescription": "replicaStatusDescription"
    }
  ],
  "RestoreSummary": {
    "SourceBackupArn": "arn:aws:dynamodb:us-west-2:111122223333:table/exampleTable/backup/backup1",
    "SourceTableArn": "arn:aws:dynamodb:us-west-2:111122223333:table/exampleTable",
    "RestoreDateTime": "2020-06-22T17:40:12.322Z",
    "RestoreInProgress": true
  },
  "SseDescription": {
    "InaccessibleEncryptionDateTime": "2018-01-26T23:50:05.000Z",
    "Status": "ENABLED",
    "SseType": "KMS",
    "KmsMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/key1"
  },
  "StreamSpecification": { "StreamEnabled": true, "StreamViewType": "NEW_IMAGE" },
  "TableId": "example-table-id-1",
  "TableName": "example-table",
  "TableSizeBytes": 1862513,
  "TableStatus": "ACTIVE"
}

It can have the following attributes.

Attribute

Required

Description

AttributeDefinitions

No

A list of attribute definitions for the table.

Type: Array of objects

BillingModeSummary

No

Information about the billing for read/write capacity on the table.

Type: Object

CreationDateTime

No

Indicates when the table was created.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Example:

"CreationDateTime": "2020-06-22T17:40:12.322Z"

GlobalSecondaryIndexes

No

List of global secondary indexes for the table.

Type: Array of objects

GlobalTableVersion

No

The version of global tables being used.

Type: String

ItemCount

No

The number of items in the table.

Type: Number

KeySchema

No

The primary key structure for the table.

Type: Array of objects

LatestStreamArn

No

The ARN of the latest stream for the table.

Type: String

LatestStreamLabel

No

The label of the latest stream. The label is not a unique identifier.

Type: String

LocalSecondaryIndexes

No

The list of local secondary indexes for the table.

Type: Array of objects

ProvisionedThroughput

No

Information about the provisioned throughput for the table.

Type: Object

Replicas

No

The list of replicas of this table.

Type: Array of objects

RestoreSummary

No

Information about the restore for the table.

Type: Object

SseDescription

No

Information about the server-side encryption for the table.

Type: Object

StreamSpecification

No

The current DynamoDB Streams configuration for the table.

Type: Object

TableId

No

The identifier of the table.

Type: String

TableName

No

The name of the table.

Type: String

Minimum length: 3

Maximum length: 255

TableSizeBytes

No

The total size of the table in bytes.

Type: Integer

TableStatus

No

The current status of the table.

Type: String

Valid values: CREATING | UPDATING | DELETING | ACTIVE | INACCESSIBLE_ENCRYPTION_CREDENTIALS | ARCHIVING | ARCHIVED

AttributeDefinitions

The AttributeDefinitions object contains a list of attribute definitions for the table.

It can have the following attributes.

Attribute

Required

Description

AttributeName

No

The name of the attribute.

Type: String

AttributeType

No

The type of the attribute.

Type: String

BillingModeSummary

The BillingModeSummary object provides information about the billing for read/write capacity on the table.

It can have the following attributes.

Attribute

Required

Description

BillingMode

No

The method used to charge for read and write throughput and to manage capacity.

Type: String

Valid values: PROVISIONED | PAY_PER_REQUEST

LastUpdateToPayPerRequestDateTime

No

If the billing mode is PAY_PER_REQUEST, indicates when the billing mode was set to that value.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Example:

"LastUpdateToPayPerRequestDateTime": "2020-06-22T17:40:12.322Z"

GlobalSecondaryIndexes

The GlobalSecondaryIndexes object contains a list of global secondary indexes for the table.

It can have the following attributes.

Attribute

Required

Description

Backfilling

No

Whether the index is currently backfilling.

Type: Boolean

IndexArn

No

The ARN of the index.

Type: String

IndexName

No

The name of the index.

Type: String

IndexSizeBytes

No

The total size in bytes of the index.

Type: Number

IndexStatus

No

The current status of the index.

Type: String

Valid values: CREATING | UPDATING | DELETING | ACTIVE

ItemCount

No

The number of items in the index.

Type: Number

KeySchema

No

The key schema for the index.

Type: Array of objects

Projection

No

Attributes that are copied from the table into an index.

Type: Object

ProvisionedThroughput

No

Information about the provisioned throughput settings for the indexes.

Type: Object

KeySchema

The KeySchema object contains the key schema for the table, a global secondary index, or a local secondary index.

Each component of the key schema can have the following attributes.

Attribute

Required

Description

AttributeName

No

The name of the attribute.

Type: String

KeyType

No

The type of key used for the attribute.

Type: String

Valid values: HASH | RANGE

LocalSecondaryIndexes

LocalSecondaryIndexes can have the following attributes.

Attribute

Required

Description

IndexArn

No

The ARN of the index.

Type: String

IndexName

No

The name of the index.

Type: String

Minimum length: 3

Maximum length: 255

KeySchema

No

The complete key schema for the index.

Type: Array of objects

Projection

No

Attributes that are copied from the table into the index. These are in addition to the primary key attributes and index key attributes, which are automatically projected.

Type: Object

Projection (for global and local secondary indexes)

For global and local secondary indexes, the Projection object identifies the attributes that are copied from the table into the index.

It can have the following attributes.

Attribute

Required

Description

NonKeyAttributes

No

The nonkey attributes that are projected into the index. For each attribute, provide the attribute name.

Type: Array of strings

Maximum number of items: 20

Minimum length per attribute: 1

Maximum length per attribute: 225

ProjectionType

No

The types of attributes that are projected into the index.

Type: String

Valid values: ALL | KEYS_ONLY | INCLUDE

ProvisionedThroughput

The ProvisionedThroughput object contains information about the provisioned throughput for the table or for a global secondary index.

It can have the following attributes.

Attribute

Required

Description

LastDecreaseDateTime

No

Indicates when the provisioned throughput was last decreased.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Example:

"LastDecreaseDateTime": "2020-06-22T17:40:12.322Z"

LastIncreaseDateTime

No

Indicates when the provisioned throughput was last increased.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Example:

"LastIncreaseDateTime": "2020-06-22T17:40:12.322Z"

NumberOfDecreasesToday

No

The number of times during the current UTC calendar day that the provisioned throughput was decreased.

Type: Number

ReadCapacityUnits

No

The maximum number of strongly consistent reads consumed per second before DynamoDB returns a ThrottlingException.

Type: Number

WriteCapacityUnits

No

The maximum number of writes consumed per second before DynamoDB returns a ThrottlingException.

Type: Number

Replicas

The Replicas object contains the list of replicas of this table.

Each replica can have the following attributes.

Attribute

Required

Description

GlobalSecondaryIndexes

No

List of global secondary indexes for the replica.

Type: Array of objects

GlobalSecondaryIndexes.IndexName

No

The name of the index.

Type: String

GlobalSecondaryIndexes.ProvisionedThroughputOverride

No

Replica-specific configuration for the provisioned throughput for the index.

Type: Object

KmsMasterKeyId

No

The identifier of the AWS KMS customer master key (CMK) that will be used for AWS KMS encryption for the replica.

Type: String

ProvisionedThroughputOverride

No

Replica-specific configuration for the provisioned throughput.

Type: Object

RegionName

No

The name of the Region where the replica is located.

Type: String

ReplicaStatus

No

The current status of the replica.

Type: String

Valid values: CREATING | CREATION_FAILED | UPDATING | DELETING | ACTIVE

ReplicaStatusDescription

No

Detailed information about the replica status.

Type: String

ProvisionedThroughputOverride

The ProvisionedThroughputOverride object provides replica-specific configuration for the provisioned throughput for the table or the global secondary indexes.

It can have the following attributes.

Attribute

Required

Description

ReadCapacityUnits

No

The read capacity units for the replica.

Type: Number

Minimum value: 1

RestoreSummary

The RestoreSummary object provides information about the restore for the table.

It can have the following attributes.

Attribute

Required

Description

RestoreDateTime

No

Indicates the point in time that the table was restored to.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Example:

"RestoreDateTime": "2020-06-22T17:40:12.322Z"

RestoreInProgress

No

Whether a restore is currently in progress.

Type: Boolean

SourceBackupArn

No

The ARN of the source backup from which the table was restored.

Type: String

SourceTableArn

No

The ARN of the source table for the backup.

Type: String

SseDescription

The SseDescription object provides information about the server-side encryption for the table.

It can have the following attributes.

Attribute

Required

Description

InaccessibleEncryptionDateTime

No

If the key is inaccessible, the date and time when DynamoDB detected that the key was inaccessible.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Example:

"InaccessibleEncryptionDateTime": "2020-06-22T17:40:12.322Z"

KmsMasterKeyArn

No

The ARN of the AWS KMS customer master key (CMK) that is used for the AWS KMS encryption.

Type: String

SseType

No

The type of server-side encryption.

Type: String

Valid values: KMS

Status

No

The status of the server-side encryption.

Type: String

Valid values: ENABLED | UPDATING

StreamSpecification

The StreamSpecification object contains the current DynamoDB Streams configuration for the table.

It can have the following attributes.

Attribute

Required

Description

StreamEnabled

No

Indicates whether DynamoDB Streams is enabled on the table.

Type: Boolean

StreamViewType

No

Determines the information that is written to the table.

Type: String

Valid values: NEW_IMAGE | OLD_IMAGE | NEW_AND_OLD_IMAGES | KEYS_ONLY

AwsEc2Eip

The AwsEc2Eip object provides information about an Elastic IP address.

Example

"AwsEc2Eip": {
  "InstanceId": "instance1",
  "PublicIp": "192.0.2.04",
  "AllocationId": "eipalloc-example-id-1",
  "AssociationId": "eipassoc-example-id-1",
  "Domain": "vpc",
  "PublicIpv4Pool": "anycompany",
  "NetworkBorderGroup": "eu-central-1",
  "NetworkInterfaceId": "eni-example-id-1",
  "NetworkInterfaceOwnerId": "777788889999",
  "PrivateIpAddress": "192.0.2.03"
}

The AwsEc2Eip object can have the following attributes.

Attribute

Required

Description

AllocationId

No

The identifier that AWS assigns to represent the allocation of the Elastic IP address for use with Amazon VPC.

Type: String

AssociationId

No

The identifier that represents the association of the Elastic IP address with an EC2 instance.

Type: String

Domain

No

The domain in which to allocate the address.

If the address is for use with EC2 instances in a VPC, then Domain is vpc. Otherwise, Domain is standard.

Type: String

Valid values: standard | vpc

InstanceId

No

The identifier of the EC2 instance.

Type: String

NetworkBorderGroup

No

The name of the location from which the Elastic IP address is advertised.

Type: String

NetworkInterfaceId

No

The identifier of the network interface.

Type: String

NetworkInterfaceOwnerId

No

The AWS account ID of the owner of the network interface.

Type: String

Format: Must be a 12-digit number.

PrivateIpAddress

No

The private IP address that is associated with the Elastic IP address.

Type: IPv4

PublicIp

No

A public IP address that is associated with the EC2 instance.

Type: IPv4

PublicIpv4Pool

No

The identifier of an IP address pool. This parameter allows Amazon EC2 to select an IP address from the address pool.

Type: String

AwsEc2Instance

The details of an Amazon EC2 instance.

Type: Object

The AwsEc2Instance object can have the following attributes.

Attribute

Required

Description

IamInstanceProfileArn

No

The IAM profile ARN of the instance.

Type: String (conforms to the AWS ARN format)

ImageId

No

The Amazon Machine Image (AMI) ID of the instance.

Type: String (64 characters max)

IpV4Addresses

No

The IPv4 addresses that are associated with the instance.

Type: Array of up to 10 IPv4 addresses

IpV6Addresses

No

The IPv6 addresses that are associated with the instance.

Type: Array of up to 10 IPv6 addresses

KeyName

No

The key name that is associated with the instance.

Type: String (128 characters max)

LaunchedAt

No

Indicates when the instance was launched.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

SubnetId

No

The identifier of the subnet where the instance was launched.

Type: String (32 characters max)

Type

No

The instance type of the instance. This must be a valid EC2 instance type.

Type: String (16 characters max)

VpcId

No

The identifier of the VPC where the instance was launched.

Type: String (32 characters max)

AwsEc2NetworkInterface

The AwsEc2NetworkInterface object provides information about an Amazon EC2 network interface.

Example

"AwsEc2NetworkInterface": {
  "Attachment": {
    "AttachTime": "2019-01-01T03:03:21Z",
    "AttachmentId": "eni-attach-43348162",
    "DeleteOnTermination": true,
    "DeviceIndex": 123,
    "InstanceId": "i-1234567890abcdef0",
    "InstanceOwnerId": "123456789012",
    "Status": "ATTACHED"
  },
  "SecurityGroups": [
    { "GroupName": "my-security-group", "GroupId": "sg-903004f8" }
  ],
  "NetworkInterfaceId": "eni-686ea200",
  "SourceDestCheck": false
}

The AwsEc2NetworkInterface object can have the following attributes.

Attribute

Required

Description

Attachment

No

Information about the network interface attachment.

Type: Object

NetworkInterfaceId

No

The ID of the network interface.

Type: String

SecurityGroups

No

Security groups for the network interface.

Type: Array of group objects

SourceDestCheck

No

Indicates whether traffic to or from the instance is validated.

Type: Boolean

Attachment

The Attachment object provides information about the network interface attachment.

It can have the following attributes.

Attribute

Required

Description

AttachmentId

No

The identifier of the network interface attachment.

Type: String

AttachTime

No

Indicates when the attachment initiated.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

DeleteOnTermination

No

Indicates whether the network interface is deleted when the instance is terminated.

Type: Boolean

DeviceIndex

No

The device index of the network interface attachment on the instance.

Type: Integer

InstanceId

No

The ID of the instance.

Type: String

InstanceOwnerId

No

The AWS account ID of the owner of the instance.

Type: String

Status

No

The attachment state.

Type: String

Valid values: attaching | attached | detaching | detached

SecurityGroups

The SecurityGroups object contains the list of security groups for the network interface.

Each security group can have the following attributes.

Attribute

Required

Description

GroupId

No

The ID of the security group.

Type: String

GroupName

The name of the security group.

Type: String

AwsEc2SecurityGroup

The AwsEc2SecurityGroup object describes an Amazon EC2 security group.

Example

"AwsEc2SecurityGroup": {
  "GroupName": "MySecurityGroup",
  "GroupId": "sg-903004f8",
  "OwnerId": "123456789012",
  "VpcId": "vpc-1a2b3c4d",
  "IpPermissions": [
    {
      "IpProtocol": "-1",
      "IpRanges": [],
      "UserIdGroupPairs": [ { "UserId": "123456789012", "GroupId": "sg-903004f8" } ],
      "PrefixListIds": [ { "PrefixListId": "pl-63a5400a" } ]
    },
    {
      "PrefixListIds": [],
      "FromPort": 22,
      "IpRanges": [ { "CidrIp": "203.0.113.0/24" } ],
      "ToPort": 22,
      "IpProtocol": "tcp",
      "UserIdGroupPairs": []
    }
  ]
}

The AwsEc2SecurityGroup object can have the following attributes.

Attribute

Required

Description

GroupId

No

The ID of the security group.

Type: String

GroupName

No

The name of the security group.

Type: String

IpPermissions

No

The inbound rules that are associated with the security group.

Type: Array of IP permission objects

IpPermissionsEgress

No

[VPC only] The outbound rules that are associated with the security group.

Type: Array of IP permission objects

OwnerId

No

The AWS account ID of the owner of the security group.

Type: String

VpcId

No

[VPC only] The ID of the VPC for the security group.

Type: String

IP permission object

The IpPermissions and IpPermissionsEgress objects both contain an array of IP permission objects.

Each IP permission object can have the following attributes.

Attribute

Required

Description

FromPort

No

The start of the port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number.

A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes.

Type: Integer

IpProtocol

No

The IP protocol name (tcp, udp, icmp, icmpv6) or number (see the protocol numbers list).

[VPC only] Use -1 to specify all protocols.

When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify.

For tcp, udp, and icmp, you must specify a port range.

For icmpv6, the port range is optional. If you omit the port range, traffic for all types and codes is allowed.

Type: String

IpRanges

No

The ranges of IP addresses.

Type: Array of IP range objects

PrefixListIds

No

[VPC only] The prefix list IDs for an AWS service. With outbound rules, this is the AWS service to access through a VPC endpoint from instances that are associated with the security group.

Type: Array of prefix list ID objects

ToPort

No

The end of the port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code.

A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all codes.

Type: Integer

UserIdGroupPairs

No

The security group and AWS account ID pairs.

Type: Array of user ID group pair objects

Each entry in the IpRanges array can have the following attributes.

Attribute

Required

Description

CidrIp

No

A range of IP addresses.

You can either specify a CIDR range or a source security group, but not both.

To specify a single IPv4 address, use the /32 prefix length.

To specify a single IPv6 address, use the /128 prefix length.

Type: String

Each entry in the PrefixListIds array can have the following attributes.

Attribute

Required

Description

PrefixListId

No

The ID of the prefix.

Type: String

Each entry in the UserIdGroupPairs array can have the following attributes.

Attribute

Required

Description

GroupId

No

The ID of the security group.

Type: String

UserId

No

The ID of an AWS account.

For a referenced security group in another VPC, the account ID of the referenced security group is returned in the response. If the referenced security group is deleted, this value is not returned.

[Amazon EC2-Classic] Required when adding or removing rules that reference a security group in another AWS account.

Type: String
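The IP permission object carries the rule semantics that a Security Hub consumer has to get right when it triages AwsEc2SecurityGroup findings: an IpProtocol of -1 or of any protocol number other than tcp, udp, icmp or icmpv6 allows all ports regardless of FromPort/ToPort, ICMP rules use those fields for types and codes rather than ports, and a CidrIp of 0.0.0.0/0 (or ::/0) means any source on the internet. The analyzer below is an added example, not code from Security Hub or the EC2 API; it applies those documented rules to the IpPermissions array and reports which of a set of ports are reachable from anywhere. The sample security group is constructed for the example (the group ID and rule set are invented, following the shape of the documentation's example above).

```python
import ipaddress

# Added example, not code from AWS Security Hub or the EC2 API. Applies the
# FromPort/ToPort/IpProtocol semantics documented above to the IP permission
# objects of an ASFF AwsEc2SecurityGroup detail and reports inbound rules that
# any address on the internet can use.
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")
PROTO_NAMES = {"6": "tcp", "17": "udp", "1": "icmp", "58": "icmpv6"}


def rule_covers(perm, protocol, port):
    """True if an IP permission object allows `protocol` ("tcp" or "udp") traffic to `port`."""
    # A missing IpProtocol is treated as -1 so the scan errs on the side of reporting.
    proto = str(perm.get("IpProtocol", "-1")).lower()
    if proto == "-1":
        return True                      # all protocols, all ports
    proto = PROTO_NAMES.get(proto, proto)
    if proto in ("icmp", "icmpv6"):
        return False                     # FromPort/ToPort are ICMP types and codes here
    if proto not in ("tcp", "udp"):
        return True                      # other protocol numbers allow all ports, whatever the range says
    if proto != protocol:
        return False
    from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
    if from_port is None or to_port is None:
        return False                     # tcp/udp rules must carry a range; treat a missing one as no match
    return from_port <= port <= to_port


def is_world_open(perm):
    """True if any CidrIp in the rule is 0.0.0.0/0 or ::/0."""
    for rng in perm.get("IpRanges", []):
        cidr = rng.get("CidrIp")
        if not cidr:
            continue
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            continue                     # skip a malformed entry rather than abort the scan
        if net == ANY_V4 or net == ANY_V6:
            return True
    return False


def world_open_ports(sg, protocol, ports):
    """Map each port to whether an inbound rule exposes it to the whole internet."""
    perms = sg.get("IpPermissions", [])
    return {p: any(is_world_open(perm) and rule_covers(perm, protocol, p) for perm in perms)
            for p in ports}


# Constructed sample (not the documentation's data), in the shape of the example above.
SAMPLE_SG = {
    "GroupName": "web-tier",
    "GroupId": "sg-0123456789abcdef0",
    "OwnerId": "123456789012",
    "VpcId": "vpc-1a2b3c4d",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "PrefixListIds": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "PrefixListIds": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [{"UserId": "123456789012", "GroupId": "sg-903004f8"}]},
        {"IpProtocol": "udp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "::/0"}], "PrefixListIds": [], "UserIdGroupPairs": []},
    ],
}

if __name__ == "__main__":
    print("tcp:", world_open_ports(SAMPLE_SG, "tcp", [22, 443, 3389]))
    print("udp:", world_open_ports(SAMPLE_SG, "udp", [53, 3389]))
```

Rules that reference other security groups (UserIdGroupPairs) or prefix lists are deliberately not treated as world-open, because their reachability depends on the referenced group or service, not on a CIDR; a fuller check would resolve those references separately.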

AwsEc2Volume

The AwsEc2Volume object provides details about an EC2 volume.

Example

"AwsEc2Volume": {
  "Attachments": [
    {
      "AttachTime": "2017-10-17T14:47:11Z",
      "DeleteOnTermination": true,
      "InstanceId": "i-123abc456def789g",
      "Status": "attached"
    }
  ],
  "CreateTime": "2020-02-24T15:54:30Z",
  "Encrypted": true,
  "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Size": 80,
  "SnapshotId": "",
  "Status": "available"
}

The AwsEc2Volume object can have the following attributes.

Attribute

Required

Description

Attachments

No

The volume attachments.

Type: Array of objects

CreateTime

No

Indicates when the volume was created.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Encrypted

No

Whether the volume is encrypted.

Type: Boolean

KmsKeyId

No

The ARN of the AWS KMS customer master key (CMK) that was used to protect the volume encryption key for the volume.

Type: String

Size

No

The size of the volume, in GiBs.

Type: Integer

SnapshotId

No

The snapshot from which the volume was created.

Type: String

Status

No

The volume state.

Type: String

Valid values: creating | available | in-use | deleting | deleted | error

Attachments

The Attachments object contains the set of attachments for the EC2 volume. Each attachment can have the following attributes.

Attribute

Required

Description

AttachTime

No

The date and time when the attachment initiated.

Type: String (timestamp)

Format: yyyy-MM-ddTHH:mm:ssZ

DeleteOnTermination

No

Whether the EBS volume is deleted when the EC2 instance is terminated.

Type: Boolean

InstanceId

No

The identifier of the EC2 instance.

Type: String

Status

No

The attachment state of the volume.

Type: String

Valid values: attaching | attached | detaching | detached | busy

AwsEc2Vpc

The AwsEc2Vpc object provides details about an EC2 virtual private cloud (VPC).

Example

"AwsEc2Vpc": { "CidrBlockAssociationSet": [ { "AssociationId": "vpc-cidr-assoc-0dc4c852f52abda97", "CidrBlock": "192.0.2.0/24", "CidrBlockState": "associated" } ], "DhcpOptionsId": "dopt-4e42ce28", "Ipv6CidrBlockAssociationSet": [ { "AssociationId": "vpc-cidr-assoc-0dc4c852f52abda97", "CidrBlockState": "associated", "Ipv6CidrBlock": "192.0.2.0/24" } ], "State": "available" }

The AwsEc2Vpc object can have the following attributes.

Attribute

Required

Description

CidrBlockAssociationSet

No

Information about the IPv4 CIDR blocks that are associated with the VPC.

Type: Array of objects

DhcpOptionsId

No

The identifier of the set of Dynamic Host Configuration Protocol (DHCP) options that are associated with the VPC. If the default options are associated with the VPC, then this is default.

Type: String (32 characters max)

Ipv6CidrBlockAssociationSet

No

Information about the IPv6 CIDR blocks that are associated with the VPC.

Type: Array of objects

State

No

The current state of the VPC.

Type: String (32 characters max)

Valid values: pending | available

CidrBlockAssociationSet

The CidrBlockAssociationSet object provides a list of IPv4 CIDR block associations.

Each CIDR block association can contain the following attributes.

Attribute

Required

Description

AssociationId

No

The association ID for the IPv4 CIDR block.

Type: String (32 characters max)

CidrBlock

No

The IPv4 CIDR block.

Type: String (IPv4 CIDR block)

CidrBlockState

No

Information about the state of the CIDR block.

Type: String (32 characters max)

Ipv6CidrBlockAssociationSet

The Ipv6CidrBlockAssociationSet object provides a list of IPv6 CIDR block associations.

Each CIDR block association can contain the following attributes.

Attribute

Required

Description

AssociationId

No

The association ID for the IPv6 CIDR block.

Type: String (32 characters max)

CidrBlockState

No

Information about the state of the CIDR block.

Type: String (32 characters max)

Ipv6CidrBlock

No

The IPv6 CIDR block.

Type: String (IPv6 CIDR block)

AwsElasticsearchDomain

The AwsElasticsearchDomain object provides details about an Amazon Elasticsearch Service (Amazon ES) domain.

It can have the following attributes.

Attribute

Required

Description

AccessPolicies

No

The IAM policy document (the domain's resource-based access policy) that specifies who can access the Amazon ES domain, as a JSON string.

Type: String

DomainEndpointOptions

No

Additional options for the domain endpoint.

Type: Object

DomainStatus

No

Details about the domain status.

Type: Object

ElasticsearchVersion

No

Elasticsearch version.

Type: String

EncryptionAtRestOptions

No

Details about the configuration for encryption at rest.

Type: Object

NodeToNodeEncryptionOptions

No

Details about the configuration for node-to-node encryption.

Type: Object

VPCOptions

No

Information that Amazon ES derives from the VPC options for the domain.

Type: Object

DomainEndpointOptions

The DomainEndpointOptions object provides information about additional options for the domain endpoint.

It can have the following attributes.

Attribute

Required

Description

EnforceHTTPS

No

Whether to require that all traffic to the domain arrive over HTTPS.

Type: Boolean

TLSSecurityPolicy

No

The TLS security policy to apply to the HTTPS endpoint of the Elasticsearch domain.

Type: String

Valid values:

  • Policy-Min-TLS-1-0-2019-07, which supports TLSv1.0 and higher (TLS 1.0 and 1.1 are deprecated by RFC 8996; prefer the TLS 1.2 policy)

  • Policy-Min-TLS-1-2-2019-07, which only supports TLSv1.2

DomainStatus

The DomainStatus object provides details about the domain status.

It can have the following attributes.

Attribute

Required

Description

DomainId

No

Unique identifier for an Amazon ES domain.

Type: String

DomainName

No

Name of an Amazon ES domain.

Domain names are unique across all domains owned by the same account within an AWS Region.

Domain names must start with a lowercase letter and must be between 3 and 28 characters.

Valid characters are a-z (lowercase only), 0-9, and - (hyphen).

Type: String

Endpoint

No

Domain-specific endpoint used to submit index, search, and data upload requests to an Amazon ES domain.

The endpoint is a service URL.

Type: String

Endpoints

No

The key-value pair that exists if the Amazon ES domain uses VPC endpoints.

Type: Map of key-value pairs

Example:

"vpc": "<VPC_ENDPOINT>"
EncryptionAtRestOptions

The EncryptionAtRestOptions object provides details about the configuration for encryption at rest.

It can have the following attributes.

Attribute

Required

Description

Enabled

No

Whether encryption at rest is enabled.

Type: Boolean

KmsKeyId

No

The AWS KMS key ID. Takes the form 1a2a3a4-1a2a-3a4a-5a6a-1a2a3a4a5a6a.

Type: String

NodeToNodeEncryptionOptions

The NodeToNodeEncryptionOptions object provides details about the configuration for node-to-node encryption.

It can have the following attributes.

Attribute

Required

Description

Enabled

No

Whether node-to-node encryption is enabled.

Type: Boolean

VPCOptions

The VPCOptions object contains information that Amazon ES derives from the VPC options for the domain.

It can have the following attributes.

Attribute

Required

Description

AvailabilityZones

No

The list of Availability Zones that are associated with the VPC subnets.

Type: Array of strings

SecurityGroupIds

No

The list of security group IDs that are associated with the VPC endpoints for the domain.

Type: Array of strings

SubnetIds

No

A list of subnet IDs that are associated with the VPC endpoints for the domain.

Type: Array of strings

VPCId

No

ID for the VPC.

Type: String
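The transport, encryption and network attributes above are the ones a reviewer checks first on an Elasticsearch domain finding. The following is an added example for this reference, not code from Security Hub or Amazon ES: it walks an AwsElasticsearchDomain details object using the attribute names defined above and returns issue codes. Every attribute is optional in ASFF, so a missing block is reported as unknown rather than assumed secure. The two sample domain objects are constructed for the example; the VPC, subnet and security group IDs in them are placeholders.

```python
"""Audit an ASFF AwsElasticsearchDomain details object (added example)."""
from typing import Dict, List

# Policy-Min-TLS-1-0-2019-07 still accepts TLSv1.0 handshakes, so treat it as weak.
WEAK_TLS_POLICIES = {"Policy-Min-TLS-1-0-2019-07"}


def audit_elasticsearch_domain(details: Dict) -> List[str]:
    """Return a list of issue codes for one AwsElasticsearchDomain object.

    A missing DomainEndpointOptions / EncryptionAtRestOptions /
    NodeToNodeEncryptionOptions block yields an '...-unknown' code, because
    an absent attribute proves nothing about the domain's configuration.
    """
    issues: List[str] = []

    endpoint = details.get("DomainEndpointOptions")
    if endpoint is None:
        issues.append("endpoint-options-unknown")
    else:
        if not endpoint.get("EnforceHTTPS", False):
            issues.append("https-not-enforced")
        if endpoint.get("TLSSecurityPolicy") in WEAK_TLS_POLICIES:
            issues.append("tls-1.0-allowed")

    at_rest = details.get("EncryptionAtRestOptions")
    if at_rest is None:
        issues.append("encryption-at-rest-unknown")
    elif not at_rest.get("Enabled", False):
        issues.append("encryption-at-rest-disabled")

    node_to_node = details.get("NodeToNodeEncryptionOptions")
    if node_to_node is None:
        issues.append("node-to-node-encryption-unknown")
    elif not node_to_node.get("Enabled", False):
        issues.append("node-to-node-encryption-disabled")

    # A domain without VPCOptions.VPCId is served from a public endpoint and
    # relies entirely on its AccessPolicies document for network protection.
    vpc = details.get("VPCOptions") or {}
    if not vpc.get("VPCId"):
        issues.append("public-endpoint")

    return issues


# Constructed sample input: a weak domain and a hardened one (placeholder IDs).
WEAK_DOMAIN = {
    "ElasticsearchVersion": "7.4",
    "DomainEndpointOptions": {
        "EnforceHTTPS": False,
        "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07",
    },
    "EncryptionAtRestOptions": {"Enabled": False},
    "NodeToNodeEncryptionOptions": {"Enabled": False},
}

HARDENED_DOMAIN = {
    "ElasticsearchVersion": "7.4",
    "DomainEndpointOptions": {
        "EnforceHTTPS": True,
        "TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07",
    },
    "EncryptionAtRestOptions": {
        "Enabled": True,
        "KmsKeyId": "1a2a3a4-1a2a-3a4a-5a6a-1a2a3a4a5a6a",
    },
    "NodeToNodeEncryptionOptions": {"Enabled": True},
    "VPCOptions": {
        "VPCId": "vpc-EXAMPLE",
        "SubnetIds": ["subnet-EXAMPLE"],
        "SecurityGroupIds": ["sg-EXAMPLE"],
    },
}

if __name__ == "__main__":
    for name, domain in (("weak", WEAK_DOMAIN), ("hardened", HARDENED_DOMAIN)):
        print(name, audit_elasticsearch_domain(domain))
```

The public-endpoint code is deliberately not an error on its own: a public domain with an IP-restricted access policy may be acceptable, so pair it with a review of AccessPolicies.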

AwsElbv2LoadBalancer

The AwsElbv2LoadBalancer object provides information about a load balancer.

It can have the following attributes.

Attribute

Required

Description

AvailabilityZones

No

The Availability Zones for the load balancer.

Type: Object

CanonicalHostedZoneId

No

The ID of the Amazon Route 53 hosted zone that is associated with the load balancer.

Type: String

CreatedTime

No

Indicates when the load balancer was created.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

DNSName

No

The public DNS name of the load balancer.

Type: String

IpAddressType

No

The type of IP addresses used by the subnets for your load balancer.

The possible values are ipv4 (for IPv4 addresses) and dualstack (for IPv4 and IPv6 addresses).

Type: String

Scheme

No

The load balancer scheme. The nodes of an internet-facing load balancer have public IP addresses; the nodes of an internal load balancer have only private IP addresses.

Type: String

Valid values: internet-facing | internal

SecurityGroups

No

The IDs of the security groups for the load balancer.

Type: Array of strings

State

No

The state of the load balancer.

Type: Object

Type

No

The type of load balancer.

Type: String

VpcId

No

The ID of the VPC for the load balancer.

Type: String

AvailabilityZones

Specifies the Availability Zones for the load balancer.

Each Availability Zone can have the following attributes.

Attribute

Required

Description

SubnetId

No

The ID of the subnet.

Type: String

ZoneName

No

The name of the Availability Zone.

Type: String

State

Information about the state of the load balancer.

The State object can have the following attributes.

Attribute

Required

Description

Code

No

The state code.

The initial state of the load balancer is provisioning.

After the load balancer is fully set up and ready to route traffic, its state is active.

If the load balancer could not be set up, its state is failed.

Type: String

Reason

No

A description of the state.

Type: String

AwsIamAccessKey

The AwsIamAccessKey object contains details about an IAM access key that is related to a finding.

The AwsIamAccessKey object can have the following attributes.

Attribute

Required

Description

CreatedAt

No

Indicates when the related IAM access key was created.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

PrincipalId

No

The ID of the principal that is associated with an access key.

Type: String

PrincipalName

No

The name of the principal.

Type: String

PrincipalType

No

The type of principal.

Type: String

Status

No

The status of the IAM access key that is related to a finding. Valid values are ACTIVE and INACTIVE.

Type: Enum
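CreatedAt and Status together support the standard stale-credential check: an ACTIVE key that has not been rotated inside a policy window. The following is an added example for this reference, not code from Security Hub: it parses the RFC 3339 CreatedAt timestamp the format specifies and flags ACTIVE keys older than a threshold. The reference time is a parameter so results are reproducible; the 90-day window and the sample AwsIamAccessKey objects are constructed for the example.

```python
"""Flag stale ACTIVE IAM access keys from ASFF AwsIamAccessKey objects (added example)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

ROTATION_MAX_AGE = timedelta(days=90)  # assumed rotation policy, not an ASFF value


def parse_rfc3339(value: str) -> datetime:
    """Parse an ASFF timestamp such as 2020-06-22T17:40:12.322Z to an aware datetime.

    datetime.fromisoformat() only accepts a trailing 'Z' from Python 3.11 on,
    so the suffix is rewritten to '+00:00' first.
    """
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        # RFC 3339 requires an offset; treat a missing one as UTC, never local time.
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def stale_active_keys(keys: List[Dict], now: datetime,
                      max_age: timedelta = ROTATION_MAX_AGE) -> List[Dict]:
    """Return ACTIVE keys whose age at `now` exceeds `max_age`.

    INACTIVE keys are skipped. An ACTIVE key with no CreatedAt is reported
    with AgeDays None: its age cannot be shown to be within policy.
    """
    stale = []
    for key in keys:
        if key.get("Status") != "ACTIVE":
            continue
        created = key.get("CreatedAt")
        if not created:
            stale.append({"PrincipalName": key.get("PrincipalName"), "AgeDays": None})
            continue
        age = now - parse_rfc3339(created)
        if age > max_age:
            stale.append({"PrincipalName": key.get("PrincipalName"), "AgeDays": age.days})
    return stale


# Constructed sample input (principal names are placeholders).
NOW = datetime(2020, 9, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"CreatedAt": "2020-02-01T00:00:00Z", "PrincipalName": "deploy-bot", "Status": "ACTIVE"},
    {"CreatedAt": "2020-08-15T09:30:00.000Z", "PrincipalName": "alice", "Status": "ACTIVE"},
    {"CreatedAt": "2019-01-01T00:00:00Z", "PrincipalName": "old-ci", "Status": "INACTIVE"},
    {"PrincipalName": "no-date", "Status": "ACTIVE"},
]

if __name__ == "__main__":
    for hit in stale_active_keys(SAMPLE_KEYS, NOW):
        print(hit)
```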

AwsIamPolicy

The AwsIamPolicy object represents an IAM permissions policy.

Example

"AwsIamPolicy": { "AttachmentCount": 1, "CreateDate": "2017-09-14T08:17:29.000Z", "DefaultVersionId": "v1", "Description": "Example IAM policy", "IsAttachable": true, "Path": "/", "PermissionsBoundaryUsageCount": 5, "PolicyId": "ANPAJ2UCCR6DPCEXAMPLE", "PolicyName": "EXAMPLE-MANAGED-POLICY", "PolicyVersionList": [ { "VersionId": "v1", "IsDefaultVersion": true, "CreateDate": "2017-09-14T08:17:29.000Z" } ], "UpdateDate": "2017-09-14T08:17:29.000Z" }

It can have the following attributes.

Attribute

Required

Description

AttachmentCount

No

The number of users, groups, and roles that the policy is attached to.

Type: Number

CreateDate

No

When the policy was created.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Example:

"CreateDate": "2020-06-22T17:40:12.322Z"

DefaultVersionId

No

The identifier of the default version of the policy.

Type: String

Description

No

A description of the policy.

Type: String

Maximum length: 1000 characters

IsAttachable

No

Whether the policy can be attached to a user, group, or role.

Type: Boolean

Path

No

The path to the policy.

Type: String

Minimum length: 1

Maximum length: 512

For more information about paths, see IAM Identifiers in the IAM User Guide.

PermissionsBoundaryUsageCount

No

The number of users and roles that use the policy to set the permissions boundary.

Type: Number

PolicyId

No

The unique identifier of the policy.

Type: String

Minimum length: 16

Maximum length: 128

PolicyName

No

The name of the policy.

Type: String

Minimum length: 1

Maximum length: 128

PolicyVersionList

No

List of versions of the policy.

Type: Array of objects

UpdateDate

No

When the policy was most recently updated.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Example:

"UpdateDate": "2020-06-22T17:40:12.322Z"
PolicyVersionList

The PolicyVersionList object contains a list of versions of the IAM policy.

Each version can have the following attributes.

Attribute

Required

Description

CreateDate

No

Indicates when the version was created.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Example:

"CreateDate": "2020-06-22T17:40:12.322Z"

IsDefaultVersion

No

Whether the version is the default version.

Type: Boolean

VersionId

No

The identifier of the policy version.

Type: String

AwsIamRole

The AwsIamRole object contains information about an IAM role, including all of the role's policies.

The AwsIamRole object can have the following attributes.

Attribute

Required

Description

AssumeRolePolicyDocument

No

The trust policy that grants permission to assume the role, as a JSON policy document string.

Type: String

CreateDate

No

Indicates when the role was created.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

RoleId

No

The stable and unique string identifying the role.

Type: String

RoleName

No

The friendly name that identifies the role.

Type: String

MaxSessionDuration

No

The maximum session duration, in seconds, that is set for the role.

Type: Integer

Path

No

The path to the role.

Type: String
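Two attributes in this reference carry a JSON policy document as a string: AwsElasticsearchDomain.AccessPolicies (a resource policy) and AwsIamRole.AssumeRolePolicyDocument (a trust policy). In both, the statement to find is an Allow with a wildcard principal and no Condition, since that grants the domain or the role to any AWS account. The following is an added example for this reference, not code from Security Hub or IAM, that serves both attributes. It normalises the policy grammar (Statement, Action, Resource and Principal.AWS may each be a scalar or a list) and also accepts the URL-encoded form in which the IAM API returns trust policies. The sample documents are constructed for the example; the account ID, domain name and Sid values in them are placeholders.

```python
"""Find Allow statements open to any principal in an IAM-style policy (added example)."""
import json
from typing import Any, Dict, List, Union
from urllib.parse import quote, unquote


def _as_list(value: Any) -> List[Any]:
    """The policy grammar allows a scalar wherever a list is allowed; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal: Any) -> bool:
    """True for "Principal": "*" and for {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def open_principal_statements(policy: Union[str, Dict]) -> List[Dict[str, Any]]:
    """Return Allow statements whose Principal is '*' and that carry no Condition.

    A str argument is JSON-decoded first (URL-decoded before that if it looks
    URL-encoded, as the IAM API returns AssumeRolePolicyDocument). A statement
    that has a Condition (aws:SourceIp, sts:ExternalId, ...) is not reported:
    it still deserves review, but it is not wide open.
    """
    if isinstance(policy, str):
        text = policy.lstrip()
        if text.startswith("%7B"):  # percent-encoded '{'
            text = unquote(text)
        doc = json.loads(text)
    else:
        doc = policy

    hits = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        hits.append({
            "Sid": stmt.get("Sid"),
            "Action": _as_list(stmt.get("Action")),
            "Resource": _as_list(stmt.get("Resource")),
        })
    return hits


# Constructed sample documents, stored as strings the way ASFF carries them.
OPEN_ACCESS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyoneCanQuery",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:ESHttp*",
        "Resource": "arn:aws:es:us-east-1:111122223333:domain/example-domain/*",
    }],
})

IP_RESTRICTED_ACCESS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OfficeRangeOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:ESHttp*",
        "Resource": "arn:aws:es:us-east-1:111122223333:domain/example-domain/*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["192.0.2.0/24"]}},
    }],
})

# Statement as a single object rather than a list, which the grammar permits.
OPEN_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AnyAccountCanAssume",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sts:AssumeRole",
    },
})

SERVICE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

# The same trust policy as the IAM API would return it (URL-encoded).
URL_ENCODED_TRUST_POLICY = quote(OPEN_TRUST_POLICY)

if __name__ == "__main__":
    print(open_principal_statements(OPEN_ACCESS_POLICY))
    print(open_principal_statements(URL_ENCODED_TRUST_POLICY))
```

The check is intentionally narrow. It does not evaluate NotPrincipal, Deny statements that might override an open Allow, or whether a Condition actually constrains anything; treat its output as the list of statements to read first, not as a verdict.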

AwsIamUser

The AwsIamUser object provides information about an IAM user.

Example

"AwsIamUser": { "AttachedManagedPolicies": [ { "PolicyName": "ExamplePolicy", "PolicyArn": "arn:aws:iam::aws:policy/ExampleAccess" } ], "CreateDate": "2018-01-26T23:50:05.000Z", "GroupList": [], "Path": "/", "PermissionsBoundary" : { "PermissionsBoundaryArn" : "arn:aws:iam::aws:policy/AdministratorAccess", "PermissionsBoundaryType" : "PermissionsBoundaryPolicy" }, "UserId": "AIDACKCEVSQ6C2EXAMPLE", "UserName": "ExampleUser", "UserPolicyList": [ { "PolicyName": "InstancePolicy" } ] }

It can have the following attributes.

Attribute

Required

Description

AttachedManagedPolicies

No

A list of the managed policies that are attached to the user.

Type: Array of objects

CreateDate

No

Indicates when the user was created.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Example:

"CreateDate": "2020-06-22T17:40:12.322Z"

GroupList

No

A list of IAM groups that the user belongs to.

Type: Array of strings

Minimum length: 1

Maximum length: 128

Path

No

The path to the user.

Type: String

Minimum length: 1

Maximum length: 512

PermissionsBoundary

No

The permissions boundary for the user.

Type: Object

UserId

No

The unique identifier for the user.

Type: String

Minimum length: 16

Maximum length: 128

UserName

No

The name of the user.

Type: String

Minimum length: 1

Maximum length: 64

UserPolicyList

No

The list of inline policies that are embedded in the user.

Type: Array of objects

AttachedManagedPolicies

The AttachedManagedPolicies object contains the list of managed policies that are attached to the IAM user.

Each policy can have the following attributes.

Attribute

Required

Description

PolicyArn

No

The ARN of the policy.

Type: String

PolicyName

No

The name of the policy.

Type: String

PermissionsBoundary

The PermissionsBoundary object contains information about the policy used to set the permissions boundary for the user.

It can have the following attributes.

Attribute

Required

Description

PermissionsBoundaryArn

No

The ARN of the policy used to set the permissions boundary for the user.

Type: String

Minimum length: 20

Maximum length: 2,048

PermissionsBoundaryType

No

The usage type for the permissions boundary.

Type: String

The value must be PermissionsBoundaryPolicy.

UserPolicyList

The UserPolicyList object contains the list of inline policies that are embedded in the user.

Each policy can have the following attributes.

Attribute

Required

Description

PolicyName

No

The name of the policy.

Type: String

Minimum length: 1

Maximum length: 128

AwsKmsKey

The AwsKmsKey object provides details about an AWS KMS customer master key (CMK).

The AwsKmsKey object can have the following attributes.

Attribute

Required

Description

AWSAccountId

No

The AWS account identifier of the account that owns the CMK.

Type: String

CreationDate

No

Indicates when the CMK was created.

Type: String

Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces.

Description

No

A description of the key.

Type: String

KeyId

Yes

The globally unique identifier for the CMK.

Type: String

The minimum length is 1. The maximum length is 2048.

KeyManager

No

The manager of the CMK. CMKs in an AWS account are either customer managed or AWS managed.

Type: String

Valid values: AWS | CUSTOMER

KeyState

No

The state of the CMK.

Type: String

Valid values: Enabled | Disabled | PendingDeletion | PendingImport | Unavailable

Origin

No

The source of the CMK's key material.

When this value is AWS_KMS, AWS KMS created the key material.

When this value is EXTERNAL, either the key material was imported from your existing key management infrastructure, or the CMK lacks key material.

When this value is AWS_CLOUDHSM, the key material was created in the AWS CloudHSM cluster that is associated with a custom key store.

Type: String

Valid values: AWS_KMS | EXTERNAL | AWS_CLOUDHSM

AwsLambdaFunction

The AwsLambdaFunction object provides details about a Lambda function's configuration.

It can have the following attributes.

Attribute

Required

Description

Code

No

An AwsLambdaFunctionCode object.

Type: Object

CodeSha256

No

The SHA256 hash of the function's deployment package.

Type: String

DeadLetterConfig

No

The function's dead letter queue.

Type: Object

Environment

No

A function's environment variable settings.

Type: Object

FunctionName

No

The name of the function.

Type: String

Handler

No

The function that Lambda calls to begin running your function.

Type: String

KmsKeyArn

No

The AWS KMS key that's used to encrypt the function's environment variables. This key is only returned if you've configured a customer managed CMK.

Type: String

LastModified

No

The date and time that the function was last updated, in ISO-8601 format (YYYY-MM-DDThh:mm:ss.sTZD).

Type: String

Layers

No

The function's layers.

Type: Object

MasterArn

No

For Lambda@Edge functions, the ARN of the master function.

Type: String

MemorySize

No

The memory that is allocated to the function.

Type: Integer

RevisionId

No

The latest updated revision of the function or alias.

Type: String

Role

No

The function's execution role.

Type: String

Runtime

No

The runtime environment for the Lambda function.

Type: String

Timeout

No

The amount of time that Lambda allows a function to run before stopping it.

Type: Integer

TracingConfig

No

The function's AWS X-Ray tracing configuration.

Type: Object

Version

No

The version of the Lambda function.

Type: String

VpcConfig

No

The function's networking configuration.

Type: Object

Code

An AwsLambdaFunctionCode object.

The Code object can have the following attributes.

Attribute

Required

Description

S3Bucket

No

An S3 bucket in the same AWS Region as your function. The bucket can be in a different AWS account.

Type: String

S3Key

No

The Amazon S3 key of the deployment package.

Type: String

S3ObjectVersion

No

For versioned objects, the version of the deployment package object to use.

Type: String

ZipFile

No

The base64-encoded contents of the deployment package. AWS SDK and AWS CLI clients handle the encoding for you.

Type: String

DeadLetterConfig

Contains information about the Lambda function's dead letter queue.

The DeadLetterConfig object can have the following attributes.

Attribute

Required

Description

TargetArn

No

The Amazon Resource Name (ARN) of the Amazon SQS queue or Amazon SNS topic containing the dead letter queue.

Type: String

Environment

Contains the Lambda function's environment variable settings.

The Environment object can have the following attributes.

Attribute

Required

Description

Variables

No

Environment variable key-value pairs.

Type: String to string map

Error

No

Error messages for environment variables that couldn't be applied.

Type: Object

The Error object can have the following attributes.

Attribute

Required

Description

ErrorCode

No

The error code.

Type: String

Message

No

The error message.

Type: String
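The Environment.Variables map and the KmsKeyArn attribute are where secrets leak in Lambda findings: credentials pasted into variables, and variables protected only by the default service key (KmsKeyArn is absent unless a customer managed CMK is configured). The following is an added example for this reference, not code from Security Hub or Lambda: it scans an AwsLambdaFunction object for secret-looking variable names, for an environment without a customer managed key, and for an Environment.Error block. The name pattern is a heuristic chosen for this example, and the sample function objects are constructed with placeholder values.

```python
"""Check an ASFF AwsLambdaFunction object for environment-variable risks (added example)."""
import re
from typing import Dict, List

# Variable names that commonly carry credentials. Heuristic, not exhaustive;
# a name such as SECRET_ARN (a reference, not a secret) will also match.
SECRET_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_?KEY", re.IGNORECASE)


def lambda_env_issues(function: Dict) -> List[str]:
    """Return issue codes for one AwsLambdaFunction details object."""
    issues: List[str] = []
    env = function.get("Environment") or {}
    variables = env.get("Variables") or {}

    for name in sorted(variables):
        if SECRET_NAME.search(name):
            issues.append(f"secret-in-env:{name}")

    # KmsKeyArn is only present when a customer managed CMK encrypts the
    # variables; with the default key there is no key policy to scope decrypt.
    if variables and not function.get("KmsKeyArn"):
        issues.append("env-default-key")

    error = env.get("Error")
    if error:
        issues.append(f"env-apply-error:{error.get('ErrorCode')}")

    return issues


# Constructed sample input (values are placeholders, not real credentials).
SAMPLE_FUNCTION = {
    "FunctionName": "order-webhook",
    "Runtime": "python3.8",
    "Environment": {
        "Variables": {
            "DB_PASSWORD": "REDACTED",
            "LOG_LEVEL": "info",
            "STRIPE_API_KEY": "REDACTED",
        },
    },
}

HARDENED_FUNCTION = {
    "FunctionName": "order-webhook",
    "Runtime": "python3.8",
    "KmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE",
    "Environment": {"Variables": {"LOG_LEVEL": "info"}},
}

if __name__ == "__main__":
    print(lambda_env_issues(SAMPLE_FUNCTION))
    print(lambda_env_issues(HARDENED_FUNCTION))
```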

Layers

The Lambda function's layers.

Each layer object can have the following attributes.

Attribute

Required

Description

Arn

No

The ARN of the function layer.

Type: String

CodeSize

No

The size of the layer archive in bytes.

Type: Integer

TracingConfig

Contains the function's AWS X-Ray tracing configuration.

The TracingConfig object can have the following attributes.

Attribute

Required

Description

Mode

No