The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by region. To see the differences that apply to the China regions, see Getting Started with Amazon Web Services in China (PDF).
This page is a machine-translated version. Where this translation differs from the English original, the English original takes precedence.
Viewing details and compliance information for Amazon Config rules
To report compliance status accurately, the AWS::Config::ResourceCompliance resource type must be recorded. For more information, see Recording Amazon resources.
You can view your rules by using the Amazon Config console or the Amazon SDKs.
Viewing rules (console)
The Rules page shows your rules and their current compliance results in a table. The result for each rule is "Evaluating..." until Amazon Config finishes evaluating your resources against that rule. You can update the results with the refresh button. After Amazon Config finishes evaluating, you can see which rules and resource types are compliant or noncompliant. For more information, see Viewing compliance information and evaluation results for Amazon resources with Amazon Config.
Amazon Config evaluates only the resource types that it records. For example, if you add the cloudtrail-enabled rule but do not record the CloudTrail trail resource type, Amazon Config cannot evaluate whether the trails in your account are compliant or noncompliant. For more information, see Recording Amazon resources with Amazon Config.
To view your rules
1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.aws.amazon.com/config/.
2. In the Amazon Web Services Management Console menu, verify that the region selector is set to a region that supports Amazon Config rules. For the list of supported regions, see Amazon Config regions and endpoints in the Amazon Web Services General Reference.
3. In the left navigation pane, choose Rules.
4. The Rules page shows all rules that currently exist in your Amazon Web Services account. It lists each rule's name, its associated remediation action, and its compliance status.
Viewing rules (Amazon SDKs)
The following code examples show how to use DescribeConfigRules.
Amazon CLI
Get details for an Amazon Config rule
The following command returns details for the Amazon Config rule named InstanceTypesAreT2micro:
aws configservice describe-config-rules --config-rule-names InstanceTypesAreT2micro
Output:
{
    "ConfigRules": [
        {
            "ConfigRuleState": "ACTIVE",
            "Description": "Evaluates whether EC2 instances are the t2.micro type.",
            "ConfigRuleName": "InstanceTypesAreT2micro",
            "ConfigRuleArn": "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-abcdef",
            "Source": {
                "Owner": "CUSTOM_LAMBDA",
                "SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:InstanceTypeCheck",
                "SourceDetails": [
                    {
                        "EventSource": "aws.config",
                        "MessageType": "ConfigurationItemChangeNotification"
                    }
                ]
            },
            "InputParameters": "{\"desiredInstanceType\":\"t2.micro\"}",
            "Scope": {
                "ComplianceResourceTypes": [
                    "AWS::EC2::Instance"
                ]
            },
            "ConfigRuleId": "config-rule-abcdef"
        }
    ]
}
Tools for PowerShell
Example 1: This example lists the Config rules for the account, with selected properties.
Get-CFGConfigRule | Select-Object ConfigRuleName, ConfigRuleId, ConfigRuleArn, ConfigRuleState
Output:
ConfigRuleName ConfigRuleId ConfigRuleArn ConfigRuleState
-------------- ------------ ------------- ---------------
ALB_REDIRECTION_CHECK config-rule-12iyn3 arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-12iyn3 ACTIVE
access-keys-rotated config-rule-aospfr arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-aospfr ACTIVE
autoscaling-group-elb-healthcheck-required config-rule-cn1f2x arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-cn1f2x ACTIVE
SDK for Python (Boto3)
import logging

from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


class ConfigWrapper:
    """
    Encapsulates AWS Config functions.
    """

    def __init__(self, config_client):
        """
        :param config_client: A Boto3 AWS Config client.
        """
        self.config_client = config_client

    def describe_config_rule(self, rule_name):
        """
        Gets data for the specified rule.

        :param rule_name: The name of the rule to retrieve.
        :return: The rule data (the list under the response's ConfigRules key).
        """
        try:
            response = self.config_client.describe_config_rules(
                ConfigRuleNames=[rule_name]
            )
            rule = response["ConfigRules"]
            logger.info("Got data for rule %s.", rule_name)
        except ClientError:
            logger.exception("Couldn't get data for rule %s.", rule_name)
            raise
        else:
            return rule
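The DescribeConfigRules response above is easy to misread: InputParameters is a JSON-encoded string rather than a nested object, SourceDetails tells you whether a rule runs on configuration changes or on a schedule, and Scope tells you which resource types the rule is limited to. The following is an added example, not part of this page or of the AWS SDK code examples, that flattens a rule into the fields a reviewer checks. The sample response is constructed from the CLI output above; the function names (summarize_rule, summarize_rules, TRIGGER_BY_MESSAGE_TYPE) are this example's own. ScheduledNotification and OversizedConfigurationItemChangeNotification are the other MessageType values the API uses; they do not appear on this page.

```python
import json

# Constructed sample: the DescribeConfigRules response shown above, trimmed to
# the fields this helper reads. It stands in for a real describe_config_rules
# call so the example runs offline.
SAMPLE_DESCRIBE_RESPONSE = {
    "ConfigRules": [
        {
            "ConfigRuleState": "ACTIVE",
            "ConfigRuleName": "InstanceTypesAreT2micro",
            "Source": {
                "Owner": "CUSTOM_LAMBDA",
                "SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:InstanceTypeCheck",
                "SourceDetails": [
                    {
                        "EventSource": "aws.config",
                        "MessageType": "ConfigurationItemChangeNotification",
                    }
                ],
            },
            "InputParameters": "{\"desiredInstanceType\":\"t2.micro\"}",
            "Scope": {"ComplianceResourceTypes": ["AWS::EC2::Instance"]},
        }
    ]
}

# Maps SourceDetails.MessageType to the kind of trigger it represents.
TRIGGER_BY_MESSAGE_TYPE = {
    "ConfigurationItemChangeNotification": "change-triggered",
    "OversizedConfigurationItemChangeNotification": "change-triggered",
    "ScheduledNotification": "periodic",
}


def summarize_rule(rule):
    """Flatten one ConfigRule dict into the fields an auditor looks at.

    InputParameters arrives as a JSON *string*, so it is decoded here; a rule
    with no parameters (key absent or null) yields an empty dict. Managed
    rules may carry no SourceDetails, in which case triggers is empty, and a
    missing Scope yields an empty scoped_types list (no recorded restriction).
    """
    params = json.loads(rule.get("InputParameters") or "{}")
    details = rule.get("Source", {}).get("SourceDetails", [])
    triggers = sorted(
        {TRIGGER_BY_MESSAGE_TYPE.get(d.get("MessageType"), "unknown") for d in details}
    )
    return {
        "name": rule["ConfigRuleName"],
        "state": rule.get("ConfigRuleState"),
        "owner": rule["Source"]["Owner"],
        "source": rule["Source"]["SourceIdentifier"],
        "triggers": triggers,
        "parameters": params,
        "scoped_types": rule.get("Scope", {}).get("ComplianceResourceTypes", []),
    }


def summarize_rules(response):
    """Summarize every rule in a DescribeConfigRules response."""
    return [summarize_rule(r) for r in response["ConfigRules"]]


if __name__ == "__main__":
    for summary in summarize_rules(SAMPLE_DESCRIBE_RESPONSE):
        print(summary)
```

With a real client, pass the return value of ConfigWrapper.describe_config_rule (which is the ConfigRules list) to summarize_rule one entry at a time. Decoding InputParameters matters in practice because a rule whose parameters were set to the wrong value looks identical to a correct one until you compare the decoded values.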
The following code examples show how to use DescribeComplianceByConfigRule.
Amazon CLI
Get compliance information for your Amazon Config rules
The following command returns compliance information for each Amazon Config rule that is violated by one or more Amazon resources:
aws configservice describe-compliance-by-config-rule --compliance-types NON_COMPLIANT
In the output, the value of each CappedCount attribute indicates how many resources do not comply with the related rule. For example, the following output indicates that 3 resources do not comply with the rule named InstanceTypesAreT2micro.
Output:
{
    "ComplianceByConfigRules": [
        {
            "Compliance": {
                "ComplianceContributorCount": {
                    "CappedCount": 3,
                    "CapExceeded": false
                },
                "ComplianceType": "NON_COMPLIANT"
            },
            "ConfigRuleName": "InstanceTypesAreT2micro"
        },
        {
            "Compliance": {
                "ComplianceContributorCount": {
                    "CappedCount": 10,
                    "CapExceeded": false
                },
                "ComplianceType": "NON_COMPLIANT"
            },
            "ConfigRuleName": "RequiredTagsForVolumes"
        }
    ]
}
Tools for PowerShell
Example 1: This example retrieves the compliance details for the rule ebs-optimized-instance, which currently has no evaluation results, so it returns INSUFFICIENT_DATA.
(Get-CFGComplianceByConfigRule -ConfigRuleName ebs-optimized-instance).Compliance
Output:
ComplianceContributorCount ComplianceType
-------------------------- --------------
INSUFFICIENT_DATA
Example 2: This example returns the number of noncompliant resources for the rule ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK.
(Get-CFGComplianceByConfigRule -ConfigRuleName ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK -ComplianceType NON_COMPLIANT).Compliance.ComplianceContributorCount
Output:
CapExceeded CappedCount
----------- -----------
False 2
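Two things the CLI and PowerShell examples above leave to the reader: the API pages its results with NextToken, and ComplianceContributorCount is a capped count (when CapExceeded is true, CappedCount is a floor, not the real number), while a rule with INSUFFICIENT_DATA carries no count at all, as the empty column in the PowerShell output shows. The following is an added example, not part of this page or of the AWS code examples, that walks every page of DescribeComplianceByConfigRule and builds a per-rule report with those cases handled. FakeConfigClient is a constructed stand-in for a boto3 Config client that serves the documented response shape page by page; SAMPLE_PAGES is built from the outputs above plus a constructed capped entry; the function names are this example's own.

```python
class FakeConfigClient:
    """Constructed stand-in for a boto3 Config client (not the real thing).

    It serves pre-built DescribeComplianceByConfigRule pages and hands back a
    NextToken whenever another page follows, exactly as the API does.
    """

    def __init__(self, pages):
        self._pages = pages

    def describe_compliance_by_config_rule(self, **kwargs):
        token = kwargs.get("NextToken")
        index = int(token) if token else 0
        page = dict(self._pages[index])  # shallow copy so we never mutate the source
        if index + 1 < len(self._pages):
            page["NextToken"] = str(index + 1)
        return page


def _entry(name, ctype, count=None, capped=False):
    """Build one ComplianceByConfigRules element in the documented shape."""
    compliance = {"ComplianceType": ctype}
    if count is not None:
        compliance["ComplianceContributorCount"] = {"CappedCount": count, "CapExceeded": capped}
    return {"ConfigRuleName": name, "Compliance": compliance}


# Constructed pages: the first mirrors the CLI output above, the second mirrors
# the two PowerShell examples (the capped count on the last rule is invented to
# exercise the CapExceeded path; the page shows CapExceeded False with count 2).
SAMPLE_PAGES = [
    {"ComplianceByConfigRules": [
        _entry("InstanceTypesAreT2micro", "NON_COMPLIANT", 3),
        _entry("RequiredTagsForVolumes", "NON_COMPLIANT", 10),
    ]},
    {"ComplianceByConfigRules": [
        _entry("ebs-optimized-instance", "INSUFFICIENT_DATA"),
        _entry("ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK", "NON_COMPLIANT", 25, capped=True),
    ]},
]


def iter_rule_compliance(client, **params):
    """Yield every ComplianceByConfigRules entry, following NextToken to the end."""
    token = None
    while True:
        kwargs = dict(params)
        if token:
            kwargs["NextToken"] = token
        page = client.describe_compliance_by_config_rule(**kwargs)
        yield from page.get("ComplianceByConfigRules", [])
        token = page.get("NextToken")
        if not token:
            return


def compliance_report(client, **params):
    """Return {rule_name: (compliance_type, count, capped)} across all pages.

    INSUFFICIENT_DATA entries have no contributor count and are reported as 0;
    a capped entry keeps its CappedCount but is flagged so callers treat it as
    'at least' rather than an exact figure.
    """
    report = {}
    for entry in iter_rule_compliance(client, **params):
        compliance = entry["Compliance"]
        counter = compliance.get("ComplianceContributorCount", {})
        report[entry["ConfigRuleName"]] = (
            compliance["ComplianceType"],
            counter.get("CappedCount", 0),
            bool(counter.get("CapExceeded", False)),
        )
    return report


def describe_line(name, status, count, capped):
    """Render one report row, spelling out when the count is only a floor."""
    if status == "INSUFFICIENT_DATA":
        return f"{name}: no evaluation results yet"
    qualifier = "at least " if capped else ""
    return f"{name}: {status}, {qualifier}{count} resource(s)"


if __name__ == "__main__":
    for name, (status, count, capped) in compliance_report(FakeConfigClient(SAMPLE_PAGES)).items():
        print(describe_line(name, status, count, capped))
```

With a real client you would pass boto3.client("config") in place of FakeConfigClient and, for example, ComplianceTypes=["NON_COMPLIANT"] as params to mirror the CLI call above; the NextToken loop is the same. When CapExceeded is true, use GetComplianceDetailsByConfigRule to enumerate the actual resources rather than reporting CappedCount as the total.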
The following code examples show how to use GetComplianceSummaryByConfigRule.
Amazon CLI
Get the compliance summary for your Amazon Config rules
The following command returns the number of rules that are compliant and the number that are noncompliant.
aws configservice get-compliance-summary-by-config-rule
In the output, the value of each CappedCount attribute indicates how many rules are compliant or noncompliant.
Output:
{
    "ComplianceSummary": {
        "NonCompliantResourceCount": {
            "CappedCount": 3,
            "CapExceeded": false
        },
        "ComplianceSummaryTimestamp": 1452204131.493,
        "CompliantResourceCount": {
            "CappedCount": 2,
            "CapExceeded": false
        }
    }
}
Tools for PowerShell
Example 1: This example returns the number of Config rules that are noncompliant.
Get-CFGComplianceSummaryByConfigRule -Select ComplianceSummary.NonCompliantResourceCount
Output:
CapExceeded CappedCount
----------- -----------
False 9
The following code examples show how to use GetComplianceDetailsByConfigRule.
Amazon CLI
Get the evaluation results for an Amazon Config rule
The following command returns the evaluation results for all resources that do not comply with the Amazon Config rule named InstanceTypesAreT2micro:
aws configservice get-compliance-details-by-config-rule --config-rule-name InstanceTypesAreT2micro --compliance-types NON_COMPLIANT
Output:
{
    "EvaluationResults": [
        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1450314635.065,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::Instance",
                    "ResourceId": "i-1a2b3c4d",
                    "ConfigRuleName": "InstanceTypesAreT2micro"
                }
            },
            "ResultRecordedTime": 1450314645.261,
            "ConfigRuleInvokedTime": 1450314642.948,
            "ComplianceType": "NON_COMPLIANT"
        },
        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1450314635.065,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::Instance",
                    "ResourceId": "i-2a2b3c4d",
                    "ConfigRuleName": "InstanceTypesAreT2micro"
                }
            },
            "ResultRecordedTime": 1450314645.18,
            "ConfigRuleInvokedTime": 1450314642.902,
            "ComplianceType": "NON_COMPLIANT"
        },
        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1450314635.065,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::Instance",
                    "ResourceId": "i-3a2b3c4d",
                    "ConfigRuleName": "InstanceTypesAreT2micro"
                }
            },
            "ResultRecordedTime": 1450314643.346,
            "ConfigRuleInvokedTime": 1450314643.124,
            "ComplianceType": "NON_COMPLIANT"
        }
    ]
}
Tools for PowerShell
Example 1: This example gets the evaluation results for the rule access-keys-rotated and returns the output grouped by compliance type.
Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated | Group-Object ComplianceType
Output:
Count Name Group
----- ---- -----
2 COMPLIANT {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult}
5 NON_COMPLIANT {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationRes...
Example 2: This example queries the compliance details of the rule access-keys-rotated for resources that are compliant.
Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated -ComplianceType COMPLIANT | ForEach-Object {$_.EvaluationResultIdentifier.EvaluationResultQualifier}
Output:
ConfigRuleName ResourceId ResourceType
-------------- ---------- ------------
access-keys-rotated BCAB1CDJ2LITAPVEW3JAH AWS::IAM::User
access-keys-rotated BCAB1CDJ2LITL3EHREM4Q AWS::IAM::User
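The GetComplianceDetailsByConfigRule output above is what you actually act on: it names the individual resources, and ResultRecordedTime tells you how fresh each verdict is (the CLI prints epoch seconds; the boto3 client returns datetime objects for the same field). The following is an added example, not part of this page or of the AWS code examples, that turns a list of EvaluationResults into a time-ordered list of noncompliant resources with UTC timestamps, and reproduces the Group-Object ComplianceType count from the PowerShell example. SAMPLE_RESULTS is constructed from the three results in the CLI output plus one invented COMPLIANT row so the filter has something to drop; the function names are this example's own.

```python
from collections import Counter
from datetime import datetime, timezone


def _result(resource_id, recorded, compliance):
    """Build one EvaluationResults element in the documented shape."""
    return {
        "EvaluationResultIdentifier": {
            "OrderingTimestamp": 1450314635.065,
            "EvaluationResultQualifier": {
                "ResourceType": "AWS::EC2::Instance",
                "ResourceId": resource_id,
                "ConfigRuleName": "InstanceTypesAreT2micro",
            },
        },
        "ResultRecordedTime": recorded,
        "ComplianceType": compliance,
    }


# Constructed sample: the three NON_COMPLIANT results from the CLI output above,
# plus one invented COMPLIANT instance that does not appear on the page.
SAMPLE_RESULTS = [
    _result("i-1a2b3c4d", 1450314645.261, "NON_COMPLIANT"),
    _result("i-2a2b3c4d", 1450314645.18, "NON_COMPLIANT"),
    _result("i-3a2b3c4d", 1450314643.346, "NON_COMPLIANT"),
    _result("i-4a2b3c4d", 1450314640.0, "COMPLIANT"),  # constructed
]


def _to_utc(ts):
    """Normalize a timestamp to an aware UTC datetime.

    Accepts the CLI's epoch-seconds number or a datetime (as boto3 returns);
    a naive datetime is assumed to already be UTC.
    """
    if isinstance(ts, datetime):
        return ts.astimezone(timezone.utc) if ts.tzinfo else ts.replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(float(ts), tz=timezone.utc)


def noncompliant_resources(results):
    """Return (resource_type, resource_id, recorded_at_iso) for every
    NON_COMPLIANT result, oldest verdict first.

    Sorting happens on the datetime, not the formatted string, so results
    recorded within the same second keep their true order.
    """
    rows = []
    for result in results:
        if result.get("ComplianceType") != "NON_COMPLIANT":
            continue
        qualifier = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        rows.append((_to_utc(result["ResultRecordedTime"]),
                     qualifier["ResourceType"], qualifier["ResourceId"]))
    rows.sort(key=lambda row: row[0])
    return [(rtype, rid, when.isoformat(timespec="seconds")) for when, rtype, rid in rows]


def count_by_compliance(results):
    """Same grouping as 'Group-Object ComplianceType' in the PowerShell example."""
    return dict(Counter(r["ComplianceType"] for r in results))


if __name__ == "__main__":
    print(count_by_compliance(SAMPLE_RESULTS))
    for rtype, rid, when in noncompliant_resources(SAMPLE_RESULTS):
        print(f"{when}  {rtype}  {rid}")
```

With a real client, pass response["EvaluationResults"] from get_compliance_details_by_config_rule (following NextToken across pages, as for the other calls on this page) to these functions. Ordering by ResultRecordedTime is what lets you spot a resource whose verdict is stale because the rule has not re-evaluated it since the last configuration change.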