View configuration and compliance history - Amazon Config
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original prevails.

View configuration and compliance history

Important

To report compliance status accurately, you must record the AWS::Config::ResourceCompliance resource type. For more information, see Recording Amazon resources.

You can view a resource's configuration, relationships, and number of changes in the Amazon Config console. You can use the Amazon CLI to view the configuration history of a resource.

View configuration details (console)

When you look up a resource on the Resource inventory page, choosing the resource name or ID in the Resource identifier column opens the details page for that resource. The details page provides information about the resource's configuration, relationships, and number of changes.

To access the resource timeline from the resource details page, choose the Resource Timeline button. The resource timeline captures the changes to a specific resource over time as ConfigurationItems. You can filter by configuration events, compliance events, or CloudTrail events.

View configuration details (Amazon CLI)

The configuration items that Amazon Config records are delivered on demand to the specified delivery channel as configuration snapshots and configuration streams. You can use the Amazon CLI to view the configuration item history of each resource.

View configuration history

Type the get-resource-config-history command and specify the resource type and resource ID, for example:

$ aws configservice get-resource-config-history --resource-type AWS::EC2::SecurityGroup --resource-id sg-6fbb3807
{
    "configurationItems": [
        {
            "configurationItemCaptureTime": 1414708529.9219999,
            "relationships": [
                {
                    "resourceType": "AWS::EC2::Instance",
                    "resourceId": "i-7a3b232a",
                    "relationshipName": "Is associated with Instance"
                },
                {
                    "resourceType": "AWS::EC2::Instance",
                    "resourceId": "i-8b6eb2ab",
                    "relationshipName": "Is associated with Instance"
                },
                {
                    "resourceType": "AWS::EC2::Instance",
                    "resourceId": "i-c478efe5",
                    "relationshipName": "Is associated with Instance"
                },
                {
                    "resourceType": "AWS::EC2::Instance",
                    "resourceId": "i-e4cbe38d",
                    "relationshipName": "Is associated with Instance"
                }
            ],
            "availabilityZone": "Not Applicable",
            "tags": {},
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-6fbb3807",
            "configurationStateId": "1",
            "relatedEvents": [],
            "arn": "arn:aws:ec2:us-east-2:012345678912:security-group/default",
            "version": "1.0",
            "configurationItemMD5Hash": "860aa81fc3869e186b2ee00bc638a01a",
            "configuration": "{\"ownerId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\",\"description\":\"default group\",\"ipPermissions\":[{\"ipProtocol\":\"tcp\",\"fromPort\":80,\"toPort\":80,\"userIdGroupPairs\":[{\"userId\":\"amazon-elb\",\"groupName\":\"amazon-elb-sg\",\"groupId\":\"sg-843f59ed\"}],\"ipRanges\":[\"0.0.0.0/0\"]},{\"ipProtocol\":\"tcp\",\"fromPort\":0,\"toPort\":65535,\"userIdGroupPairs\":[{\"userId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\"}],\"ipRanges\":[]},{\"ipProtocol\":\"udp\",\"fromPort\":0,\"toPort\":65535,\"userIdGroupPairs\":[{\"userId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\"}],\"ipRanges\":[]},{\"ipProtocol\":\"icmp\",\"fromPort\":-1,\"toPort\":-1,\"userIdGroupPairs\":[{\"userId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\"}],\"ipRanges\":[]},{\"ipProtocol\":\"tcp\",\"fromPort\":1433,\"toPort\":1433,\"userIdGroupPairs\":[],\"ipRanges\":[\"0.0.0.0/0\"]},{\"ipProtocol\":\"tcp\",\"fromPort\":3389,\"toPort\":3389,\"userIdGroupPairs\":[],\"ipRanges\":[\"207.171.160.0/19\"]}],\"ipPermissionsEgress\":[],\"vpcId\":null,\"tags\":[]}",
            "configurationItemStatus": "ResourceDiscovered",
            "accountId": "605053316265"
        }
    ],
    "nextToken": ..........

For a detailed explanation of the response fields, see Components of a Configuration Item and Supported Resource Types.
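Note that in the CLI/API response above the "configuration" field is a JSON-encoded string rather than a nested object, so it has to be decoded a second time before the security group's rules can be inspected. The following Python is an added example (not code from the Amazon Config documentation) that parses one configuration item in the shape shown above and lists the ingress rules reachable from 0.0.0.0/0; the sample item is constructed from the values in the output, and "ipRanges" entries are accepted both as plain CIDR strings (as above) and as objects with a "cidrIp" key, which is assumed to be the newer form.

```python
import json

# Constructed excerpt shaped like one entry of the get-resource-config-history
# output above (trimmed to the fields this example needs). In the CLI/API
# response "configuration" is a JSON-encoded string; in the S3 history file it
# is a nested object, so parse_configuration() accepts both forms.
SAMPLE_SG_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-6fbb3807",
    "configuration": json.dumps({
        "groupId": "sg-6fbb3807",
        "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 80, "toPort": 80,
             "userIdGroupPairs": [{"groupId": "sg-843f59ed"}], "ipRanges": ["0.0.0.0/0"]},
            {"ipProtocol": "tcp", "fromPort": 1433, "toPort": 1433,
             "userIdGroupPairs": [], "ipRanges": ["0.0.0.0/0"]},
            {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
             "userIdGroupPairs": [], "ipRanges": ["207.171.160.0/19"]},
        ],
    }),
}


def parse_configuration(item):
    """Return the CI's configuration as a dict, whether it arrived as a JSON
    string (CLI/API response) or as a nested object (S3 history file)."""
    cfg = item.get("configuration")
    if isinstance(cfg, str):
        return json.loads(cfg) if cfg else {}
    return cfg or {}


def cidrs(permission):
    """IPv4 sources of one ipPermissions entry. The page's sample lists plain
    CIDR strings; objects with a "cidrIp" key (assumed newer form) are also read."""
    return [r if isinstance(r, str) else r.get("cidrIp")
            for r in permission.get("ipRanges", [])]


def world_open_ingress(item):
    """(protocol, fromPort, toPort) of every ingress rule reachable from
    0.0.0.0/0, i.e. from any IPv4 address."""
    return [(p["ipProtocol"], p["fromPort"], p["toPort"])
            for p in parse_configuration(item).get("ipPermissions", [])
            if "0.0.0.0/0" in cidrs(p)]


if __name__ == "__main__":
    for proto, lo, hi in world_open_ingress(SAMPLE_SG_ITEM):
        print(f"{SAMPLE_SG_ITEM['resourceId']}: {proto} {lo}-{hi} open to 0.0.0.0/0")
```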

Example Amazon EBS configuration history from Amazon Config

Amazon Config generates a set of files, one for each resource type, that list all configuration changes for the resources of that type that Amazon Config is recording. Amazon Config exports this resource-centric configuration history as objects to the Amazon S3 bucket that you specified when you enabled it. The configuration history file for each resource type contains the changes that were detected for resources of that type since the last history file was delivered. History files are typically delivered every six hours.

The following is an example of the contents of an Amazon S3 object that describes the configuration history of all Amazon Elastic Block Store volumes in the current Region for an Amazon Web Services account. The volumes in this account are vol-ce676ccc and vol-cia007c. Volume vol-ce676ccc has had two configuration changes since the previous history file was delivered, while volume vol-cia007c has had only one.

{
    "fileVersion": "1.0",
    "requestId": "asudf8ow-4e34-4f32-afeb-0ace5bf3trye",
    "configurationItems": [
        {
            "snapshotVersion": "1.0",
            "resourceId": "vol-ce676ccc",
            "arn": "arn:aws:us-west-2b:123456789012:volume/vol-ce676ccc",
            "accountId": "12345678910",
            "configurationItemCaptureTime": "2014-03-07T23:47:08.918Z",
            "configurationStateID": "3e660fdf-4e34-4f32-afeb-0ace5bf3d63a",
            "configurationItemStatus": "OK",
            "relatedEvents": [
                "06c12a39-eb35-11de-ae07-adb69edbb1e4",
                "c376e30d-71a2-4694-89b7-a5a04ad92281"
            ],
            "availabilityZone": "us-west-2b",
            "resourceType": "AWS::EC2::Volume",
            "resourceCreationTime": "2014-02-27T21:43:53.885Z",
            "tags": {},
            "relationships": [
                {
                    "resourceId": "i-344c463d",
                    "resourceType": "AWS::EC2::Instance",
                    "name": "Attached to Instance"
                }
            ],
            "configuration": {
                "volumeId": "vol-ce676ccc",
                "size": 1,
                "snapshotId": "",
                "availabilityZone": "us-west-2b",
                "state": "in-use",
                "createTime": "2014-02-27T21:43:53.0885+0000",
                "attachments": [
                    {
                        "volumeId": "vol-ce676ccc",
                        "instanceId": "i-344c463d",
                        "device": "/dev/sdf",
                        "state": "attached",
                        "attachTime": "2014-03-07T23:46:28.0000+0000",
                        "deleteOnTermination": false
                    }
                ],
                "tags": [
                    {
                        "tagName": "environment",
                        "tagValue": "PROD"
                    },
                    {
                        "tagName": "name",
                        "tagValue": "DataVolume1"
                    }
                ],
                "volumeType": "standard"
            }
        },
        {
            "configurationItemVersion": "1.0",
            "resourceId": "vol-ce676ccc",
            "arn": "arn:aws:us-west-2b:123456789012:volume/vol-ce676ccc",
            "accountId": "12345678910",
            "configurationItemCaptureTime": "2014-03-07T21:47:08.918Z",
            "configurationItemState": "3e660fdf-4e34-4f32-sseb-0ace5bf3d63a",
            "configurationItemStatus": "OK",
            "relatedEvents": [
                "06c12a39-eb35-11de-ae07-ad229edbb1e4",
                "c376e30d-71a2-4694-89b7-a5a04w292281"
            ],
            "availabilityZone": "us-west-2b",
            "resourceType": "AWS::EC2::Volume",
            "resourceCreationTime": "2014-02-27T21:43:53.885Z",
            "tags": {},
            "relationships": [
                {
                    "resourceId": "i-344c463d",
                    "resourceType": "AWS::EC2::Instance",
                    "name": "Attached to Instance"
                }
            ],
            "configuration": {
                "volumeId": "vol-ce676ccc",
                "size": 1,
                "snapshotId": "",
                "availabilityZone": "us-west-2b",
                "state": "in-use",
                "createTime": "2014-02-27T21:43:53.0885+0000",
                "attachments": [
                    {
                        "volumeId": "vol-ce676ccc",
                        "instanceId": "i-344c463d",
                        "device": "/dev/sdf",
                        "state": "attached",
                        "attachTime": "2014-03-07T23:46:28.0000+0000",
                        "deleteOnTermination": false
                    }
                ],
                "tags": [
                    {
                        "tagName": "environment",
                        "tagValue": "PROD"
                    },
                    {
                        "tagName": "name",
                        "tagValue": "DataVolume1"
                    }
                ],
                "volumeType": "standard"
            }
        },
        {
            "configurationItemVersion": "1.0",
            "resourceId": "vol-cia007c",
            "arn": "arn:aws:us-west-2b:123456789012:volume/vol-cia007c",
            "accountId": "12345678910",
            "configurationItemCaptureTime": "2014-03-07T20:47:08.918Z",
            "configurationItemState": "3e660fdf-4e34-4f88-sseb-0ace5bf3d63a",
            "configurationItemStatus": "OK",
            "relatedEvents": [
                "06c12a39-eb35-11de-ae07-adjhk8edbb1e4",
                "c376e30d-71a2-4694-89b7-a5a67u292281"
            ],
            "availabilityZone": "us-west-2b",
            "resourceType": "AWS::EC2::Volume",
            "resourceCreationTime": "2014-02-27T20:43:53.885Z",
            "tags": {},
            "relationships": [
                {
                    "resourceId": "i-344e563d",
                    "resourceType": "AWS::EC2::Instance",
                    "name": "Attached to Instance"
                }
            ],
            "configuration": {
                "volumeId": "vol-cia007c",
                "size": 1,
                "snapshotId": "",
                "availabilityZone": "us-west-2b",
                "state": "in-use",
                "createTime": "2014-02-27T20:43:53.0885+0000",
                "attachments": [
                    {
                        "volumeId": "vol-cia007c",
                        "instanceId": "i-344e563d",
                        "device": "/dev/sdf",
                        "state": "attached",
                        "attachTime": "2014-03-07T23:46:28.0000+0000",
                        "deleteOnTermination": false
                    }
                ],
                "tags": [
                    {
                        "tagName": "environment",
                        "tagValue": "PROD"
                    },
                    {
                        "tagName": "name",
                        "tagValue": "DataVolume2"
                    }
                ],
                "volumeType": "standard"
            }
        }
    ]
}
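A history file like the one above holds several configuration items for the same resource, so the useful question for a reviewer is what changed between one capture and the next. The following Python is an added example (not part of the Amazon Config documentation) that groups the items by resourceId, orders them by configurationItemCaptureTime and reports only the keys whose values differ; the embedded history file is constructed with made-up volume and instance IDs in the shape shown above, with deleteOnTermination and a tag value changed between the two captures.

```python
import json

# Constructed history-file excerpt in the shape of the EBS example above
# (IDs and values are made up): two items for the same volume, the later one
# with deleteOnTermination flipped and the environment tag changed.
HISTORY_FILE = json.dumps({"fileVersion": "1.0", "configurationItems": [
    {"resourceId": "vol-0example1", "resourceType": "AWS::EC2::Volume",
     "configurationItemCaptureTime": "2014-03-07T23:47:08.918Z",
     "configuration": {"size": 1, "state": "in-use",
                       "attachments": [{"instanceId": "i-0example1", "deleteOnTermination": True}],
                       "tags": [{"tagName": "environment", "tagValue": "DEV"}]}},
    {"resourceId": "vol-0example1", "resourceType": "AWS::EC2::Volume",
     "configurationItemCaptureTime": "2014-03-07T21:47:08.918Z",
     "configuration": {"size": 1, "state": "in-use",
                       "attachments": [{"instanceId": "i-0example1", "deleteOnTermination": False}],
                       "tags": [{"tagName": "environment", "tagValue": "PROD"}]}},
]})


def flatten(obj, prefix=""):
    """Flatten nested dicts/lists to {"attachments[0].deleteOnTermination": value}
    so that two configurations can be compared key by key."""
    if isinstance(obj, dict):
        return {k2: v2 for k, v in obj.items()
                for k2, v2 in flatten(v, f"{prefix}.{k}" if prefix else k).items()}
    if isinstance(obj, list):
        return {k2: v2 for i, v in enumerate(obj)
                for k2, v2 in flatten(v, f"{prefix}[{i}]").items()}
    return {prefix: obj}


def configuration_changes(history_json):
    """Group items by resourceId, order them by capture time (ISO-8601 strings
    sort chronologically) and return {resourceId: [(time, {path: (old, new)})]}
    holding only the keys that differ between successive items."""
    by_resource = {}
    for item in json.loads(history_json)["configurationItems"]:
        by_resource.setdefault(item["resourceId"], []).append(item)
    changes = {}
    for rid, items in by_resource.items():
        items.sort(key=lambda i: i["configurationItemCaptureTime"])
        prev = flatten(items[0]["configuration"])
        for item in items[1:]:
            cur = flatten(item["configuration"])
            diff = {k: (prev.get(k), cur.get(k))
                    for k in sorted(prev.keys() | cur.keys()) if prev.get(k) != cur.get(k)}
            changes.setdefault(rid, []).append((item["configurationItemCaptureTime"], diff))
            prev = cur
    return changes
```

A resource with a single item in the file produces no entry, since there is no earlier capture to compare against.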

View the compliance history timeline for a resource

Amazon Config supports storing the compliance state changes of resources that are evaluated by Amazon Config rules. Resource compliance history is presented as a timeline. The timeline captures the changes to a specific resource over time as ConfigurationItems. For information about the contents of a ConfigurationItem, see ConfigurationItem in the Amazon Config API Reference.

You can opt in to or opt out of recording all resource types in Amazon Config. If you choose to record all resource types, Amazon Config automatically starts recording the compliance history of resources that are evaluated by Amazon Config rules. By default, Amazon Config records configuration changes for all supported resources. You can also select only the resource compliance history resource type, AWS::Config::ResourceCompliance. For more information, see Selecting which resources Amazon Config records.

View a resource timeline using resources

Access the resource timeline by selecting a specific resource from the Resource inventory page.

  1. Choose Resources from the left navigation.

  2. On the Resource inventory page, you can filter by resource category, resource type, and compliance status. Choose Include deleted resources if appropriate.

    The table displays the resource identifier for the resource type and the resource compliance status of that resource. The resource identifier can be a resource ID or a resource name.

  3. Choose a resource from the Resource identifier column.

  4. Choose the Resource Timeline button. You can filter by configuration events, compliance events, or CloudTrail events.

    Note

    Alternatively, on the Resource inventory page, you can choose the resource name directly. To access the resource timeline from the resource details page, choose the Resource Timeline button.

View a resource timeline using rules

Access the resource timeline by selecting a specific rule from the Rules page.

  1. Choose Rules from the left navigation.

  2. On the Rules page, choose the rule that evaluates the resource you are interested in. If no rules are shown, use the Add rule button to add one.

  3. On the rule details page, choose a resource from the Resources evaluated table.

  4. Choose the Resource Timeline button. The resource timeline is displayed.

Query compliance history

Query the compliance history of a resource by using get-resource-config-history with the resource type AWS::Config::ResourceCompliance:

aws configservice get-resource-config-history --resource-type AWS::Config::ResourceCompliance --resource-id AWS::S3::Bucket/configrules-bucket

You should see output similar to the following:

{
    "configurationItems": [
        {
            "configurationItemCaptureTime": 1539799966.921,
            "relationships": [
                {
                    "resourceType": "AWS::S3::Bucket",
                    "resourceId": "configrules-bucket",
                    "relationshipName": "Is associated with "
                }
            ],
            "tags": {},
            "resourceType": "AWS::Config::ResourceCompliance",
            "resourceId": "AWS::S3::Bucket/configrules-bucket",
            "configurationStateId": "1539799966921",
            "relatedEvents": [],
            "awsRegion": "us-west-2",
            "version": "1.3",
            "configurationItemMD5Hash": "",
            "supplementaryConfiguration": {},
            "configuration": "{\"complianceType\":\"COMPLIANT\",\"targetResourceId\":\"configrules-bucket\",\"targetResourceType\":\"AWS::S3::Bucket\",\"configRuleList\":[{\"configRuleArn\":\"arn:aws:config:us-west-2:AccountID:config-rule/config-rule-w1gogw\",\"configRuleId\":\"config-rule-w1gogw\",\"configRuleName\":\"s3-bucket-logging-enabled\",\"complianceType\":\"COMPLIANT\"}]}",
            "configurationItemStatus": "ResourceDiscovered",
            "accountId": "AccountID"
        }
    ]
}
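The response above holds one AWS::Config::ResourceCompliance item per evaluation capture, and the overall complianceType together with the per-rule results sits inside the string-valued "configuration" field. The following Python is an added example (not from the Amazon Config documentation) that reconstructs the compliance timeline from such a response: it orders the items by capture time, decodes the configuration string, and emits one entry per change of the overall state together with the rules that were NON_COMPLIANT at that point. The response is constructed with three capture points; the two extra timestamps and the intermediate non-compliant state are made up, while the bucket and rule names are those shown above.

```python
import json

# Constructed get-resource-config-history response for the
# AWS::Config::ResourceCompliance type, in the shape of the output above but
# with three capture points so that a state change is visible (the timestamps
# and the intermediate NON_COMPLIANT state are made up). As in the CLI/API
# output, "configuration" is a JSON-encoded string.
def _item(capture_time, overall, rules):
    return {"resourceType": "AWS::Config::ResourceCompliance",
            "resourceId": "AWS::S3::Bucket/configrules-bucket",
            "configurationItemCaptureTime": capture_time,
            "configuration": json.dumps({
                "complianceType": overall,
                "targetResourceId": "configrules-bucket",
                "targetResourceType": "AWS::S3::Bucket",
                "configRuleList": [{"configRuleName": n, "complianceType": c}
                                   for n, c in rules]})}


RESPONSE = {"configurationItems": [
    _item(1539799966.921, "COMPLIANT", [("s3-bucket-logging-enabled", "COMPLIANT")]),
    _item(1539700000.000, "NON_COMPLIANT", [("s3-bucket-logging-enabled", "NON_COMPLIANT")]),
    _item(1539600000.000, "COMPLIANT", [("s3-bucket-logging-enabled", "COMPLIANT")]),
]}


def compliance_transitions(response):
    """Walk the ResourceCompliance items oldest-first and return one
    (captureTime, complianceType, failing_rule_names) entry per change of the
    overall compliance state, i.e. the resource's compliance timeline."""
    items = sorted(response["configurationItems"],
                   key=lambda i: i["configurationItemCaptureTime"])
    timeline, last = [], None
    for item in items:
        cfg = json.loads(item["configuration"])  # string-encoded in this response
        state = cfg["complianceType"]
        if state != last:
            failing = sorted(r["configRuleName"] for r in cfg.get("configRuleList", [])
                             if r["complianceType"] == "NON_COMPLIANT")
            timeline.append((item["configurationItemCaptureTime"], state, failing))
            last = state
    return timeline
```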