Query the current configuration state of Amazon resources - Amazon Config
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This is a machine-translated version. If this translation differs from the English original, the English original prevails.

Query the current configuration state of Amazon resources

A preview feature has been introduced for advanced queries that lets you use generative artificial intelligence (generative AI) to enter a prompt in plain English and convert it into a ready-to-use query. For more information, see Natural language query processor for advanced queries.

You can use Amazon Config to query the current configuration state of Amazon resources based on configuration properties for a single account and Region, or across multiple accounts and Regions. You can run property-based queries against the current Amazon resource state metadata of the resource types in the supported list. For the list of supported resource types, see Supported resource types for advanced queries.

Advanced queries provide a single query endpoint and a query language for retrieving current resource state metadata without making service-specific describe API calls. Using a configuration aggregator, you can run the same queries from one central account across multiple accounts and Amazon Regions.

Features

Amazon Config uses a subset of the structured query language (SQL) SELECT syntax to perform property-based queries and aggregations on current configuration item (CI) data. Queries range in complexity from matching on tags and/or resource identifiers to more complex queries, such as listing all Amazon S3 buckets that have versioning disabled. This lets you query exactly the current resource state you need without making Amazon service-specific API calls.

It supports the aggregation functions AVG, COUNT, MAX, MIN, and SUM.

You can use advanced queries for:

  • Inventory management; for example, retrieving the list of Amazon EC2 instances of a particular size.

  • Security and operational intelligence; for example, retrieving the list of resources that have a particular configuration property enabled or disabled.

  • Cost optimization; for example, identifying the list of Amazon EBS volumes that are not attached to any EC2 instance.

  • Compliance data; for example, retrieving the list of all conformance packs and their compliance status.

For information about how to use the SQL query language, see What is SQL (Structured Query Language)?

Query components

The components of a SQL SELECT query are as follows.

Synopsis

SELECT property [, ...] [ WHERE condition ] [ GROUP BY property ] [ ORDER BY property [ ASC | DESC ] [, property [ ASC | DESC ] ...] ]

Parameters

[ WHERE condition ]

Filters the results by the condition you specify.

[ GROUP BY property ]

Aggregates the result set into groups of rows that share a value for the given property.

The GROUP BY clause applies to aggregations.

[ ORDER BY property [ ASC | DESC ] [, property [ ASC | DESC ] ...]]

Sorts the result set by one or more output properties.

When the clause contains multiple properties, the result set is sorted by the first property, then, among rows that share a value for the first property, by the second property, and so on.

Examples

SELECT resourceId WHERE resourceType='AWS::EC2::Instance'
SELECT configuration.complianceType, COUNT(*) WHERE resourceType = 'AWS::Config::ResourceCompliance' GROUP BY configuration.complianceType

Example queries

Query to list all EC2 instances with AMI ID ami-12345

Query:

SELECT resourceId, resourceType, configuration.instanceType, configuration.placement.tenancy, configuration.imageId, availabilityZone WHERE resourceType = 'AWS::EC2::Instance' AND configuration.imageId = 'ami-12345'

Result:

{
  "QueryInfo": {
    "SelectFields": [
      { "Name": "resourceId" },
      { "Name": "resourceType" },
      { "Name": "configuration.instanceType" },
      { "Name": "configuration.placement.tenancy" },
      { "Name": "configuration.imageId" },
      { "Name": "availabilityZone" }
    ]
  },
  "Results": [
    "{\"resourceId\":\"resourceid\",\"configuration\":{\"imageId\":\"ami-12345\",\"instanceType\":\"t2.micro\",\"placement\":{\"tenancy\":\"default\"}},\"availabilityZone\":\"us-west-2c\",\"resourceType\":\"AWS::EC2::Instance\"}",
    "{\"resourceId\":\"resourceid\",\"configuration\":{\"imageId\":\"ami-12345\",\"instanceType\":\"t2.micro\",\"placement\":{\"tenancy\":\"default\"}},\"availabilityZone\":\"us-west-2a\",\"resourceType\":\"AWS::EC2::Instance\"}",
    "{\"resourceId\":\"resourceid\",\"configuration\":{\"imageId\":\"ami-12345\",\"instanceType\":\"t2.micro\",\"placement\":{\"tenancy\":\"default\"}},\"availabilityZone\":\"us-west-2c\",\"resourceType\":\"AWS::EC2::Instance\"}",
    "{\"resourceId\":\"resourceid\",\"configuration\":{\"imageId\":\"ami-12345\",\"instanceType\":\"t1.micro\",\"placement\":{\"tenancy\":\"default\"}},\"availabilityZone\":\"us-west-2a\",\"resourceType\":\"AWS::EC2::Instance\"}",
    "{\"resourceId\":\"resourceid\",\"configuration\":{\"imageId\":\"ami-12345\",\"instanceType\":\"t2.micro\",\"placement\":{\"tenancy\":\"default\"}},\"availabilityZone\":\"us-west-2c\",\"resourceType\":\"AWS::EC2::Instance\"}",
    "{\"resourceId\":\"resourceid\",\"configuration\":{\"imageId\":\"ami-12345\",\"instanceType\":\"t2.micro\",\"placement\":{\"tenancy\":\"default\"}},\"availabilityZone\":\"us-west-2c\",\"resourceType\":\"AWS::EC2::Instance\"}",
    "{\"resourceId\":\"resourceid\",\"configuration\":{\"imageId\":\"ami-12345\",\"instanceType\":\"t2.micro\",\"placement\":{\"tenancy\":\"default\"}},\"availabilityZone\":\"us-west-2c\",\"resourceType\":\"AWS::EC2::Instance\"}"
  ]
}

Query for count of resources grouped by their Amazon Config rules compliance status

Query:

SELECT configuration.complianceType, COUNT(*) WHERE resourceType = 'AWS::Config::ResourceCompliance' GROUP BY configuration.complianceType

Result:

{
  "QueryInfo": {
    "SelectFields": [
      { "Name": "configuration.complianceType" },
      { "Name": "COUNT(*)" }
    ]
  },
  "Results": [
    "{\"COUNT(*)\":163,\"configuration\":{\"complianceType\":\"NON_COMPLIANT\"}}",
    "{\"COUNT(*)\":2,\"configuration\":{\"complianceType\":\"COMPLIANT\"}}"
  ]
}

Query for the compliance status of Amazon Conformance packs

Query:

SELECT resourceId, resourceName, resourceType, configuration.complianceType WHERE resourceType = 'AWS::Config::ConformancePackCompliance'

Result:

{
  "QueryInfo": {
    "SelectFields": [
      { "Name": "resourceId" },
      { "Name": "resourceName" },
      { "Name": "resourceType" },
      { "Name": "configuration.complianceType" }
    ]
  },
  "Results": [
    "{\"resourceId\":\"conformance-pack-conformance-pack-ID\",\"configuration\":{\"complianceType\":\"COMPLIANT\"},\"resourceName\":\"MyConformancePack1\",\"resourceType\":\"AWS::Config::ConformancePackCompliance\"}",
    "{\"resourceId\":\"conformance-pack-conformance-pack-ID\",\"configuration\":{\"complianceType\":\"NON_COMPLIANT\"},\"resourceName\":\"MyConformancePack2\",\"resourceType\":\"AWS::Config::ConformancePackCompliance\"}",
    "{\"resourceId\":\"conformance-pack-conformance-pack-ID\",\"configuration\":{\"complianceType\":\"NON_COMPLIANT\"},\"resourceName\":\"MyConformancePack3\",\"resourceType\":\"AWS::Config::ConformancePackCompliance\"}"
  ]
}

Query to get counts of Amazon resources grouped by account ID

Query:

aws configservice select-aggregate-resource-config --expression "SELECT COUNT(*), accountId group by accountId" --configuration-aggregator-name my-aggregator

Result:

{
  "Results": [
    "{\"COUNT(*)\":2407,\"accountId\":\"accountId\"}",
    "{\"COUNT(*)\":726,\"accountId\":\"accountId\"}"
  ],
  "QueryInfo": {
    "SelectFields": [
      { "Name": "COUNT(*)" },
      { "Name": "accountId" }
    ]
  }
}

Query to list all EC2 volumes that are not in use

Query:

SELECT resourceId, accountId, awsRegion, resourceType, configuration.volumeType, configuration.size, resourceCreationTime, tags, configuration.encrypted, configuration.availabilityZone, configuration.state.value WHERE resourceType = 'AWS::EC2::Volume' AND configuration.state.value = 'available'

Result:

{
  "Results": [
    "{\"accountId\":\"accountId\",\"resourceId\":\"vol-0174de9c962f6581c\",\"awsRegion\":\"us-west-2\",\"configuration\":{\"volumeType\":\"gp2\",\"encrypted\":false,\"size\":100.0,\"state\":{\"value\":\"available\"},\"availabilityZone\":\"us-west-2a\"},\"resourceCreationTime\":\"2020-02-21T07:39:43.771Z\",\"tags\":[],\"resourceType\":\"AWS::EC2::Volume\"}",
    "{\"accountId\":\"accountId\",\"resourceId\":\"vol-0cbeb652a74af2f8f\",\"awsRegion\":\"us-east-1\",\"configuration\":{\"volumeType\":\"gp2\",\"encrypted\":false,\"size\":100.0,\"state\":{\"value\":\"available\"},\"availabilityZone\":\"us-east-1a\"},\"resourceCreationTime\":\"2020-02-21T07:28:40.639Z\",\"tags\":[],\"resourceType\":\"AWS::EC2::Volume\"}",
    "{\"accountId\":\"accountId\",\"resourceId\":\"vol-0a49952d528ec8ba2\",\"awsRegion\":\"ap-south-1\",\"configuration\":{\"volumeType\":\"gp2\",\"encrypted\":false,\"size\":100.0,\"state\":{\"value\":\"available\"},\"availabilityZone\":\"ap-south-1a\"},\"resourceCreationTime\":\"2020-02-21T07:39:31.800Z\",\"tags\":[],\"resourceType\":\"AWS::EC2::Volume\"}"
  ],
  "QueryInfo": {
    "SelectFields": [
      { "Name": "resourceId" },
      { "Name": "accountId" },
      { "Name": "awsRegion" },
      { "Name": "resourceType" },
      { "Name": "configuration.volumeType" },
      { "Name": "configuration.size" },
      { "Name": "resourceCreationTime" },
      { "Name": "tags" },
      { "Name": "configuration.encrypted" },
      { "Name": "configuration.availabilityZone" },
      { "Name": "configuration.state.value" }
    ]
  }
}
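The result envelope shown in these examples has two properties worth handling in code: each row inside "Results" is itself a JSON-encoded string, and long result sets are returned in pages linked by NextToken. The following is an added example, not code from the Amazon Config documentation; it pages through SelectResourceConfig responses, decodes every row, and flags detached volumes that are not encrypted at rest. The FakeConfigClient class and all of its response values are constructed stand-ins for a boto3 "config" client so that the example runs offline; with boto3, client = boto3.client("config") exposes the same select_resource_config method.

```python
"""Added example (not Amazon Config documentation code): page through
SelectResourceConfig responses and decode each result row.

Every row in "Results" is a JSON-encoded string, so a response is decoded
twice: once for the envelope, once per row. `client` is anything with a
select_resource_config(**kwargs) method that returns dicts shaped like the
API response; FakeConfigClient below is a constructed stand-in.
"""
import json
from typing import Any, Dict, Iterator, List

# Same query as the "EC2 volumes that are not in use" example, trimmed to the
# fields this check needs.
UNUSED_VOLUMES = (
    "SELECT resourceId, accountId, awsRegion, configuration.encrypted, "
    "configuration.state.value WHERE resourceType = 'AWS::EC2::Volume' "
    "AND configuration.state.value = 'available'"
)


def iter_query_rows(client: Any, expression: str, page_size: int = 100) -> Iterator[Dict[str, Any]]:
    """Yield each result row as a dict, following NextToken until the last page."""
    kwargs: Dict[str, Any] = {"Expression": expression, "Limit": page_size}
    while True:
        page = client.select_resource_config(**kwargs)
        for raw in page.get("Results", []):
            yield json.loads(raw)           # second decode: row string -> dict
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def unencrypted_unused_volumes(client: Any) -> List[str]:
    """Detached volumes whose data is not encrypted at rest, sorted by resourceId."""
    return sorted(
        row["resourceId"]
        for row in iter_query_rows(client, UNUSED_VOLUMES)
        if row["configuration"]["state"]["value"] == "available"
        and row["configuration"].get("encrypted") is False
    )


def _row(vol: str, region: str, encrypted: bool) -> str:
    """Constructed row in the documented encoding (a JSON string inside the Results list)."""
    return json.dumps({
        "accountId": "111122223333", "resourceId": vol, "awsRegion": region,
        "configuration": {"encrypted": encrypted, "state": {"value": "available"}},
        "resourceType": "AWS::EC2::Volume",
    })


class FakeConfigClient:
    """Constructed stand-in for boto3's 'config' client: returns two pages of rows."""

    _PAGES = [
        {"Results": [_row("vol-0aaa", "us-west-2", False), _row("vol-0bbb", "us-east-1", True)],
         "QueryInfo": {"SelectFields": [{"Name": "resourceId"}]},
         "NextToken": "page-2"},
        {"Results": [_row("vol-0ccc", "ap-south-1", False)],
         "QueryInfo": {"SelectFields": [{"Name": "resourceId"}]}},
    ]

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []   # records kwargs so pagination can be checked

    def select_resource_config(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(dict(kwargs))
        return self._PAGES[1] if kwargs.get("NextToken") == "page-2" else self._PAGES[0]


if __name__ == "__main__":
    demo = FakeConfigClient()
    print(unencrypted_unused_volumes(demo))   # ['vol-0aaa', 'vol-0ccc']
```

The second json.loads is the step most often missed: treating a row as a dict before decoding it raises a TypeError on the first key lookup. Keeping the filter in a function that takes the client as a parameter also makes the check usable against an aggregator by swapping in select_aggregate_resource_config with the aggregator name.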

Relationship query examples

Find EIPs related to an EC2 instance
SELECT resourceId WHERE resourceType = 'AWS::EC2::EIP' AND relationships.resourceId = 'i-abcd1234'
Find EIPs related to an EC2 network interface
SELECT resourceId WHERE resourceType = 'AWS::EC2::EIP' AND relationships.resourceId = 'eni-abcd1234'
Find EC2 instances and network interfaces related to a security group
SELECT resourceId WHERE resourceType IN ('AWS::EC2::Instance', 'AWS::EC2::NetworkInterface') AND relationships.resourceId = 'sg-abcd1234'

SELECT resourceId WHERE resourceType = 'AWS::EC2::Instance' AND relationships.resourceId = 'sg-abcd1234'
SELECT resourceId WHERE resourceType = 'AWS::EC2::NetworkInterface' AND relationships.resourceId = 'sg-abcd1234'
Find EC2 instances, network ACLs, network interfaces and route tables related to a subnet
SELECT resourceId WHERE resourceType IN ('AWS::EC2::Instance', 'AWS::EC2::NetworkACL', 'AWS::EC2::NetworkInterface', 'AWS::EC2::RouteTable') AND relationships.resourceId = 'subnet-abcd1234'
Find EC2 instances, internet gateways, network ACLs, network interfaces, route tables, subnets and security groups related to a VPC
SELECT resourceId WHERE resourceType IN ('AWS::EC2::Instance', 'AWS::EC2::InternetGateway', 'AWS::EC2::NetworkACL', 'AWS::EC2::NetworkInterface', 'AWS::EC2::RouteTable', 'AWS::EC2::Subnet', 'AWS::EC2::SecurityGroup') AND relationships.resourceId = 'vpc-abcd1234'
Find EC2 route tables related to a VPN gateway
SELECT resourceId WHERE resourceType = 'AWS::EC2::RouteTable' AND relationships.resourceId = 'vgw-abcd1234'

Limitations

Note

Advanced queries do not support querying resources that are not configured to be recorded by the configuration recorder. When Amazon Config discovers a resource that is not configured for recording, it creates a configuration item (CI) whose configurationItemStatus is ResourceNotRecorded. Although aggregators aggregate these CIs, advanced queries do not support querying CIs with ResourceNotRecorded. Update your recorder settings to enable recording for the resource types you want to query.

As a subset of SQL SELECT, the query syntax has the following limitations:

  • The ALL, AS, DISTINCT, FROM, HAVING, JOIN, and UNION keywords are not supported in queries. Querying for NULL values is not supported.

  • Querying third-party resources is not supported. The configuration field of third-party resources retrieved with an advanced query is set to NULL.

  • Unpacking nested structures (such as tags) with SQL queries is not supported.

  • CIDR notation is converted into an IP range for searching. This means that "=" and "BETWEEN" search for any range that contains the supplied IP address, not for the exact range. To search for an exact IP range, you must add further conditions that exclude IP addresses outside that range. For example, to search for 10.0.0.0/24 and only that IP block, you can do the following:

    SELECT * WHERE resourceType = 'AWS::EC2::SecurityGroup' AND configuration.ipPermissions.ipRanges BETWEEN '10.0.0.0' AND '10.0.0.255' AND NOT configuration.ipPermissions.ipRanges < '10.0.0.0' AND NOT configuration.ipPermissions.ipRanges > '10.0.0.255'

    192.168.0.2/32 can be searched for in a similar way:

    SELECT * WHERE resourceType = 'AWS::EC2::SecurityGroup' AND configuration.ipPermissions.ipRanges = '192.168.0.2' AND NOT configuration.ipPermissions.ipRanges > '192.168.0.2' AND NOT configuration.ipPermissions.ipRanges < '192.168.0.2'

  • When a query is run against multiple properties inside an array of objects, the match is evaluated across all elements of the array. For example, consider resource R with rules A and B, where R is compliant with rule A but non-compliant with rule B. Resource R is stored as:

    { configRuleList: [ { configRuleName: 'A', complianceType: 'compliant' }, { configRuleName: 'B', complianceType: 'non_compliant' } ] }

    This query returns R:

    SELECT configuration WHERE configuration.configRuleList.complianceType = 'non_compliant' AND configuration.configRuleList.configRuleName = 'A'

    The first condition, configuration.configRuleList.complianceType = 'non_compliant', is applied to all elements of R.configRuleList; because R has a rule with complianceType = 'non_compliant' (rule B), the condition evaluates to true. The second condition, configuration.configRuleList.configRuleName = 'A', is applied to all elements of R.configRuleList; because R has a rule with configRuleName = 'A' (rule A), the condition also evaluates to true. Because both conditions are true, R is returned.

  • The SELECT shorthand for all columns (that is, SELECT *) selects only the top-level scalar properties of a CI. The scalar properties returned are accountId, awsRegion, arn, availabilityZone, configurationItemCaptureTime, resourceCreationTime, resourceId, resourceName, resourceType, and version.

  • Wildcard limitations:

    • Wildcards are supported only in property values, not in property keys (for example, ...WHERE someKey LIKE 'someValue%' is supported, but ...WHERE 'someKey%' LIKE 'someValue%' is not).

    • Only suffix wildcards are supported (for example, ...LIKE 'AWS::EC2::%' and ...LIKE 'AWS::EC2::_' are supported, but ...LIKE '%::EC2::Instance' and ...LIKE '_::EC2::Instance' are not).

    • A wildcard match must be at least 3 characters long (for example, ...LIKE 'ab%' and ...LIKE 'ab_' are not allowed, but ...LIKE 'abc%' and ...LIKE 'abc_' are).

    Note

    "_" (a single underscore) is also treated as a wildcard.

  • Aggregation limitations:

    • An aggregation function accepts only one argument or property.

    • An aggregation function cannot take another function as its argument.

    • A GROUP BY whose ORDER BY clause references an aggregation function can contain only one property.

    • For all other aggregations, the GROUP BY clause can contain up to three properties.

    • Pagination is supported for all aggregation queries except those whose ORDER BY clause contains an aggregation function. For example, GROUP BY X, ORDER BY Y does not work if Y is an aggregation function.

    • The HAVING clause is not supported in aggregations.

  • Mismatched identifier limitations:

    Mismatched identifiers are properties that are spelled the same but differ in case (uppercase versus lowercase). Advanced queries do not support queries that contain mismatched identifiers. For example:

    • Two properties spelled exactly the same but with different case (configuration.dbclusterIdentifier and configuration.dBClusterIdentifier).

    • Two properties where one is a subset of the other and their case differs (configuration.ipAddress and configuration.ipaddressPermissions).
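Two of the limitations above change what a WHERE clause actually returns: CIDR values are searched as IP ranges, so a security-group query for one block also returns every wider range containing it unless the NOT conditions are added; and inside an array of objects each condition is satisfied by any element independently, so the configRuleList query returns R even though no single rule is both named A and non-compliant. The following is an added example, not Amazon Config's query engine: a small local model of those two matching rules, run over constructed security-group and compliance CIs, together with the client-side per-element post-filter a practitioner would apply to the returned rows. The exact semantics of BETWEEN on a stored range (modelled here as "overlaps") are an assumption; the "=", "<" and ">" behaviour and the any-element rule follow the text above.

```python
"""Added example, not Amazon Config's query engine: a local model of how an
advanced-query WHERE clause is matched against a configuration item (CI).
Modelled semantics: '=' with an IP matches any stored range containing it;
'<' / '>' match if any address of the stored range lies below / above the
probe; BETWEEN a AND b is ASSUMED to match any stored range overlapping [a, b].
Each condition on an array path is true if ANY element satisfies it, and is
evaluated independently of the other conditions. All CIs are constructed.
"""
import ipaddress
from typing import Any, Dict, Iterator, List, Tuple

Condition = Tuple[str, str, Any, bool]   # (dotted path, operator, operand, negated)


def values_at(obj: Any, path: str) -> Iterator[Any]:
    """Yield every value reachable from obj by a dotted path, fanning out over lists."""
    if isinstance(obj, list):
        for element in obj:
            yield from values_at(element, path)
    elif path == "":
        yield obj
    elif isinstance(obj, dict):
        head, _, rest = path.partition(".")
        if head in obj:
            yield from values_at(obj[head], rest)


def _ip_int(text: str) -> int:
    return int(ipaddress.ip_address(text))


def compare(stored: Any, op: str, operand: Any) -> bool:
    """Compare one stored value with the operand; IP/CIDR strings use range semantics."""
    if op not in ("=", "<", ">", "BETWEEN"):
        raise ValueError(f"unsupported operator {op!r}")
    if isinstance(stored, str):
        try:
            net = ipaddress.ip_network(stored, strict=False)   # '10.0.0.5' becomes a /32
            lo, hi = int(net.network_address), int(net.broadcast_address)
            if op == "BETWEEN":
                a, b = _ip_int(operand[0]), _ip_int(operand[1])
                return lo <= b and hi >= a                      # ASSUMPTION: overlap
            p = _ip_int(operand)
            return {"=": lo <= p <= hi, "<": lo < p, ">": hi > p}[op]
        except ValueError:
            pass                                                # not IP data: plain compare
    if op == "BETWEEN":
        return operand[0] <= stored <= operand[1]
    return {"=": stored == operand, "<": stored < operand, ">": stored > operand}[op]


def holds(ci: Any, cond: Condition) -> bool:
    """Engine-style evaluation of one condition: true if ANY value at the path matches."""
    path, op, operand, negated = cond
    result = any(compare(v, op, operand) for v in values_at(ci, path))
    return not result if negated else result


def matches_engine(ci: Dict[str, Any], conditions: List[Condition]) -> bool:
    """AND of independently evaluated conditions, as the advanced query engine does."""
    return all(holds(ci, c) for c in conditions)


def matches_same_element(ci: Dict[str, Any], array_path: str, conditions: List[Condition]) -> bool:
    """Client-side post-filter: one array element must satisfy every condition
    (condition paths are relative to the element)."""
    return any(all(holds(el, c) for c in conditions) for el in values_at(ci, array_path))


# Constructed security-group CIs, one ingress CIDR each.
RANGES = "configuration.ipPermissions.ipRanges"
SECURITY_GROUPS = [
    {"resourceId": sg, "configuration": {"ipPermissions": [{"ipRanges": [cidr]}]}}
    for sg, cidr in [("sg-exact", "10.0.0.0/24"), ("sg-superset", "10.0.0.0/8"),
                     ("sg-world", "0.0.0.0/0"), ("sg-host", "192.168.0.2/32"),
                     ("sg-other", "172.16.0.0/12")]
]
BETWEEN_BLOCK: Condition = (RANGES, "BETWEEN", ("10.0.0.0", "10.0.0.255"), False)


def block_query_between_only() -> List[str]:
    """BETWEEN alone also returns every wider range that contains the block."""
    return [sg["resourceId"] for sg in SECURITY_GROUPS if matches_engine(sg, [BETWEEN_BLOCK])]


def block_query_exact() -> List[str]:
    """The documented exact-range form: the NOT conditions drop ranges extending past the block."""
    conds = [BETWEEN_BLOCK, (RANGES, "<", "10.0.0.0", True), (RANGES, ">", "10.0.0.255", True)]
    return [sg["resourceId"] for sg in SECURITY_GROUPS if matches_engine(sg, conds)]


# Constructed compliance CI for resource R from the text above.
RULES = "configuration.configRuleList"
RESOURCE_R = {"resourceId": "R", "configuration": {"configRuleList": [
    {"configRuleName": "A", "complianceType": "compliant"},
    {"configRuleName": "B", "complianceType": "non_compliant"}]}}


def rule_a_noncompliant_engine() -> bool:
    """Engine semantics: rule B satisfies the first condition, rule A the second, so R matches."""
    return matches_engine(RESOURCE_R, [(RULES + ".complianceType", "=", "non_compliant", False),
                                       (RULES + ".configRuleName", "=", "A", False)])


def rule_a_noncompliant_strict() -> bool:
    """Per-element post-filter on the returned CI answers the intended question: is rule A non-compliant?"""
    return matches_same_element(RESOURCE_R, RULES, [("complianceType", "=", "non_compliant", False),
                                                    ("configRuleName", "=", "A", False)])
```

The practical consequence for detection work is that a query over an array of objects is a coarse pre-filter, not the final answer: fetch the CIs the engine returns, then apply matches_same_element (or an equivalent) to the decoded configuration before raising a finding.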

Region support

Advanced queries are supported in the following Regions:

Region name | Region | Endpoint | Protocol
US East (Ohio) | us-east-2 | config.us-east-2.amazonaws.com | HTTPS
US East (N. Virginia) | us-east-1 | config.us-east-1.amazonaws.com | HTTPS
US West (N. California) | us-west-1 | config.us-west-1.amazonaws.com | HTTPS
US West (Oregon) | us-west-2 | config.us-west-2.amazonaws.com | HTTPS
Africa (Cape Town) | af-south-1 | config.af-south-1.amazonaws.com | HTTPS
Asia Pacific (Hong Kong) | ap-east-1 | config.ap-east-1.amazonaws.com | HTTPS
Asia Pacific (Hyderabad) | ap-south-2 | config.ap-south-2.amazonaws.com | HTTPS
Asia Pacific (Jakarta) | ap-southeast-3 | config.ap-southeast-3.amazonaws.com | HTTPS
Asia Pacific (Melbourne) | ap-southeast-4 | config.ap-southeast-4.amazonaws.com | HTTPS
Asia Pacific (Mumbai) | ap-south-1 | config.ap-south-1.amazonaws.com | HTTPS
Asia Pacific (Osaka) | ap-northeast-3 | config.ap-northeast-3.amazonaws.com | HTTPS
Asia Pacific (Seoul) | ap-northeast-2 | config.ap-northeast-2.amazonaws.com | HTTPS
Asia Pacific (Singapore) | ap-southeast-1 | config.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney) | ap-southeast-2 | config.ap-southeast-2.amazonaws.com | HTTPS
Asia Pacific (Tokyo) | ap-northeast-1 | config.ap-northeast-1.amazonaws.com | HTTPS
Canada (Central) | ca-central-1 | config.ca-central-1.amazonaws.com | HTTPS
Canada West (Calgary) | ca-west-1 | config.ca-west-1.amazonaws.com | HTTPS
China (Beijing) | cn-north-1 | config.cn-north-1.amazonaws.com.cn | HTTPS
China (Ningxia) | cn-northwest-1 | config.cn-northwest-1.amazonaws.com.cn | HTTPS
Europe (Frankfurt) | eu-central-1 | config.eu-central-1.amazonaws.com | HTTPS
Europe (Ireland) | eu-west-1 | config.eu-west-1.amazonaws.com | HTTPS
Europe (London) | eu-west-2 | config.eu-west-2.amazonaws.com | HTTPS
Europe (Milan) | eu-south-1 | config.eu-south-1.amazonaws.com | HTTPS
Europe (Paris) | eu-west-3 | config.eu-west-3.amazonaws.com | HTTPS
Europe (Spain) | eu-south-2 | config.eu-south-2.amazonaws.com | HTTPS
Europe (Stockholm) | eu-north-1 | config.eu-north-1.amazonaws.com | HTTPS
Europe (Zurich) | eu-central-2 | config.eu-central-2.amazonaws.com | HTTPS
Israel (Tel Aviv) | il-central-1 | config.il-central-1.amazonaws.com | HTTPS
Middle East (Bahrain) | me-south-1 | config.me-south-1.amazonaws.com | HTTPS
Middle East (UAE) | me-central-1 | config.me-central-1.amazonaws.com | HTTPS
South America (São Paulo) | sa-east-1 | config.sa-east-1.amazonaws.com | HTTPS