[ aws . application-signals ]
Retrieves a list of audit findings for Application Signals resources. Audit findings identify potential issues, misconfigurations, or compliance violations in your observability setup.
You can filter findings by time range, auditor type, and target resources to focus on specific areas of concern. This operation supports pagination for large result sets.
See also: AWS API Documentation
list-audit-findings
--start-time <value>
--end-time <value>
[--auditors <value>]
--audit-targets <value>
[--next-token <value>]
[--max-results <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]
--start-time (timestamp) [required]
The start time for the audit findings query. Only findings created on or after this time will be included in the results. Specify the time as the number of milliseconds since January 1, 1970, 00:00:00 UTC.
--end-time (timestamp) [required]
The end time for the audit findings query. Only findings created before this time will be included in the results. Specify the time as the number of milliseconds since January 1, 1970, 00:00:00 UTC.
--auditors (list)
An array of auditor names to filter the findings. Only findings generated by the specified auditors will be returned. When not specified, findings from all auditors are included except canary.
(string)
Syntax:
"string" "string" ...
--audit-targets (list) [required]
An array of audit target specifications to filter the findings. Only findings related to the specified targets (such as specific services, SLOs, operations or canary) will be returned.
Constraints:
- min: 1
- max: 10
(structure)
Specifies a target resource for auditing, such as a service, SLO, or operation.
Type -> (string) [required]
The type of resource being targeted for audit, such as “Service”, “SLO”, “ServiceOperation”, or “Canary”.
Data -> (tagged union structure) [required]
The specific data or entity information for the audit target, containing details needed to identify and examine the resource.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: Service, Slo, ServiceOperation, Canary.
Service -> (structure)
Service entity information when the audit target is a service.
Type -> (string)
The type of service, such as “WebService”, “Database”, “Queue”, or “Function”.
Name -> (string)
The name of the service as identified by Application Signals.
Environment -> (string)
The environment where the service is deployed, such as “Production”, “Staging”, or “Development”.
AwsAccountId -> (string)
The AWS account ID where the service is deployed.
Slo -> (structure)
Service Level Objective entity information when the audit target is an SLO.
SloName -> (string)
The name of the Service Level Objective.
SloArn -> (string)
The Amazon Resource Name (ARN) of the Service Level Objective.
ServiceOperation -> (structure)
Service operation entity information when the audit target is a specific operation within a service.
Service -> (structure)
The service entity that contains this operation.
Type -> (string)
The type of service, such as “WebService”, “Database”, “Queue”, or “Function”.
Name -> (string)
The name of the service as identified by Application Signals.
Environment -> (string)
The environment where the service is deployed, such as “Production”, “Staging”, or “Development”.
AwsAccountId -> (string)
The AWS account ID where the service is deployed.
Operation -> (string)
The name of the specific operation within the service.
MetricType -> (string)
The type of metric associated with this service operation, such as “Latency”, “ErrorRate”, or “Throughput”.
Canary -> (structure)
Canary entity information when the audit target is a CloudWatch Synthetics canary.
CanaryName -> (string) [required]
The name of the CloudWatch Synthetics canary.
JSON Syntax:
[
  {
    "Type": "string",
    "Data": {
      "Service": {
        "Type": "string",
        "Name": "string",
        "Environment": "string",
        "AwsAccountId": "string"
      },
      "Slo": {
        "SloName": "string",
        "SloArn": "string"
      },
      "ServiceOperation": {
        "Service": {
          "Type": "string",
          "Name": "string",
          "Environment": "string",
          "AwsAccountId": "string"
        },
        "Operation": "string",
        "MetricType": "string"
      },
      "Canary": {
        "CanaryName": "string"
      }
    }
  }
  ...
]
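The JSON syntax above lists all four union members side by side, but a real target may set only one of them. The following is an added example, not part of the AWS documentation: a Python pre-flight check that applies the constraints stated on this page (1 to 10 targets, required Type and Data, one union key, required CanaryName) before the value is passed to --audit-targets. The function names and sample values are assumptions made for illustration.

```python
import json

# Top-level keys of the Data tagged union, as listed on this page.
UNION_KEYS = ("Service", "Slo", "ServiceOperation", "Canary")
MIN_TARGETS, MAX_TARGETS = 1, 10  # list constraints stated on this page


def validate_audit_targets(targets):
    """Return a list of problems; an empty list means the value is well-formed."""
    if not isinstance(targets, list):
        return ["audit targets must be a JSON array"]
    problems = []
    if not MIN_TARGETS <= len(targets) <= MAX_TARGETS:
        problems.append(f"expected {MIN_TARGETS} to {MAX_TARGETS} targets, got {len(targets)}")
    for i, target in enumerate(targets):
        where = f"target[{i}]"
        if not isinstance(target, dict):
            problems.append(f"{where}: must be an object")
            continue
        if not isinstance(target.get("Type"), str) or not target["Type"]:
            problems.append(f"{where}: Type is required")
        data = target.get("Data")
        if not isinstance(data, dict):
            problems.append(f"{where}: Data is required")
            continue
        unknown = sorted(set(data) - set(UNION_KEYS))
        if unknown:
            problems.append(f"{where}: unknown Data keys {unknown}")
        present = [key for key in UNION_KEYS if key in data]
        if len(present) != 1:
            problems.append(f"{where}: Data must set exactly one union key, found {present}")
        elif present == ["Canary"]:
            canary = data["Canary"]
            if not (isinstance(canary, dict) and canary.get("CanaryName")):
                problems.append(f"{where}: Canary.CanaryName is required")
    return problems


def to_cli_argument(targets):
    """Serialize validated targets for --audit-targets; raise on any problem."""
    problems = validate_audit_targets(targets)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(targets, separators=(",", ":"))


# Constructed sample values (names are placeholders, not from the page).
GOOD = [{"Type": "Canary", "Data": {"Canary": {"CanaryName": "example-canary"}}}]
BAD = [{"Type": "Service",
        "Data": {"Service": {"Name": "example-service"},
                 "Canary": {"CanaryName": "example-canary"}}}]

if __name__ == "__main__":
    print(to_cli_argument(GOOD))
    print(validate_audit_targets(BAD))
```
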
--next-token (string)
The token for the next set of results. Use this token to retrieve additional pages of audit findings when the result set is large.
--max-results (integer)
The maximum number of audit findings to return in a single request. Valid range is 1 to 100. If not specified, defaults to 50.
Constraints:
- min: 1
- max: 10
--cli-input-json | --cli-input-yaml (string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.
--generate-cli-skeleton (string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command. The generated JSON skeleton is not stable between versions of the AWS CLI and there are no backwards compatibility guarantees in the JSON skeleton generated.
--debug (boolean)
Turn on debug logging.
--endpoint-url (string)
Override command’s default URL with the given URL.
--no-verify-ssl (boolean)
By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.
--no-paginate (boolean)
Disable automatic pagination. If automatic pagination is disabled, the AWS CLI will only make one call, for the first page of results.
--output (string)
The formatting style for command output.
--query (string)
A JMESPath query to use in filtering the response data.
--profile (string)
Use a specific profile from your credential file.
--region (string)
The region to use. Overrides config/env settings.
--version (string)
Display the version of this tool.
--color (string)
Turn on/off color output.
--no-sign-request (boolean)
Do not sign requests. Credentials will not be loaded if this argument is provided.
--ca-bundle (string)
The CA certificate bundle to use when verifying SSL certificates. Overrides config/env settings.
--cli-read-timeout (int)
The maximum socket read time in seconds. If the value is set to 0, the socket read will be blocking and not timeout. The default value is 60 seconds.
--cli-connect-timeout (int)
The maximum socket connect time in seconds. If the value is set to 0, the socket connect will be blocking and not timeout. The default value is 60 seconds.
--cli-binary-format (string)
The formatting style to be used for binary blobs. The default format is base64. The base64 format expects binary blobs to be provided as a base64 encoded string. The raw-in-base64-out format preserves compatibility with AWS CLI V1 behavior and binary values must be passed literally. When providing contents from a file that map to a binary blob, fileb:// will always be treated as binary and use the file contents directly regardless of the cli-binary-format setting. When using file://, the file contents will need to be properly formatted for the configured cli-binary-format.
--no-cli-pager (boolean)
Disable cli pager for output.
--cli-auto-prompt (boolean)
Automatically prompt for CLI input parameters.
--no-cli-auto-prompt (boolean)
Disable automatic prompting for CLI input parameters.
AuditFindings -> (list)
An array of audit findings that match the specified criteria. Each finding includes details about the issue, affected resources, and auditor results.
Constraints:
- min: 0
- max: 10
(structure)
Represents an audit finding that identifies a potential issue, misconfiguration, or compliance violation in Application Signals resources.
KeyAttributes -> (map) [required]
A map of key attributes that identify the resource associated with this audit finding. These attributes help locate and understand the context of the finding.
Constraints:
- min: 1
- max: 4
key -> (string)
Constraints:
- pattern: [a-zA-Z]{1,50}
value -> (string)
Constraints:
- min: 1
- max: 1024
- pattern: [ -~]*[!-~]+[ -~]*
AuditorResults -> (list)
An array of results from different auditors that examined the resource. Each result includes the auditor name, description, and severity level.
Constraints:
- min: 0
- max: 5
(structure)
Represents the result of an audit performed by a specific auditor on a resource.
Auditor -> (string)
The name or identifier of the auditor that performed the examination and generated this result.
Description -> (string)
A detailed description of what the auditor found, including any recommendations for remediation or further investigation.
Constraints:
- min: 0
- max: 10240
Severity -> (string)
The severity level of the finding, such as “Critical”, “High”, “Medium”, or “Low”. This helps prioritize remediation efforts.
Possible values:
- CRITICAL
- HIGH
- MEDIUM
- LOW
- NONE
Operation -> (string)
The operation or action that was being audited when this finding was discovered. This provides context about what was being examined.
MetricGraph -> (structure)
A metric graph associated with the audit finding, showing relevant performance data that may be related to the identified issue.
MetricDataQueries -> (list)
An array of metric data queries that define what metrics to display in the graph. Each query specifies the metric source, aggregation, and time range.
(structure)
Use this structure to define a metric or metric math expression that you want to use for a service level objective.
Each MetricDataQuery in the MetricDataQueries array specifies either a metric to retrieve, or a metric math expression to be performed on retrieved metrics. A single MetricDataQueries array can include as many as 20 MetricDataQuery structures in the array. The 20 structures can include as many as 10 structures that contain a MetricStat parameter to retrieve a metric, and as many as 10 structures that contain the Expression parameter to perform a math expression. Of those Expression structures, exactly one must have true as the value for ReturnData. The result of this expression is used for the SLO.
For more information about metric math expressions, see CloudWatch Use metric math.
Within each MetricDataQuery object, you must specify either Expression or MetricStat but not both.
Id -> (string) [required]
A short name used to tie this object to the results in the response. This Id must be unique within a MetricDataQueries array. If you are performing math expressions on this set of data, this name represents that data and can serve as a variable in the metric math expression. The valid characters are letters, numbers, and underscore. The first character must be a lowercase letter.
Constraints:
- min: 1
- max: 255
MetricStat -> (structure)
A metric to be used directly for the SLO, or to be used in the math expression that will be used for the SLO.
Within one MetricDataQuery object, you must specify either Expression or MetricStat but not both.
Metric -> (structure) [required]
The metric to use as the service level indicator, including the metric name, namespace, and dimensions.
Namespace -> (string)
The namespace of the metric. For more information, see Namespaces.
Constraints:
- min: 1
- max: 255
- pattern: .*[^:].*
MetricName -> (string)
The name of the metric to use.
Constraints:
- min: 1
- max: 255
Dimensions -> (list)
An array of one or more dimensions to use to define the metric that you want to use. For more information, see Dimensions.
Constraints:
- min: 0
- max: 30
(structure)
A dimension is a name/value pair that is part of the identity of a metric. Because dimensions are part of the unique identifier for a metric, whenever you add a unique name/value pair to one of your metrics, you are creating a new variation of that metric. For example, many Amazon EC2 metrics publish InstanceId as a dimension name, and the actual instance ID as the value for that dimension.
You can assign up to 30 dimensions to a metric.
Name -> (string) [required]
The name of the dimension. Dimension names must contain only ASCII characters, must include at least one non-whitespace character, and cannot start with a colon (:). ASCII control characters are not supported as part of dimension names.
Constraints:
- min: 1
- max: 255
Value -> (string) [required]
The value of the dimension. Dimension values must contain only ASCII characters and must include at least one non-whitespace character. ASCII control characters are not supported as part of dimension values.
Constraints:
- min: 1
- max: 1024
Period -> (integer) [required]
The granularity, in seconds, to be used for the metric. For metrics with regular resolution, a period can be as short as one minute (60 seconds) and must be a multiple of 60. For high-resolution metrics that are collected at intervals of less than one minute, the period can be 1, 5, 10, 30, 60, or any multiple of 60. High-resolution metrics are those metrics stored by a PutMetricData call that includes a StorageResolution of 1 second.
Constraints:
- min: 1
Stat -> (string) [required]
The statistic to use for comparison to the threshold. It can be any CloudWatch statistic or extended statistic. For more information about statistics, see CloudWatch statistics definitions.
Unit -> (string)
If you omit Unit then all data that was collected with any unit is returned, along with the corresponding units that were specified when the data was reported to CloudWatch. If you specify a unit, the operation returns only data that was collected with that unit specified. If you specify a unit that does not match the data collected, the results of the operation are null. CloudWatch does not perform unit conversions.
Possible values:
- Microseconds
- Milliseconds
- Seconds
- Bytes
- Kilobytes
- Megabytes
- Gigabytes
- Terabytes
- Bits
- Kilobits
- Megabits
- Gigabits
- Terabits
- Percent
- Count
- Bytes/Second
- Kilobytes/Second
- Megabytes/Second
- Gigabytes/Second
- Terabytes/Second
- Bits/Second
- Kilobits/Second
- Megabits/Second
- Gigabits/Second
- Terabits/Second
- Count/Second
- None
Expression -> (string)
This field can contain a metric math expression to be performed on the other metrics that you are retrieving within this MetricDataQueries structure.
A math expression can use the Id of the other metrics or queries to refer to those metrics, and can also use the Id of other expressions to use the result of those expressions. For more information about metric math expressions, see Metric Math Syntax and Functions in the Amazon CloudWatch User Guide.
Within each MetricDataQuery object, you must specify either Expression or MetricStat but not both.
Constraints:
- min: 1
- max: 2048
Label -> (string)
A human-readable label for this metric or expression. This is especially useful if this is an expression, so that you know what the value represents. If the metric or expression is shown in a CloudWatch dashboard widget, the label is shown. If Label is omitted, CloudWatch generates a default.
You can put dynamic expressions into a label, so that it is more descriptive. For more information, see Using Dynamic Labels.
ReturnData -> (boolean)
Use this only if you are using a metric math expression for the SLO. Specify true for ReturnData for only the one expression result to use as the alarm. For all other metrics and expressions in the same CreateServiceLevelObjective operation, specify ReturnData as false.
Period -> (integer)
The granularity, in seconds, of the returned data points for this metric. For metrics with regular resolution, a period can be as short as one minute (60 seconds) and must be a multiple of 60. For high-resolution metrics that are collected at intervals of less than one minute, the period can be 1, 5, 10, 30, 60, or any multiple of 60. High-resolution metrics are those metrics stored by a PutMetricData call that includes a StorageResolution of 1 second.
If the StartTime parameter specifies a time stamp that is greater than 3 hours ago, you must specify the period as follows or no data points in that time range are returned:
- Start time between 3 hours and 15 days ago - Use a multiple of 60 seconds (1 minute).
- Start time between 15 and 63 days ago - Use a multiple of 300 seconds (5 minutes).
- Start time greater than 63 days ago - Use a multiple of 3600 seconds (1 hour).
Constraints:
- min: 1
AccountId -> (string)
The ID of the account where this metric is located. If you are performing this operation in a monitoring account, use this to specify which source account to retrieve this metric from.
Constraints:
- min: 1
- max: 255
StartTime -> (timestamp)
The start time for the metric data displayed in the graph, expressed as the number of milliseconds since January 1, 1970, 00:00:00 UTC.
EndTime -> (timestamp)
The end time for the metric data displayed in the graph, expressed as the number of milliseconds since January 1, 1970, 00:00:00 UTC.
DependencyGraph -> (structure)
A dependency graph showing the relationships between services that may be affected by or related to the audit finding.
Nodes -> (list)
An array of nodes in the dependency graph, where each node represents a service or component.
Constraints:
- min: 0
- max: 4
(structure)
Represents a node in a dependency graph, typically corresponding to a service or component in your application architecture.
KeyAttributes -> (map) [required]
A map of key attributes that identify and describe the node, such as service name, environment, and other metadata.
Constraints:
- min: 1
- max: 4
key -> (string)
Constraints:
- pattern: [a-zA-Z]{1,50}
value -> (string)
Constraints:
- min: 1
- max: 1024
- pattern: [ -~]*[!-~]+[ -~]*
Name -> (string) [required]
The display name of the node, typically the service or component name.
NodeId -> (string) [required]
A unique identifier for the node within the dependency graph.
Operation -> (string)
The specific operation or endpoint within the service that this node represents, if applicable.
Type -> (string)
The type of node, such as “Service”, “Database”, “Queue”, or “External”.
Duration -> (double)
The typical response time or processing duration for this node, measured in milliseconds.
Status -> (string)
The current health status of the node, such as “Healthy”, “Warning”, or “Critical”.
Edges -> (list)
An array of edges in the dependency graph, where each edge represents a connection or dependency between two nodes.
(structure)
Represents a connection between two nodes in a dependency graph, showing how services or components interact with each other.
SourceNodeId -> (string)
The identifier of the source node in the dependency relationship.
DestinationNodeId -> (string)
The identifier of the destination node in the dependency relationship.
Duration -> (double)
The typical duration or latency of interactions along this edge, measured in milliseconds.
ConnectionType -> (string)
The type of connection between the nodes, such as “HTTP”, “Database”, “Queue”, or “Internal”.
Possible values:
- INDIRECT
- DIRECT
Type -> (string)
The type or category of the audit finding, such as “Performance”, “Security”, or “Configuration”.
NextToken -> (string)
The token to use for retrieving the next page of results. This value is present only if there are more results available than were returned in the current response.
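A script that consumes this output has to follow NextToken across pages and reduce each finding's AuditorResults to a single severity before it can prioritize. The following is an added example, not part of the AWS documentation: a Python triage routine over the documented response shape. fetch_page is a hypothetical callable standing in for whatever issues the request, and the two-page sample, auditor names and service names are constructed.

```python
# Severity values enumerated on this page, most severe first.
SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "NONE")
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}


def iter_findings(fetch_page):
    """Yield every finding, following NextToken until a response omits it.

    fetch_page is a hypothetical callable: it takes a token (or None) and
    returns one parsed list-audit-findings response as a dict.
    """
    token, seen = None, set()
    while True:
        page = fetch_page(token)
        yield from page.get("AuditFindings") or []
        token = page.get("NextToken")
        if not token:
            return
        if token in seen:  # a repeating token would otherwise loop forever
            raise RuntimeError("NextToken repeated")
        seen.add(token)


def worst_severity(finding):
    """Most severe value across a finding's AuditorResults (NONE if absent)."""
    results = finding.get("AuditorResults") or []
    known = [r.get("Severity") for r in results if r.get("Severity") in RANK]
    return min(known, key=RANK.get) if known else "NONE"


def triage(fetch_page, floor="MEDIUM"):
    """Return (severity, KeyAttributes, auditors) rows at or above floor, worst first."""
    rows = []
    for finding in iter_findings(fetch_page):
        severity = worst_severity(finding)
        if RANK[severity] <= RANK[floor]:
            results = finding.get("AuditorResults") or []
            auditors = sorted({r.get("Auditor", "") for r in results})
            rows.append((severity, finding.get("KeyAttributes", {}), auditors))
    return sorted(rows, key=lambda row: RANK[row[0]])  # stable within a severity


# Constructed two-page response shaped like the output documented above.
SAMPLE_PAGES = {
    None: {"NextToken": "page-2", "AuditFindings": [
        {"KeyAttributes": {"Type": "Service", "Name": "orders"},
         "AuditorResults": [{"Auditor": "auditor-a", "Severity": "LOW"},
                            {"Auditor": "auditor-b", "Severity": "CRITICAL"}]},
        {"KeyAttributes": {"Type": "Service", "Name": "search"},
         "AuditorResults": [{"Auditor": "auditor-a", "Severity": "LOW"}]}]},
    "page-2": {"AuditFindings": [
        {"KeyAttributes": {"Type": "Service", "Name": "billing"},
         "AuditorResults": [{"Auditor": "auditor-a", "Severity": "MEDIUM"}]}]},
}


def sample_fetch(token):
    return SAMPLE_PAGES[token]
```
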