本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 使用查看 Amazon 资源的合规历史记录 Amazon Config
**重要**
`AWS::Config::ResourceCompliance` 资源类型用于存储资源的历史合规性结果。Config 规则**无需**记录此资源类型即可评估资源或在控制台中查看当前合规状态。
记录 `AWS::Config::ResourceCompliance` 仅允许您在资源时间线中查看历史合规性变化趋势。如果您不需要历史合规性数据,可以排除此资源类型。有关选择要录制的资源的更多信息,请参阅[录制 Amazon 资源](https://docs.amazonaws.cn/config/latest/developerguide/select-resources.html)。
您可以在 Amazon Config 控制台中查看资源的配置、关系和更改次数。您可以使用查看资源的配置历史记录 Amazon CLI。
**Topics**
+ [查看合规性历史记录(控制台)](#view-config-details-console)
+ [查看合规性历史记录(Amazon CLI)](#view-config-details-cli)
+ [对于资源和规则](#view-compliance-history)
## 查看合规性历史记录(控制台)
### 使用控制台查看合规性历史记录
当您在**资源清单**页面上查找资源时,选择资源标识符列中的资源名称或 ID 可查看资源的详细信息页面。详细信息页面提供了有关该资源的配置、关系和更改次数的信息。
要从资源详细信息页面访问资源时间表,请选择**资源时间表**按钮。资源时间线将特定资源在一段时间内的更改捕获为。`ConfigurationItems`您可以按配置事件、合规性事件或 CloudTrail事件进行筛选。
## 查看合规性历史记录(Amazon CLI)
### 使用查看合规性历史记录 Amazon CLI
Amazon Config 记录的配置项目以配置快照和配置流的形式按需传送到指定的交付渠道。您可以使用 Amazon CLI 来查看每种资源的配置项目历史记录。
#### 查看配置历史记录
输入 [https://docs.amazonaws.cn/cli/latest/reference/configservice/get-resource-config-history.html](https://docs.amazonaws.cn/cli/latest/reference/configservice/get-resource-config-history.html) 命令并指定资源类型和资源 ID,例如:
```
$ aws configservice get-resource-config-history --resource-type AWS::EC2::SecurityGroup --resource-id sg-6fbb3807
{
"configurationItems": [
{
"configurationItemCaptureTime": 1414708529.9219999,
"relationships": [
{
"resourceType": "AWS::EC2::Instance",
"resourceId": "i-7a3b232a",
"relationshipName": "Is associated with Instance"
},
{
"resourceType": "AWS::EC2::Instance",
"resourceId": "i-8b6eb2ab",
"relationshipName": "Is associated with Instance"
},
{
"resourceType": "AWS::EC2::Instance",
"resourceId": "i-c478efe5",
"relationshipName": "Is associated with Instance"
},
{
"resourceType": "AWS::EC2::Instance",
"resourceId": "i-e4cbe38d",
"relationshipName": "Is associated with Instance"
}
],
"availabilityZone": "Not Applicable",
"tags": {},
"resourceType": "AWS::EC2::SecurityGroup",
"resourceId": "sg-6fbb3807",
"configurationStateId": "1",
"relatedEvents": [],
"arn": "arn:aws:ec2:us-east-2:012345678912:security-group/default",
"version": "1.0",
"configurationItemMD5Hash": "860aa81fc3869e186b2ee00bc638a01a",
"configuration": "{\"ownerId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\",\"description\":\"default group\",\"ipPermissions\":[{\"ipProtocol\":\"tcp\",\"fromPort\":80,\"toPort\":80,\"userIdGroupPairs\":[{\"userId\":\"amazon-elb\",\"groupName\":\"amazon-elb-sg\",\"groupId\":\"sg-843f59ed\"}],\"ipRanges\":[\"0.0.0.0/0\"]},{\"ipProtocol\":\"tcp\",\"fromPort\":0,\"toPort\":65535,\"userIdGroupPairs\":[{\"userId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\"}],\"ipRanges\":[]},{\"ipProtocol\":\"udp\",\"fromPort\":0,\"toPort\":65535,\"userIdGroupPairs\":[{\"userId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\"}],\"ipRanges\":[]},{\"ipProtocol\":\"icmp\",\"fromPort\":-1,\"toPort\":-1,\"userIdGroupPairs\":[{\"userId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\"}],\"ipRanges\":[]},{\"ipProtocol\":\"tcp\",\"fromPort\":1433,\"toPort\":1433,\"userIdGroupPairs\":[],\"ipRanges\":[\"0.0.0.0/0\"]},{\"ipProtocol\":\"tcp\",\"fromPort\":3389,\"toPort\":3389,\"userIdGroupPairs\":[],\"ipRanges\":[\"207.171.160.0/19\"]}],\"ipPermissionsEgress\":[],\"vpcId\":null,\"tags\":[]}",
"configurationItemStatus": "ResourceDiscovered",
"accountId": "605053316265"
}
],
"nextToken":
..........
```
有关响应字段的详细解释,请参阅 [配置项的组成部分](config-item-table.md) 和 [支持的资源类型 Amazon Config](resource-config-reference.md)
#### 来自 Amazon EBS 配置历史记录示例 Amazon Config
Amazon Config 生成一组文件,每个文件代表一种资源类型,并列出 Amazon Config 正在记录的该类型资源的所有配置更改。 Amazon Config 将此以资源为中心的配置历史记录作为对象导出到您在启用时指定的 Amazon S3 存储桶中。 Amazon Config每个资源类型的配置历史记录文件中包含自上一个历史记录文件传送完毕后检测到的该类型资源出现的更改。历史记录文件通常每六小时传送一次。
以下是 Amazon S3 对象内容的示例,其中描述了您的 Amazon Web Services 账户的当前区域中所有 Amazon Elastic Block Store 卷的配置历史记录。此账户中的卷包括 `vol-ce676ccc` 和 `vol-cia007c` 卷 `vol-ce676ccc` 自上一个历史记录文件传送完毕后有两项配置更改,而卷 `vol-cia007c` 只有一项更改。
```
{
"fileVersion": "1.0",
"requestId": "asudf8ow-4e34-4f32-afeb-0ace5bf3trye",
"configurationItems": [
{
"snapshotVersion": "1.0",
"resourceId": "vol-ce676ccc",
"arn": "arn:aws:us-west-2b:123456789012:volume/vol-ce676ccc",
"accountId": "12345678910",
"configurationItemCaptureTime": "2014-03-07T23:47:08.918Z",
"configurationStateID": "3e660fdf-4e34-4f32-afeb-0ace5bf3d63a",
"configurationItemStatus": "OK",
"relatedEvents": [
"06c12a39-eb35-11de-ae07-adb69edbb1e4",
"c376e30d-71a2-4694-89b7-a5a04ad92281"
],
"availibilityZone": "us-west-2b",
"resourceType": "AWS::EC2::Volume",
"resourceCreationTime": "2014-02-27T21:43:53.885Z",
"tags": {},
"relationships": [
{
"resourceId": "i-344c463d",
"resourceType": "AWS::EC2::Instance",
"name": "Attached to Instance"
}
],
"configuration": {
"volumeId": "vol-ce676ccc",
"size": 1,
"snapshotId": "",
"availabilityZone": "us-west-2b",
"state": "in-use",
"createTime": "2014-02-27T21:43:53.0885+0000",
"attachments": [
{
"volumeId": "vol-ce676ccc",
"instanceId": "i-344c463d",
"device": "/dev/sdf",
"state": "attached",
"attachTime": "2014-03-07T23:46:28.0000+0000",
"deleteOnTermination": false
}
],
"tags": [
{
"tagName": "environment",
"tagValue": "PROD"
},
{
"tagName": "name",
"tagValue": "DataVolume1"
}
],
"volumeType": "standard"
}
},
{
"configurationItemVersion": "1.0",
"resourceId": "vol-ce676ccc",
"arn": "arn:aws:us-west-2b:123456789012:volume/vol-ce676ccc",
"accountId": "12345678910",
"configurationItemCaptureTime": "2014-03-07T21:47:08.918Z",
"configurationItemState": "3e660fdf-4e34-4f32-sseb-0ace5bf3d63a",
"configurationItemStatus": "OK",
"relatedEvents": [
"06c12a39-eb35-11de-ae07-ad229edbb1e4",
"c376e30d-71a2-4694-89b7-a5a04w292281"
],
"availibilityZone": "us-west-2b",
"resourceType": "AWS::EC2::Volume",
"resourceCreationTime": "2014-02-27T21:43:53.885Z",
"tags": {},
"relationships": [
{
"resourceId": "i-344c463d",
"resourceType": "AWS::EC2::Instance",
"name": "Attached to Instance"
}
],
"configuration": {
"volumeId": "vol-ce676ccc",
"size": 1,
"snapshotId": "",
"availabilityZone": "us-west-2b",
"state": "in-use",
"createTime": "2014-02-27T21:43:53.0885+0000",
"attachments": [
{
"volumeId": "vol-ce676ccc",
"instanceId": "i-344c463d",
"device": "/dev/sdf",
"state": "attached",
"attachTime": "2014-03-07T23:46:28.0000+0000",
"deleteOnTermination": false
}
],
"tags": [
{
"tagName": "environment",
"tagValue": "PROD"
},
{
"tagName": "name",
"tagValue": "DataVolume1"
}
],
"volumeType": "standard"
}
},
{
"configurationItemVersion": "1.0",
"resourceId": "vol-cia007c",
"arn": "arn:aws:us-west-2b:123456789012:volume/vol-cia007c",
"accountId": "12345678910",
"configurationItemCaptureTime": "2014-03-07T20:47:08.918Z",
"configurationItemState": "3e660fdf-4e34-4f88-sseb-0ace5bf3d63a",
"configurationItemStatus": "OK",
"relatedEvents": [
"06c12a39-eb35-11de-ae07-adjhk8edbb1e4",
"c376e30d-71a2-4694-89b7-a5a67u292281"
],
"availibilityZone": "us-west-2b",
"resourceType": "AWS::EC2::Volume",
"resourceCreationTime": "2014-02-27T20:43:53.885Z",
"tags": {},
"relationships": [
{
"resourceId": "i-344e563d",
"resourceType": "AWS::EC2::Instance",
"name": "Attached to Instance"
}
],
"configuration": {
"volumeId": "vol-cia007c",
"size": 1,
"snapshotId": "",
"availabilityZone": "us-west-2b",
"state": "in-use",
"createTime": "2014-02-27T20:43:53.0885+0000",
"attachments": [
{
"volumeId": "vol-cia007c",
"instanceId": "i-344e563d",
"device": "/dev/sdf",
"state": "attached",
"attachTime": "2014-03-07T23:46:28.0000+0000",
"deleteOnTermination": false
}
],
"tags": [
{
"tagName": "environment",
"tagValue": "PROD"
},
{
"tagName": "name",
"tagValue": "DataVolume2"
}
],
"volumeType": "standard"
}
}
]
}
```
## 查看资源和规则的合规性历史记录时间线
Amazon Config 支持存储由评估的资源的合规性状态更改 Amazon Config 规则。资源合规性历史记录以时间线的形式显示。时间线将特定资源在一段时间内的更改捕获为。`ConfigurationItems`有关内容的信息`ConfigurationItem`,请参阅 Amazon Config API 参考[ConfigurationItem](https://docs.amazonaws.cn/config/latest/APIReference/API_ConfigurationItem.html)中的。
您可以选择加入或选择退出记录 Amazon Config中的所有资源类型。如果您选择记录所有资源类型,则 Amazon Config 会自动开始记录由评估的资源合规性历史记录 Amazon Config 规则。默认情况下, Amazon Config 记录所有受支持资源的配置更改。您也可以仅选择特定的资源合规性历史记录资源类型:`AWS::Config::ResourceCompliance`。有关更多信息,请参阅[录制 Amazon 记录](https://docs.amazonaws.cn/config/latest/developerguide/select-resources.html#select-resources-console)。
------
#### [ Viewing Resource Timeline Using Resources ]
通过从资源清单页面中选择特定资源来访问资源时间线。
1. 从左侧导航中选择**资源**。
1. 在“资源”清单页面上,您可以按资源类别、资源类型和合规性状态进行筛选。根据需要选择**包括已删除的资源**。
该表显示了资源类型的资源标识符和该资源的资源合规性状态。资源标识符可以是资源 ID,也可以是资源名称。
1. 从资源标识符列中选择资源。
1. 选择**资源时间表**按钮。您可以按配置事件、合规性事件或 CloudTrail 事件进行筛选。
**注意**
或者,在“资源”清单页面上,您可以直接选择资源名称。要从资源详细信息页面访问资源时间表,请选择**资源时间表**按钮。
------
#### [ Viewing Resource Timeline Using Rules ]
通过从规则页面中选择特定规则来访问资源时间线。
1. 从左侧导航中选择 **Rules(规则)**。
1. 在“规则”页面上,选择评估您的相关资源的规则。如果屏幕上未显示任何规则,请使用 **Add rule(添加规则)**按钮来添加规则。
1. 在规则详细信息页面上,从已评估资源表中选择资源。
1. 选择**资源时间线**按钮。将显示资源时间线。
------