本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
查看 Amazon 资源的合规历史记录
重要
要准确报告合规性状态,必须记录 AWS::Config::ResourceCompliance 资源类型。有关更多信息,请参阅录制 Amazon 资源。
您可以在 Amazon Config 控制台中查看配置、关系和对资源所做的更改次数。您可以使用查看资源的配置历史记录 Amazon CLI。
查看合规性历史记录(控制台)
当您在资源清单页面上查找资源时,选择资源标识符列中的资源名称或 ID 可查看资源的详细信息页面。详细信息页面提供了有关该资源的配置、关系和更改次数的信息。
要从资源详细信息页面访问资源时间表,请选择资源时间表按钮。资源时间线将特定资源在一段时间内的更改捕获为 ConfigurationItems。您可以按配置事件、合规性事件或 CloudTrail事件进行筛选。
查看合规性历史记录 (Amazon CLI)
Amazon Config 记录的配置项目以配置快照和配置流的形式按需传送到指定的交付渠道。您可以使用 Amazon CLI 来查看每种资源的配置项目历史记录。
查看配置历史记录
输入get-resource-config-history命令并指定资源类型和资源 ID,例如:
$ aws configservice get-resource-config-history --resource-type AWS::EC2::SecurityGroup --resource-id sg-6fbb3807 { "configurationItems": [ { "configurationItemCaptureTime": 1414708529.9219999, "relationships": [ { "resourceType": "AWS::EC2::Instance", "resourceId": "i-7a3b232a", "relationshipName": "Is associated with Instance" }, { "resourceType": "AWS::EC2::Instance", "resourceId": "i-8b6eb2ab", "relationshipName": "Is associated with Instance" }, { "resourceType": "AWS::EC2::Instance", "resourceId": "i-c478efe5", "relationshipName": "Is associated with Instance" }, { "resourceType": "AWS::EC2::Instance", "resourceId": "i-e4cbe38d", "relationshipName": "Is associated with Instance" } ], "availabilityZone": "Not Applicable", "tags": {}, "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-6fbb3807", "configurationStateId": "1", "relatedEvents": [], "arn": "arn:aws:ec2:us-east-2:012345678912:security-group/default", "version": "1.0", "configurationItemMD5Hash": "860aa81fc3869e186b2ee00bc638a01a", "configuration": "{\"ownerId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\",\"description\":\"default group\",\"ipPermissions\":[{\"ipProtocol\":\"tcp\",\"fromPort\":80,\"toPort\":80,\"userIdGroupPairs\":[{\"userId\":\"amazon-elb\",\"groupName\":\"amazon-elb-sg\",\"groupId\":\"sg-843f59ed\"}],\"ipRanges\":[\"0.0.0.0/0\"]},{\"ipProtocol\":\"tcp\",\"fromPort\":0,\"toPort\":65535,\"userIdGroupPairs\":[{\"userId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\"}],\"ipRanges\":[]},{\"ipProtocol\":\"udp\",\"fromPort\":0,\"toPort\":65535,\"userIdGroupPairs\":[{\"userId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\"}],\"ipRanges\":[]},{\"ipProtocol\":\"icmp\",\"fromPort\":-1,\"toPort\":-1,\"userIdGroupPairs\":[{\"userId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\"}],\"ipRanges\":[]},{\"ipProtocol\":\"tcp\",\"fromPort\":1433,\"toPort\":1433,\"userIdGroupPairs\":[],\"ipRanges\":[\"0.0.0.0/0\"]},{\"ipProtocol\":\"tcp\",\"fromPort\":3389,\"toPort\":3389,\"userIdGroupPairs\":[],\"ipRanges\":[\"207.171.160.0/19\"]}],\"ipPermissionsEgress\":[],\"vpcId\":null,\"tags\":[]}", "configurationItemStatus": "ResourceDiscovered", "accountId": "605053316265" } ], "nextToken": ..........
有关响应字段的详细解释,请参阅 Components of a Configuration Item 和 支持的资源类型。
来自 Amazon Config的 Amazon EBS 配置历史记录示例
Amazon Config 生成一组文件,每个文件代表一种资源类型,并列出 Amazon Config 正在记录的该类型资源的所有配置更改。 Amazon Config 将此以资源为中心的配置历史记录作为对象导出到您在启用时指定的 Amazon S3 存储桶中。 Amazon Config每个资源类型的配置历史记录文件中包含自上一个历史记录文件传送完毕后检测到的该类型资源出现的更改。历史记录文件通常每六小时传送一次。
以下是 Amazon S3 对象内容的示例,该对象描述了当前区域中所有 Amazon Elastic Block Store 卷的配置历史记录 Amazon Web Services 账户。此账户中的卷包括 vol-ce676ccc 和 vol-cia007c。卷 vol-ce676ccc 自上一个历史记录文件传送完毕后有两项配置更改,而卷 vol-cia007c 只有一项更改。
{ "fileVersion": "1.0", "requestId": "asudf8ow-4e34-4f32-afeb-0ace5bf3trye", "configurationItems": [ { "snapshotVersion": "1.0", "resourceId": "vol-ce676ccc", "arn": "arn:aws:us-west-2b:123456789012:volume/vol-ce676ccc", "accountId": "12345678910", "configurationItemCaptureTime": "2014-03-07T23:47:08.918Z", "configurationStateID": "3e660fdf-4e34-4f32-afeb-0ace5bf3d63a", "configurationItemStatus": "OK", "relatedEvents": [ "06c12a39-eb35-11de-ae07-adb69edbb1e4", "c376e30d-71a2-4694-89b7-a5a04ad92281" ], "availibilityZone": "us-west-2b", "resourceType": "AWS::EC2::Volume", "resourceCreationTime": "2014-02-27T21:43:53.885Z", "tags": {}, "relationships": [ { "resourceId": "i-344c463d", "resourceType": "AWS::EC2::Instance", "name": "Attached to Instance" } ], "configuration": { "volumeId": "vol-ce676ccc", "size": 1, "snapshotId": "", "availabilityZone": "us-west-2b", "state": "in-use", "createTime": "2014-02-27T21:43:53.0885+0000", "attachments": [ { "volumeId": "vol-ce676ccc", "instanceId": "i-344c463d", "device": "/dev/sdf", "state": "attached", "attachTime": "2014-03-07T23:46:28.0000+0000", "deleteOnTermination": false } ], "tags": [ { "tagName": "environment", "tagValue": "PROD" }, { "tagName": "name", "tagValue": "DataVolume1" } ], "volumeType": "standard" } }, { "configurationItemVersion": "1.0", "resourceId": "vol-ce676ccc", "arn": "arn:aws:us-west-2b:123456789012:volume/vol-ce676ccc", "accountId": "12345678910", "configurationItemCaptureTime": "2014-03-07T21:47:08.918Z", "configurationItemState": "3e660fdf-4e34-4f32-sseb-0ace5bf3d63a", "configurationItemStatus": "OK", "relatedEvents": [ "06c12a39-eb35-11de-ae07-ad229edbb1e4", "c376e30d-71a2-4694-89b7-a5a04w292281" ], "availibilityZone": "us-west-2b", "resourceType": "AWS::EC2::Volume", "resourceCreationTime": "2014-02-27T21:43:53.885Z", "tags": {}, "relationships": [ { "resourceId": "i-344c463d", "resourceType": "AWS::EC2::Instance", "name": "Attached to Instance" } ], "configuration": { "volumeId": "vol-ce676ccc", "size": 1, "snapshotId": "", "availabilityZone": "us-west-2b", "state": "in-use", "createTime": "2014-02-27T21:43:53.0885+0000", "attachments": [ { "volumeId": "vol-ce676ccc", "instanceId": "i-344c463d", "device": "/dev/sdf", "state": "attached", "attachTime": "2014-03-07T23:46:28.0000+0000", "deleteOnTermination": false } ], "tags": [ { "tagName": "environment", "tagValue": "PROD" }, { "tagName": "name", "tagValue": "DataVolume1" } ], "volumeType": "standard" } }, { "configurationItemVersion": "1.0", "resourceId": "vol-cia007c", "arn": "arn:aws:us-west-2b:123456789012:volume/vol-cia007c", "accountId": "12345678910", "configurationItemCaptureTime": "2014-03-07T20:47:08.918Z", "configurationItemState": "3e660fdf-4e34-4f88-sseb-0ace5bf3d63a", "configurationItemStatus": "OK", "relatedEvents": [ "06c12a39-eb35-11de-ae07-adjhk8edbb1e4", "c376e30d-71a2-4694-89b7-a5a67u292281" ], "availibilityZone": "us-west-2b", "resourceType": "AWS::EC2::Volume", "resourceCreationTime": "2014-02-27T20:43:53.885Z", "tags": {}, "relationships": [ { "resourceId": "i-344e563d", "resourceType": "AWS::EC2::Instance", "name": "Attached to Instance" } ], "configuration": { "volumeId": "vol-cia007c", "size": 1, "snapshotId": "", "availabilityZone": "us-west-2b", "state": "in-use", "createTime": "2014-02-27T20:43:53.0885+0000", "attachments": [ { "volumeId": "vol-cia007c", "instanceId": "i-344e563d", "device": "/dev/sdf", "state": "attached", "attachTime": "2014-03-07T23:46:28.0000+0000", "deleteOnTermination": false } ], "tags": [ { "tagName": "environment", "tagValue": "PROD" }, { "tagName": "name", "tagValue": "DataVolume2" } ], "volumeType": "standard" } } ] }
查看资源和规则的合规性历史时间表
Amazon Config 支持存储由评估的资源的合规性状态更改 Amazon Config 规则。资源合规性历史记录以时间线的形式显示。时间线将特定资源在一段时间内的更改捕获为 ConfigurationItems。有关内容的信息ConfigurationItem,请参阅 Amazon Config API 参考ConfigurationItem中的。
您可以选择加入或选择退出记录 Amazon Config中的所有资源类型。如果您选择记录所有资源类型,则 Amazon Config 会自动开始记录由评估的资源合规性历史记录 Amazon Config 规则。默认情况下, Amazon Config 记录所有受支持资源的配置更改。您也可以仅选择特定的资源合规性历史记录资源类型:AWS::Config::ResourceCompliance。有关更多信息,请参阅录制 Amazon 记录。