create-mitigation-action¶
Description¶
Defines an action that can be applied to audit findings by using StartAuditMitigationActionsTask. Each mitigation action can apply only one type of change.
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
Synopsis¶
create-mitigation-action
--action-name <value>
--role-arn <value>
--action-params <value>
[--tags <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--cli-auto-prompt <value>]
Options¶
--action-name (string)
A friendly name for the action. Choose a friendly name that accurately describes the action (for example,
EnableLoggingAction).
--role-arn (string)
The ARN of the IAM role that is used to apply the mitigation action.
--action-params (structure)
Defines the type of action and the parameters for that action.
updateDeviceCertificateParams -> (structure)
Parameters to define a mitigation action that changes the state of the device certificate to inactive.
action -> (string)
The action that you want to apply to the device cerrtificate. The only supported value is
DEACTIVATE.updateCACertificateParams -> (structure)
Parameters to define a mitigation action that changes the state of the CA certificate to inactive.
action -> (string)
The action that you want to apply to the CA cerrtificate. The only supported value is
DEACTIVATE.addThingsToThingGroupParams -> (structure)
Parameters to define a mitigation action that moves devices associated with a certificate to one or more specified thing groups, typically for quarantine.
thingGroupNames -> (list)
The list of groups to which you want to add the things that triggered the mitigation action. You can add a thing to a maximum of 10 groups, but you cannot add a thing to more than one group in the same hierarchy.
(string)
overrideDynamicGroups -> (boolean)
Specifies if this mitigation action can move the things that triggered the mitigation action even if they are part of one or more dynamic things groups.
replaceDefaultPolicyVersionParams -> (structure)
Parameters to define a mitigation action that adds a blank policy to restrict permissions.
templateName -> (string)
The name of the template to be applied. The only supported value is
BLANK_POLICY.enableIoTLoggingParams -> (structure)
Parameters to define a mitigation action that enables AWS IoT logging at a specified level of detail.
roleArnForLogging -> (string)
The ARN of the IAM role used for logging.
logLevel -> (string)
Specifies the types of information to be logged.
publishFindingToSnsParams -> (structure)
Parameters to define a mitigation action that publishes findings to Amazon SNS. You can implement your own custom actions in response to the Amazon SNS messages.
topicArn -> (string)
The ARN of the topic to which you want to publish the findings.
Shorthand Syntax:
updateDeviceCertificateParams={action=string},updateCACertificateParams={action=string},addThingsToThingGroupParams={thingGroupNames=[string,string],overrideDynamicGroups=boolean},replaceDefaultPolicyVersionParams={templateName=string},enableIoTLoggingParams={roleArnForLogging=string,logLevel=string},publishFindingToSnsParams={topicArn=string}
JSON Syntax:
{
"updateDeviceCertificateParams": {
"action": "DEACTIVATE"
},
"updateCACertificateParams": {
"action": "DEACTIVATE"
},
"addThingsToThingGroupParams": {
"thingGroupNames": ["string", ...],
"overrideDynamicGroups": true|false
},
"replaceDefaultPolicyVersionParams": {
"templateName": "BLANK_POLICY"
},
"enableIoTLoggingParams": {
"roleArnForLogging": "string",
"logLevel": "DEBUG"|"INFO"|"ERROR"|"WARN"|"DISABLED"
},
"publishFindingToSnsParams": {
"topicArn": "string"
}
}
--tags (list)
Metadata that can be used to manage the mitigation action.
(structure)
A set of key/value pairs that are used to manage the resource.
Key -> (string)
The tag’s key.
Value -> (string)
The tag’s value.
Shorthand Syntax:
Key=string,Value=string ...
JSON Syntax:
[
{
"Key": "string",
"Value": "string"
}
...
]
--cli-input-json | --cli-input-yaml (string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.
--generate-cli-skeleton (string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.
--cli-auto-prompt (boolean)
Automatically prompt for CLI input parameters.
See ‘aws help’ for descriptions of global parameters.
Examples¶
To create a mitigation action
The following create-mitigation-action example defines a mitigation action named AddThingsToQuarantineGroup1Action that, when applied, moves things into the thing group named QuarantineGroup1. This action overrides dynamic thing groups.
aws iot create-mitigation-action --cli-input-json file::params.json
Contents of params.json:
{
"actionName": "AddThingsToQuarantineGroup1Action",
"actionParams": {
"addThingsToThingGroupParams": {
"thingGroupNames": [
"QuarantineGroup1"
],
"overrideDynamicGroups": true
}
},
"roleArn": "arn:aws:iam::123456789012:role/service-role/MoveThingsToQuarantineGroupRole"
}
Output:
{
"actionArn": "arn:aws:iot:us-west-2:123456789012:mitigationaction/AddThingsToQuarantineGroup1Action",
"actionId": "992e9a63-a899-439a-aa50-4e20c52367e1"
}
For more information, see CreateMitigationAction (Mitigation Action Commands) in the AWS IoT Developer Guide.
Output¶
actionArn -> (string)
The ARN for the new mitigation action.
actionId -> (string)
A unique identifier for the new mitigation action.